From a6ef11572ffdfde69c901c8c4903c911f0e27d76 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
Date: Wed, 31 Jan 2018 11:09:38 +0000
Subject: [PATCH] Don't short-circuit request for TLS credentials
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Although newer GNUTLS has a default system trust fallback for CA certificates, we must still request certificates from the client app. If we do not, then the VNC client will never be given the opportunity to provide custom certs to override the system trust database.
Signed-off-by: Daniel P. Berrangé
(cherry picked from commit df656c79467c2595b4a2cd35283c7f5d52adf336)
---
 src/vncconnection.c | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/src/vncconnection.c b/src/vncconnection.c
index 1ddf38d..e5496ef 100644
--- a/src/vncconnection.c
+++ b/src/vncconnection.c
@@ -3528,16 +3528,8 @@ static gboolean vnc_connection_has_credentials(gpointer data)
 return FALSE;
 if (priv->want_cred_password && !priv->cred_password)
 return FALSE;
- /*
- * For x509 we require a minimum of the CA cert
- * if using GNUTLS < 3.0. With newer GNUTLS we'll
- * fallback to the system trust, so don't need to
- * explicitly check for a CA cert.
- */
-#if GNUTLS_VERSION_NUMBER < 0x030000
 if (priv->want_cred_x509 && !priv->cred_x509_cacert)
 return FALSE;
-#endif
 return TRUE;
 }
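Review bot: The now-unconditional `if (priv->want_cred_x509 && !priv->cred_x509_cacert)` check in vnc_connection_has_credentials() is left with no comment, because the patch deletes the old explanation together with the `#if GNUTLS_VERSION_NUMBER < 0x030000` guard. The reason for keeping the check is recorded only in the commit message, so a later reader could take it for redundant with the GnuTLS system-trust fallback and put the guard back, which would again stop the client app from being asked for its own CA certificate. I would add a short comment above the check, for example `/* Always request the CA cert from the app, even when GNUTLS can fall back to system trust, so custom certs can override it */`. The function begins before this hunk, so the earlier credential checks are not visible here.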