pt-tls-server: Explicitly request client authentication if necessary

The PT_TLS_AUTH_TLS_OR_SASL case currently can't be implemented properly
as TLS authentication will be enforced if a client identity is configured
on the TLS server socket.

diff --git a/src/libpttls/pt_tls_server.c b/src/libpttls/pt_tls_server.c
index 1ad6165f6c4ed78fbf845011f50a71717d51ec28..ba217aa9b8996e73af7775240d57c7a7581d7b81 100644 (file)
--- a/src/libpttls/pt_tls_server.c
+++ b/src/libpttls/pt_tls_server.c
@@ -524,6 +524,18 @@ pt_tls_server_t *pt_tls_server_create(identification_t *server, int fd,
                                                                          pt_tls_auth_t auth, tnccs_t *tnccs)
 {
        private_pt_tls_server_t *this;
+       identification_t *client = NULL;
+
+       switch (auth)
+       {
+               case PT_TLS_AUTH_TLS:
+               case PT_TLS_AUTH_TLS_OR_SASL:
+               case PT_TLS_AUTH_TLS_AND_SASL:
+                       client = identification_create_from_encoding(ID_ANY, chunk_empty);
+                       break;
+               default:
+                       break;
+       }
 
        INIT(this,
                .public = {
@@ -532,12 +544,14 @@ pt_tls_server_t *pt_tls_server_create(identification_t *server, int fd,
                        .destroy = _destroy,
                },
                .state = PT_TLS_SERVER_VERSION,
-               .tls = tls_socket_create(TRUE, server, NULL, fd, NULL, TLS_UNSPEC,
+               .tls = tls_socket_create(TRUE, server, client, fd, NULL, TLS_UNSPEC,
                                                                 TLS_UNSPEC, FALSE),
                .tnccs = (tls_t*)tnccs,
                .auth = auth,
        );
 
+       DESTROY_IF(client);
+
        if (!this->tls)
        {
                this->tnccs->destroy(this->tnccs);