From: Tamas TEVESZ Date: Sat, 8 Jun 2013 05:00:16 +0000 (+0200) Subject: Add support for client-cert-not-required for PolarSSL. X-Git-Tag: v2.4_alpha1~553 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a781d6714758489a808b55cdefc1d1623194e318;p=thirdparty%2Fopenvpn.git Add support for client-cert-not-required for PolarSSL. Signed-off-by: Tamas TEVESZ Acked-by: Steffan Karger Message-Id: alpine.GSO.2.03.1306080732510.23277@extreme.hu URL: http://article.gmane.org/gmane.network.openvpn.devel/7667 Signed-off-by: David Sommerseth
---
diff --git a/src/openvpn/ssl_polarssl.c b/src/openvpn/ssl_polarssl.c
index a82b23338..8a917b34d 100644
--- a/src/openvpn/ssl_polarssl.c
+++ b/src/openvpn/ssl_polarssl.c
@@ -533,8 +533,20 @@ void key_state_ssl_init(struct key_state_ssl *ks_ssl,
 ssl_set_own_cert( ks_ssl->ctx, ssl_ctx->crt_chain, ssl_ctx->priv_key );
 /* Initialise SSL verification */
- ssl_set_authmode (ks_ssl->ctx, SSL_VERIFY_REQUIRED);
- ssl_set_verify (ks_ssl->ctx, verify_callback, session);
+#if P2MP_SERVER
+ if (session->opt->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED)
+ {
+ msg (M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION "
+ "--client-cert-not-required may accept clients which do not present "
+ "a certificate");
+ }
+ else
+#endif
+ {
+ ssl_set_authmode (ks_ssl->ctx, SSL_VERIFY_REQUIRED);
+ ssl_set_verify (ks_ssl->ctx, verify_callback, session);
+ }
+
 /* TODO: PolarSSL does not currently support sending the CA chain to the client */
 ssl_set_ca_chain (ks_ssl->ctx, ssl_ctx->ca_chain, NULL, NULL );
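Review bot: In the SSLF_CLIENT_CERT_NOT_REQUIRED branch the hunk sets neither an authmode nor a verify callback on ks_ssl->ctx, so the context's verification policy is whatever PolarSSL's default leaves it at, and a certificate that a client does present is never handed to verify_callback. Making the policy explicit, `ssl_set_authmode (ks_ssl->ctx, SSL_VERIFY_OPTIONAL);` in that branch with `ssl_set_verify (ks_ssl->ctx, verify_callback, session);` applied in both branches, would keep a presented certificate subject to the usual checks while still admitting clients without one; whether verify_callback tolerates an absent peer certificate under that mode would need confirming in the PolarSSL verify code, which is outside this hunk. Independently of that, a comment above the `#if P2MP_SERVER`, such as `/* --client-cert-not-required: no authmode or verify callback is installed, so a client certificate, if sent, is not verified here */`, would record the trade-off next to the code rather than only in the log message. key_state_ssl_init continues outside the hunk.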