tweak tls notification posting

Author: rfm

Headers/GNUstepBase/GSTLS.h

@@ -58,6 +58,8 @@ GS_EXPORT NSString * const GSTLSVerify;
 
 /** Notification posted whenever a connection (handled by a [GSTLSSession]
  * instance) to a TLS server fails certificate or host name verification.
+ * This is only sent if the option to turn off strict verification was not
+ * set in the session options.
  */
 GS_EXPORT NSString* const GSTLSVerifyFailedNotification;
 

Source/GSTLS.m

@@ -2059,16 +2059,24 @@ - (BOOL) handshake
                 handle, gnutls_strerror(ret));
               NSLog(@"%p failed verify:\n%@", handle, [self sessionInfo]);
             }
-	  if (outgoing)
+          if (requireVerified)
+            {
+              [self disconnect: NO];
+            }
+	  else if (outgoing && nil == [opts objectForKey: GSTLSVerify])
 	    {
+	      /* We notify about verification failure on outgoing connections
+	       * if the failure was ignored, unless it was specifically turned
+	       * off by the app (GSTLSVerify set to NO). That is to say, if
+	       * strict verification was turned off by environment variable
+	       * or user default.  This is intended to allow an application
+	       * to catch connection attempts which would have failed if the
+	       * default setting had been to use strict verification.
+	       */
               [[NSNotificationCenter defaultCenter]
                 postNotificationName: GSTLSVerifyFailedNotification
                   object: self];
 	    }
-          if (requireVerified)
-            {
-              [self disconnect: NO];
-            }
         }
       else
         {