From: Nick Porter <nick@portercomputing.co.uk>
Date: Fri, 23 Jan 2026 09:13:03 +0000 (+0000)
Subject: If we have DER decoded certs pass them to verify certificate
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=47d112724ef77560e31049d49cc994d9e2400c7f;p=thirdparty%2Ffreeradius-server.git

If we have DER decoded certs pass them to verify certificate
---

diff --git a/src/lib/tls/verify.c b/src/lib/tls/verify.c
index a5dd8a1f5dc..48833cba699 100644
--- a/src/lib/tls/verify.c
+++ b/src/lib/tls/verify.c
@@ -486,6 +486,11 @@ static unlang_action_t tls_verify_client_cert_push(request_t *request, fr_tls_se
 	while ((vp = fr_pair_find_by_da(&request->parent->session_state_pairs, vp, attr_tls_certificate))) {
 		fr_pair_append(&request->session_state_pairs, fr_pair_copy(request->session_state_ctx, vp));
 	}
+	if (conf->verify.der_decode) {
+		while ((vp = fr_pair_find_by_da(&request->parent->session_state_pairs, vp, attr_der_certificate))) {
+			fr_pair_append(&request->session_state_pairs, fr_pair_copy(request->session_state_ctx, vp));
+		}
+	}
 
 	MEM(pair_append_request(&vp, attr_tls_session_resumed) >= 0);
 	vp->vp_bool = tls_session->validate.resumed;