From be01e4ad9f96c0e1b688ceca66c5209be21b8078 Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok"
Date: Mon, 13 Sep 2021 17:13:24 -0400
Subject: [PATCH] copy certs even on failure, so that they can be logged. finalizing commit c157da82eb
---
 src/main/tls.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/main/tls.c b/src/main/tls.c
index 07f2c5b840..09a2784209 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -3048,6 +3048,12 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
 char const *p = X509_verify_cert_error_string(err);
 RERROR("(TLS) OpenSSL says error %d : %s", err, p);
 REXDENT();
+
+ /*
+ * Copy certs even on failure so that they can be logged.
+ */
+ if (certs && request) fr_pair_add(&request->packet->vps, fr_pair_list_copy(request->packet, *certs));
+
 return my_ok;
 }
 
@@ -3365,6 +3371,10 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
 ssn->client_cert_ok = (my_ok == 1);
 } /* depth == 0 */
 
+ /*
+ * Copy certs to request even on failure, so that the
+ * user can log them.
+ */
 if (certs && request && !my_ok) {
 fr_pair_add(&request->packet->vps, fr_pair_list_copy(request->packet, *certs));
 }
-- 
2.47.2
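Review bot: The attributes that the added `fr_pair_add(&request->packet->vps, ...)` line copies into the request come from a certificate chain that has just been rejected, so they are unauthenticated, peer-supplied data, and the new comment should say so. A wording such as `/* Copy certs even on failure so they can be logged; the chain did not verify, so these attributes are unauthenticated and must not drive policy decisions. */` would keep a later policy from reading their presence as proof of a valid client certificate. The unbraced one-line `if` also differs from the braced form of the same call in the second hunk; `if (certs && request) {` with the call on its own line would match it. The enclosing failure branch starts outside the hunk, so its guarding condition is assumed from the comment and the RERROR line.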
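Review bot: The comment added in the second hunk says the copy happens "even on failure", but the guard directly below it is `if (certs && request && !my_ok)`, so this block copies only when verification failed. A wording that matches the condition would be `/* Verification failed: copy certs to the request so that the user can log them. */`. Where the certificates are copied on the success path is not visible in this hunk, so the comment should not imply that this block handles both cases.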