Added gnutls-serv option --verify-client-cert.
authorNikos Mavrogiannopoulos <nmav@gnutls.org>
Fri, 9 May 2014 18:07:36 +0000 (20:07 +0200)
committerNikos Mavrogiannopoulos <nmav@gnutls.org>
Fri, 9 May 2014 18:07:38 +0000 (20:07 +0200)
This option forces verification of any client certificate that is provided,
even when the client is not required to present one. If verification fails,
the connection is closed with a fatal alert.

src/serv-args.def
src/serv.c

index 1caf7006ed663b33c05b962cdc629c394329cca9..141984a52d340d1046c9a3d59ae5177041eb4517 100644 (file)
@@ -82,6 +82,13 @@ flag = {
     doc      = "";
 };
 
+flag = {
+    name      = verify-client-cert;
+    disabled;
+    descrip   = "If a client certificate is sent then verify it.";
+    doc      = "Do not require, but if a client certificate is sent then verify it and close the connection if invalid.";
+};
+
 flag = {
     name      = heartbeat;
     value     = b;
index 198750fbe2643404a5aac0f3064e1b401f143faf..ae46dd19f5ac70cf1acad2d53a5f588dfb6dcd7d 100644 (file)
@@ -1182,7 +1182,7 @@ static void retry_handshake(listener_item *j)
                }
 
                if (gnutls_auth_get_type(j->tls_session) == GNUTLS_CRD_CERTIFICATE) {
-                       if (require_cert && cert_verify(j->tls_session, NULL, NULL) == 0) {
+                       if ((require_cert || ENABLED_OPT(VERIFY_CLIENT_CERT)) && cert_verify(j->tls_session, NULL, NULL) == 0) {
                                do {
                                        ret = gnutls_alert_send(j->tls_session, GNUTLS_AL_FATAL, GNUTLS_A_ACCESS_DENIED);
                                } while(ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN);
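Review bot: The new condition on the `if` line calls cert_verify() whenever --verify-client-cert is set without first checking that the peer actually sent a certificate; if cert_verify() returns 0 for an absent certificate (its body is not visible here), the option behaves exactly like --require-client-cert and rejects clients that present nothing, contrary to the option's own `doc` text. Gating the check on a presented chain, e.g. `unsigned int n = 0;` followed by `if ((require_cert || (ENABLED_OPT(VERIFY_CLIENT_CERT) && gnutls_certificate_get_peers(j->tls_session, &n) != NULL)) && cert_verify(j->tls_session, NULL, NULL) == 0) {`, keeps the two options distinct regardless of how cert_verify() treats a missing certificate. Nothing in this hunk selects GNUTLS_CERT_REQUEST via gnutls_certificate_server_set_request() when only the new option is given; if that call is made elsewhere only for require_cert, a client never sends a certificate and the option silently verifies nothing. retry_handshake() begins and ends outside the hunk.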