From: Nikos Mavrogiannopoulos
Date: Fri, 9 May 2014 18:07:36 +0000 (+0200)
Subject: Added gnutls-serv option --verify-client-cert.
X-Git-Tag: gnutls_3_3_3~79
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=be5cf34ec97ce5a66160e21dc039b7f66dc600bd;p=thirdparty%2Fgnutls.git

Added gnutls-serv option --verify-client-cert.

That option allows forcing verification of the provided certificate even if it is not required to present one. In that case the connection will be closed with a fatal alert.
---
diff --git a/src/serv-args.def b/src/serv-args.def
index 1caf7006ed..141984a52d 100644
--- a/src/serv-args.def
+++ b/src/serv-args.def
@@ -82,6 +82,13 @@ flag = {
 doc = "";
 };
 
+flag = {
+ name = verify-client-cert;
+ disabled;
+ descrip = "If a client certificate is sent then verify it.";
+ doc = "Do not require, but if a client certificate is sent then verify it and close the connection if invalid.";
+};
+
 flag = {
 name = heartbeat;
 value = b;
diff --git a/src/serv.c b/src/serv.c
index 198750fbe2..ae46dd19f5 100644
--- a/src/serv.c
+++ b/src/serv.c
@@ -1182,7 +1182,7 @@ static void retry_handshake(listener_item *j)
 }
 
 if (gnutls_auth_get_type(j->tls_session) == GNUTLS_CRD_CERTIFICATE) {
-if (require_cert && cert_verify(j->tls_session, NULL, NULL) == 0) {
+if ((require_cert || ENABLED_OPT(VERIFY_CLIENT_CERT)) && cert_verify(j->tls_session, NULL, NULL) == 0) {
 do {
 ret = gnutls_alert_send(j->tls_session, GNUTLS_AL_FATAL, GNUTLS_A_ACCESS_DENIED);
 } while(ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN);
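Review bot: The changed condition in retry_handshake calls cert_verify() whenever --verify-client-cert is enabled, whether or not the client actually presented a certificate, while the option's own doc string in serv-args.def says "Do not require". cert_verify() is outside this hunk, so what it returns for an absent peer certificate is not visible here; if it reports failure (0) in that case, every client that sends no certificate would be cut off with the fatal ACCESS_DENIED alert once the option is set, which is stricter than documented. Checking the peer certificate list first would pin the intended semantics, e.g. `unsigned int ncerts = 0;` / `(void)gnutls_certificate_get_peers(j->tls_session, &ncerts);` and then `if ((require_cert || (ENABLED_OPT(VERIFY_CLIENT_CERT) && ncerts > 0)) && cert_verify(j->tls_session, NULL, NULL) == 0) {`. The body of retry_handshake begins before and continues after this hunk.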