fix cert order only for lookup=0. Fixes #4785
authorAlan T. DeKok <aland@freeradius.org>
Wed, 26 Oct 2022 11:31:43 +0000 (07:31 -0400)
committerAlan T. DeKok <aland@freeradius.org>
Wed, 26 Oct 2022 11:31:43 +0000 (07:31 -0400)
src/main/tls.c

index a33699cbb66e79352edc2174d96e8f760ec03590..c67148cf12c7977d77b1f694d5ec2dd09873550c 100644 (file)
@@ -3015,7 +3015,14 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
         */
        if (lookup > 1) {
                if (!my_ok) lookup = 1;
-       } else {
+
+       } else if (lookup == 0) {
+               /*
+                *      This flag is only set for outbound
+                *      connections.  And then allows us to remap SSL
+                *      offset 0 (server) to our offset 1 (also
+                *      server).
+                */
                lookup = (SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_FIX_CERT_ORDER) != NULL);
        }
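Review bot: The new comment on the `else if (lookup == 0)` branch does not say what happens at depth 1, which now keeps `lookup == 1` and therefore shares that offset with the remapped leaf whenever FR_TLS_EX_INDEX_FIX_CERT_ORDER is set. `lookup` appears to select which certificate slot the rest of cbtls_verify fills, so the comment should state which of the two is meant to win, e.g. `Depth 1 (issuer) is left as-is; on outbound connections it shares offset 1 with the remapped server cert.` The result of `SSL_get_ex_data(...) != NULL` is also being used as an index, and writing `? 1 : 0` would make that intent explicit. cbtls_verify starts and ends outside this hunk, so the later uses of `lookup` cannot be checked from here.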