From: Pascal Knecht
Date: Wed, 4 Nov 2020 11:22:58 +0000 (+0100)
Subject: tls-server: Make CertificateRequest conditional in old TLS versions
X-Git-Tag: 5.9.2rc1~23^2~30
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4bba89fff3dfd2dfa510e6a0ad38a905fa7f96f0;p=thirdparty%2Fstrongswan.git

tls-server: Make CertificateRequest conditional in old TLS versions

The server implementation now only sends a CertificateRequest message if it has identity information to verify client certificates.
---

diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c
index 1a87d6834e..07978b3f17 100644
--- a/src/libtls/tls_server.c
+++ b/src/libtls/tls_server.c
@@ -88,11 +88,6 @@ struct private_tls_server_t {
 	 */
 	identification_t *peer;
 
-	/**
-	 * Is it acceptable if we couldn't verify the peer certificate?
-	 */
-	bool peer_auth_optional;
-
 	/**
 	 * State we are in
 	 */
@@ -733,12 +728,6 @@ static status_t process_certificate(private_tls_server_t *this,
 				DBG1(DBG_TLS, "received TLS peer certificate '%Y'",
 					 cert->get_subject(cert));
 				first = FALSE;
-				if (this->peer == NULL)
-				{	/* apply identity to authenticate */
-					this->peer = cert->get_subject(cert);
-					this->peer = this->peer->clone(this->peer);
-					this->peer_auth_optional = TRUE;
-				}
 			}
 			else
 			{
@@ -928,11 +917,6 @@ static status_t process_cert_verify(private_tls_server_t *this,
 	{
 		DBG1(DBG_TLS, "no trusted certificate found for '%Y' to verify TLS peer",
 			 this->peer);
-		if (!this->peer_auth_optional)
-		{	/* client authentication is required */
-			this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
-			return NEED_MORE;
-		}
 		/* reset peer identity, we couldn't authenticate it */
 		this->peer->destroy(this->peer);
 		this->peer = NULL;
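Review bot: In the process_cert_verify hunk, a client certificate that cannot be verified against a trusted certificate now always reaches the context lines that reset `this->peer` to NULL and let the handshake continue, whereas the removed `peer_auth_optional` branch previously sent a fatal TLS_CERTIFICATE_UNKNOWN alert whenever the server had been configured with a peer identity. Since the build hunk now sends a CertificateRequest only when `this->peer` is set, reaching this point means client authentication was explicitly requested, so the fatal path looks worth keeping rather than dropping: `this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN); return NEED_MORE;`. If the intent is instead that callers detect the failure through the peer identity being NULL after the handshake, that contract should be stated at the reset, e.g. `/* peer is cleared on verification failure; callers must check the peer identity before trusting the session */`. process_cert_verify begins and ends outside this hunk, so any later check in the function is not visible here.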
@@ -1598,7 +1582,11 @@ METHOD(tls_handshake_t, build, status_t,
 			}
 			/* otherwise fall through to next state */
 		case STATE_KEY_EXCHANGE_SENT:
-			return send_certificate_request(this, type, writer);
+			if (this->peer)
+			{
+				return send_certificate_request(this, type, writer);
+			}
+			/* otherwise fall through to next state */
 		case STATE_CERTREQ_SENT:
 			return send_hello_done(this, type, writer);
 		case STATE_CIPHERSPEC_CHANGED_OUT:
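Review bot: The new `if (this->peer)` guard in the STATE_KEY_EXCHANGE_SENT case is the only place that decides whether client authentication is requested at all, but the reason is not stated in the code; a comment on the guard would help, e.g. `/* only request a client certificate if a peer identity was configured to verify it against */`. Note that `this->peer` can later be cleared in process_cert_verify when verification fails, so the field now serves both as configuration and as handshake state, which the `peer` field's doc comment in the struct (its body starts outside the first hunk) could mention. The enclosing build() method starts and ends outside this hunk.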