upd: enforce serverAuth EKU for SSL-pings
index 312c88709df9882c349f2bbcdccce4fbbec616fe..7db5a6b16786a066cb4f3427990a2477b111c7ed 100644 (file)
@@ -180,8 +180,8 @@ public class SSLPinger extends DomainPinger {
                             @Override
                             public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) throws java.security.cert.CertificateException {
                                 java.security.cert.X509Certificate c = chain[0];
-                                if (c.getExtendedKeyUsage() != null && !c.getExtendedKeyUsage().contains(OID_EKU_serverAuth)) {
-                                    throw new java.security.cert.CertificateException("Illegal EKU");
+                                if (c.getExtendedKeyUsage() == null || !c.getExtendedKeyUsage().contains(OID_EKU_serverAuth)) {
+                                    throw new java.security.cert.CertificateException("Extended Key Usage for SSL Server Authentication missing");
                                 }
                             }
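Review bot: `c.getExtendedKeyUsage()` on the new line 11 is evaluated twice, so the extension is parsed twice and a `CertificateParsingException` can surface from either call; bind it once, `java.util.List<String> eku = c.getExtendedKeyUsage();` followed by `if (eku == null || !eku.contains(OID_EKU_serverAuth)) {`. The stricter check now also rejects a certificate whose EKU contains only anyExtendedKeyUsage (2.5.29.37.0), which RFC 5280 treats as satisfying any purpose; if that rejection is intended, a comment such as `// serverAuth must be listed explicitly; anyExtendedKeyUsage is deliberately not accepted` would record the decision. Only `chain[0]` is inspected, so the EKU requirement is a leaf-only policy and does not cover the rest of the chain, which is worth stating in a short Javadoc on checkServerTrusted. The anonymous class enclosing checkServerTrusted starts outside the hunk.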