diff -Nru canl-c-2.1.7/ChangeLog canl-c-2.1.8/ChangeLog
--- canl-c-2.1.7/ChangeLog 2016-08-19 08:20:47.000000000 +0000
+++ canl-c-2.1.8/ChangeLog 2017-02-23 21:16:26.000000000 +0000
@@ -135,3 +135,7 @@
 2.1.7-1
 - Quick fix to prevent RFC Proxy DN forgery (RT #11476)
+2.1.8-1
+- Security fix to verify certificates properly (EGI RT #12276):
+ - Treat untrusted certificates properly in proxy_verify_cert_chain()
+ - Override only openssl errors relevant to X.509 handling
diff -Nru canl-c-2.1.7/debian/changelog canl-c-2.1.8/debian/changelog
--- canl-c-2.1.7/debian/changelog 2016-12-23 14:14:18.000000000 +0000
+++ canl-c-2.1.8/debian/changelog 2017-03-22 14:56:11.000000000 +0000
@@ -1,3 +1,9 @@
+canl-c (2.1.8-1) unstable; urgency=medium
+
+ * Update to version 2.1.8
+
+ -- Mattias Ellert Wed, 22 Mar 2017 15:56:11 +0100
+
 canl-c (2.1.7-3) unstable; urgency=medium
 * Reverse the order of conditional dependencies
diff -Nru canl-c-2.1.7/debian/control canl-c-2.1.8/debian/control
--- canl-c-2.1.7/debian/control 2016-12-23 14:13:43.000000000 +0000
+++ canl-c-2.1.8/debian/control 2017-03-22 14:56:11.000000000 +0000
@@ -4,7 +4,7 @@
 Maintainer: Mattias Ellert
 Build-Depends: debhelper, bison, flex, libc-ares-dev, libkrb5-dev, libssl1.0-dev | libssl-dev (<< 1.1), libtool, libtool-bin, pkg-config, texlive-fonts-recommended, texlive-latex-extra, texlive-latex-recommended
 Standards-Version: 3.9.8
-Homepage: http://www.eu-emi.eu/
+Homepage: https://github.com/CESNET/canl-c
 Package: libcanl-c2
 Section: libs
diff -Nru canl-c-2.1.7/debian/copyright canl-c-2.1.8/debian/copyright
--- canl-c-2.1.7/debian/copyright 2016-08-25 09:30:50.000000000 +0000
+++ canl-c-2.1.8/debian/copyright 2017-03-22 14:54:02.000000000 +0000
@@ -1,7 +1,7 @@
 Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: canl-c
 Upstream-Contact: CESNET Product Teams
-Source: http://scientific.zcu.cz/emi/emi.canl.c/canl-c-2.1.7.tar.gz
+Source: http://scientific.zcu.cz/emi/emi.canl.c/canl-c-2.1.8.tar.gz
 Files: *
 Copyright: 2004-2011 Members of the EGEE Collaboration
@@ -26,7 +26,7 @@
 PURPOSE.
 Files: debian/*
-Copyright: 2013-2016 Mattias Ellert
+Copyright: 2013-2017 Mattias Ellert
 License: Apache-2.0
 License: Apache-2.0
diff -Nru canl-c-2.1.7/project/version.properties canl-c-2.1.8/project/version.properties
--- canl-c-2.1.7/project/version.properties 2016-08-19 08:20:47.000000000 +0000
+++ canl-c-2.1.8/project/version.properties 2017-02-23 21:16:26.000000000 +0000
@@ -1,3 +1,3 @@
 # $Header:
-module.version=2.1.7
+module.version=2.1.8
 module.age=1
diff -Nru canl-c-2.1.7/src/proxy/sslutils.c canl-c-2.1.8/src/proxy/sslutils.c
--- canl-c-2.1.7/src/proxy/sslutils.c 2016-08-19 08:20:46.000000000 +0000
+++ canl-c-2.1.8/src/proxy/sslutils.c 2017-02-23 21:16:26.000000000 +0000
@@ -1934,20 +1934,7 @@
 }
 #endif
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
- case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
- /*
- * OpenSSL 1.0 causes the cert to be added twice to
- * the store.
- */
- if (proxy_check_proxy_name(ctx->cert) &&
- !X509_cmp(ctx->cert, ctx->current_cert))
- ok = 1;
- break;
-#endif
- case X509_V_ERR_INVALID_CA:
- case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
 /*
 * This may happen since proxy issuers are not CAs
 */
@@ -1966,14 +1953,6 @@
 }
 break;
- case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
- case X509_V_ERR_CERT_UNTRUSTED:
- if (proxy_check_proxy_name(ctx->current_cert) > 0) {
- /* Server side, needed to fully recognize a proxy. */
- ok = 1;
- }
- break;
-
 #ifdef X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
 case X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED:
 /* Proxies ARE allowed */
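Review bot: Once `case X509_V_ERR_INVALID_CA:` and `case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:` are gone, the body that starts at the `This may happen since proxy issuers are not CAs` comment (old lines 1954–1966, between this hunk and the next one, ending at the `}` / `break;` the second hunk shows) is left with no case label of its own, so it can only be reached by falling through from whichever case precedes the `}` / `#endif` at the top of this hunk, and that label lies outside the hunk. If that preceding case already ends in its own `break`, the body is now dead code; if it does not, that case silently inherits a handling path written for proxy issuers, which is the kind of broad override this release is trying to narrow. Either delete the orphaned body together with its labels, or, if the fall-through is intended, say so where the labels were, e.g. `/* fallthrough: the preceding case shares the proxy-issuer handling below */`. The second sslutils.c hunk removes its case block together with its `break`, so it does not have this problem; the enclosing switch and function begin and end outside both hunks.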
@@ -2291,50 +2270,26 @@ X509_STORE * cert_store = NULL; X509_LOOKUP * lookup = NULL; X509_STORE_CTX csc; - X509 * xcert = NULL; - X509 * scert = NULL; int cscinitialized = 0; - scert = ucert; + if (cert_chain == NULL) + goto err; + + if (ucert == NULL) + ucert = sk_X509_value(cert_chain, 0); + if(!(cert_store = X509_STORE_new())){ goto err; } X509_STORE_set_verify_cb_func(cert_store, proxy_verify_callback); - if (cert_chain != NULL) - { - int i =0; - for (i=0;ipvxd->certdir,X509_FILETYPE_PEM); - X509_STORE_CTX_init(&csc,cert_store,scert,NULL); + X509_STORE_CTX_init(&csc, cert_store, ucert, cert_chain); cscinitialized = 1; #if SSLEAY_VERSION_NUMBER >= 0x0090600fL /* override the check_issued with our version */