{ FR_CONF_DEPRECATED("check_all_crl", FR_TYPE_BOOL, fr_tls_conf_t, NULL) },
#endif
{ FR_CONF_OFFSET("allow_expired_crl", FR_TYPE_BOOL, fr_tls_conf_t, allow_expired_crl) },
- { FR_CONF_OFFSET("check_cert_cn", FR_TYPE_STRING, fr_tls_conf_t, check_cert_cn) },
{ FR_CONF_OFFSET("cipher_list", FR_TYPE_STRING, fr_tls_conf_t, cipher_list) },
{ FR_CONF_OFFSET("cipher_server_preference", FR_TYPE_BOOL, fr_tls_conf_t, cipher_server_preference), .dflt = "yes" },
#ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
{ FR_CONF_OFFSET("allow_renegotiation", FR_TYPE_BOOL, fr_tls_conf_t, allow_renegotiation), .dflt = "no" },
#endif
- { FR_CONF_OFFSET("check_cert_issuer", FR_TYPE_STRING, fr_tls_conf_t, check_cert_issuer) },
- { FR_CONF_OFFSET("require_client_cert", FR_TYPE_BOOL, fr_tls_conf_t, require_client_cert) },
#ifndef OPENSSL_NO_ECDH
{ FR_CONF_OFFSET("ecdh_curve", FR_TYPE_STRING, fr_tls_conf_t, ecdh_curve), .dflt = "prime256v1" },
{ FR_CONF_OFFSET("cache", FR_TYPE_SUBSECTION, fr_tls_conf_t, cache), .subcs = (void const *) cache_config },
{ FR_CONF_DEPRECATED("verify", FR_TYPE_SUBSECTION, fr_tls_conf_t, NULL) },
+ { FR_CONF_DEPRECATED("check_cert_issuer", FR_TYPE_STRING, fr_tls_conf_t, check_cert_issuer) },
+ { FR_CONF_DEPRECATED("check_cert_cn", FR_TYPE_STRING, fr_tls_conf_t, check_cert_cn) },
CONF_PARSER_TERMINATOR
};
{ FR_CONF_OFFSET("random_file", FR_TYPE_STRING, fr_tls_conf_t, random_file) },
{ FR_CONF_OFFSET("fragment_size", FR_TYPE_UINT32, fr_tls_conf_t, fragment_size), .dflt = "1024" },
{ FR_CONF_OFFSET("check_crl", FR_TYPE_BOOL, fr_tls_conf_t, check_crl), .dflt = "no" },
- { FR_CONF_OFFSET("check_cert_cn", FR_TYPE_STRING, fr_tls_conf_t, check_cert_cn) },
+
{ FR_CONF_OFFSET("cipher_list", FR_TYPE_STRING, fr_tls_conf_t, cipher_list) },
- { FR_CONF_OFFSET("check_cert_issuer", FR_TYPE_STRING, fr_tls_conf_t, check_cert_issuer) },
#ifndef OPENSSL_NO_ECDH
{ FR_CONF_OFFSET("ecdh_curve", FR_TYPE_STRING, fr_tls_conf_t, ecdh_curve), .dflt = "prime256v1" },
{ FR_CONF_OFFSET("tls_min_version", FR_TYPE_FLOAT32, fr_tls_conf_t, tls_min_version), .dflt = "1.2" },
+ { FR_CONF_DEPRECATED("check_cert_issuer", FR_TYPE_STRING, fr_tls_conf_t, check_cert_issuer) },
+ { FR_CONF_DEPRECATED("check_cert_cn", FR_TYPE_STRING, fr_tls_conf_t, check_cert_cn) },
CONF_PARSER_TERMINATOR
};
return my_ok;
}
- /*
- * If the conf tells us to, check cert issuer
- * against the specified value and fail
- * verification if they don't match.
- */
- if (conf->check_cert_issuer && (strcmp(issuer, conf->check_cert_issuer) != 0)) {
- REDEBUG("Certificate issuer (%s) does not match specified value (%s)!",
- issuer, conf->check_cert_issuer);
- my_ok = 0;
- }
-
- /*
- * If the conf tells us to, check the CN in the
- * cert against xlat'ed value, but only if the
- * previous checks passed.
- */
- if (my_ok && conf->check_cert_cn) {
- char cn_str[1024];
-
- if (xlat_eval(cn_str, sizeof(cn_str), request, conf->check_cert_cn, NULL, NULL) < 0) {
- /* if this fails, fail the verification */
- my_ok = 0;
- } else {
- RDEBUG2("checking certificate CN (%s) with xlat'ed value (%s)", common_name, cn_str);
- if (strcmp(cn_str, common_name) != 0) {
- REDEBUG("Certificate CN (%s) does not match specified value (%s)!",
- common_name, cn_str);
- my_ok = 0;
- }
- }
- } /* check_cert_cn */
-
/*
* If we have a client certificate, cache whether or not
* we validated it.