Add support for client-cert-not-required for PolarSSL.
authorTamas TEVESZ <ice@extreme.hu>
Sat, 8 Jun 2013 05:00:16 +0000 (07:00 +0200)
committerDavid Sommerseth <davids@redhat.com>
Tue, 11 Jun 2013 17:03:21 +0000 (19:03 +0200)
Signed-off-by: Tamas TEVESZ <ice@extreme.hu>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: alpine.GSO.2.03.1306080732510.23277@extreme.hu
URL: http://article.gmane.org/gmane.network.openvpn.devel/7667
Signed-off-by: David Sommerseth <davids@redhat.com>
src/openvpn/ssl_polarssl.c

index a82b23338bab733e3140cda7fd80c12dfd143744..8a917b34dbb5248dd339442e101764b0dc9b8c7a 100644 (file)
@@ -533,8 +533,20 @@ void key_state_ssl_init(struct key_state_ssl *ks_ssl,
        ssl_set_own_cert( ks_ssl->ctx, ssl_ctx->crt_chain, ssl_ctx->priv_key );
 
       /* Initialise SSL verification */
-      ssl_set_authmode (ks_ssl->ctx, SSL_VERIFY_REQUIRED);
-      ssl_set_verify (ks_ssl->ctx, verify_callback, session);
+#if P2MP_SERVER
+      if (session->opt->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED)
+       {
+         msg (M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION "
+          "--client-cert-not-required may accept clients which do not present "
+          "a certificate");
+       }
+      else
+#endif
+      {
+       ssl_set_authmode (ks_ssl->ctx, SSL_VERIFY_REQUIRED);
+       ssl_set_verify (ks_ssl->ctx, verify_callback, session);
+      }
+
       /* TODO: PolarSSL does not currently support sending the CA chain to the client */
       ssl_set_ca_chain (ks_ssl->ctx, ssl_ctx->ca_chain, NULL, NULL );