We should only call virtual server for depth 0
authorArran Cudbard-Bell <a.cudbardb@freeradius.org>
Fri, 8 Oct 2021 21:59:48 +0000 (16:59 -0500)
committerArran Cudbard-Bell <a.cudbardb@freeradius.org>
Fri, 8 Oct 2021 22:10:59 +0000 (17:10 -0500)
src/lib/tls/verify.c

index 5e47e3b2c97e9ebb31ea62aae53662f9d4e45d35..55174b0698bd2705712812e569604d7a0554ee6a 100644 (file)
@@ -260,8 +260,13 @@ done:
         *      If verification hasn't already failed
         *      and we're meant to verify this cert
         *      then call the virtual server.
+        *
+        *      We only call the virtual server for
+        *      the certificate at depth 0 as all
+        *      other certificate attributes should
+        *      have been added by this point.
         */
-       if (my_ok && verify_applies(conf->verify.attribute_mode, depth, untrusted)) {
+       if (my_ok && (depth == 0)) {
                if (conf->virtual_server && tls_session->verify_client_cert) {
                        RDEBUG2("Requesting certificate validation");