From 272aef2f0fd6b8c81c397fc32a503776e2b4bef1 Mon Sep 17 00:00:00 2001
From: David Sommerseth <davids@redhat.com>
Date: Wed, 30 Mar 2011 14:14:21 +0200
Subject: [PATCH] Fix the --client-cert-not-required feature

Commit 2e8337de248ef0b5b48cbb2964da0d5c3f28b15b introduced a new
feature for using other SSL certificate fields for authentication
than the CN field.

This commit introduced a bug, which made the verify_callback()
function getting called even if --client-cert-not-required was
enabled in the config.

The reason for this was that an 'else' statement was lacking a
couple of curly braces.  The offending commit in reality moved
the setup of the verify_callback() function out of the 'else'
statement.

Report-URL: https://community.openvpn.net/openvpn/ticket/108
Report-URL: https://forums.openvpn.net/topic7751.html
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Jan Just Keijser <janjust@nikhef.nl>
(cherry picked from commit 008a18e772bf1854f9a2102bef4b3d5b0a08a66b)
---
 ssl.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/ssl.c b/ssl.c
index ed1071481..6d9a9fd37 100644
--- a/ssl.c
+++ b/ssl.c
@@ -1874,13 +1874,15 @@ init_ssl (const struct options *options)
     }
   else
 #endif
+    {
 #ifdef ENABLE_X509ALTUSERNAME
-  x509_username_field = (char *) options->x509_username_field;
+      x509_username_field = (char *) options->x509_username_field;
 #else
-  x509_username_field = X509_USERNAME_FIELD_DEFAULT;
+      x509_username_field = X509_USERNAME_FIELD_DEFAULT;
 #endif
-  SSL_CTX_set_verify (ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
-			verify_callback);
+      SSL_CTX_set_verify (ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
+                          verify_callback);
+    }
 
   /* Connection information callback */
   SSL_CTX_set_info_callback (ctx, info_callback);
-- 
2.47.2