That option allows forcing verification of the provided certificate
even if it is not required to present one. In that case the connection
will be closed with a fatal alert.
doc = "";
};
+flag = {
+ name = verify-client-cert;
+ disabled;
+ descrip = "If a client certificate is sent then verify it.";
+ doc = "Do not require, but if a client certificate is sent then verify it and close the connection if invalid.";
+};
+
flag = {
name = heartbeat;
value = b;
}
if (gnutls_auth_get_type(j->tls_session) == GNUTLS_CRD_CERTIFICATE) {
- if (require_cert && cert_verify(j->tls_session, NULL, NULL) == 0) {
+ if ((require_cert || ENABLED_OPT(VERIFY_CLIENT_CERT)) && cert_verify(j->tls_session, NULL, NULL) == 0) {
do {
ret = gnutls_alert_send(j->tls_session, GNUTLS_AL_FATAL, GNUTLS_A_ACCESS_DENIED);
} while(ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN);
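Review bot: The new condition on the `if` line makes `--verify-client-cert` behave like `--require-client-cert` whenever `cert_verify()` reports failure for a peer that sent no certificate at all, which the option text ("Do not require, but if a client certificate is sent then verify it") says must not happen; `cert_verify` is not visible here, so whether it returns 0 for the no-certificate case needs confirming, but if it does, a client that simply declines the CertificateRequest will be refused with ACCESS_DENIED. Guarding the optional path on an actual peer certificate keeps the verify-only semantics and still fails closed when a certificate is presented and invalid. The option also only has an effect if the server requests a certificate in the first place (`gnutls_certificate_server_set_request` with at least `GNUTLS_CERT_REQUEST` on the non-require path), which is outside this hunk and worth checking in the same commit. The enclosing function continues before and after this hunk.
```c
if (gnutls_auth_get_type(j->tls_session) == GNUTLS_CRD_CERTIFICATE) {
	unsigned int ncerts = 0;
	const gnutls_datum_t *peer_certs =
		gnutls_certificate_get_peers(j->tls_session, &ncerts);
	/* --verify-client-cert only verifies when the peer actually sent a certificate;
	 * --require-client-cert still fails closed when none was presented. */
	if ((require_cert ||
	     (ENABLED_OPT(VERIFY_CLIENT_CERT) && peer_certs != NULL && ncerts > 0)) &&
	    cert_verify(j->tls_session, NULL, NULL) == 0) {
		/* … unchanged: send GNUTLS_A_ACCESS_DENIED fatal alert … */
```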