author | Martin Willi <martin@revosec.ch> | 2011-04-14 19:54:02 +0200 |
---|---|---|
committer | Martin Willi <martin@revosec.ch> | 2011-04-14 20:02:12 +0200 |
commit | 6a8f1a578fc9841309fee355b8c934dc454b6901 (patch) | |
tree | 8bccfb99c590dd2f5b91271791ce719f3f7d1ff1 /src | |
parent | 1c21f47a060bdc0460c535c800591eebf641f3ac (diff) | |
download | strongswan-6a8f1a578fc9841309fee355b8c934dc454b6901.tar.bz2 strongswan-6a8f1a578fc9841309fee355b8c934dc454b6901.tar.xz |
Ignore TLS certificate requests as peer if peer authentication disabled
Diffstat (limited to 'src')
-rw-r--r-- | src/libtls/tls_peer.c | 27 |
1 files changed, 14 insertions, 13 deletions
diff --git a/src/libtls/tls_peer.c b/src/libtls/tls_peer.c
index ae89153be..8efc394f5 100644
--- a/src/libtls/tls_peer.c
+++ b/src/libtls/tls_peer.c
@@ -502,8 +502,6 @@ static status_t process_certreq(private_tls_peer_t *this, tls_reader_t *reader)
 {
 DBG1(DBG_TLS, "server requested a certificate, but client "
 "authentication disabled");
-this->alert->add(this->alert, TLS_FATAL, TLS_HANDSHAKE_FAILURE);
-return NEED_MORE;
 }
 this->crypto->append_handshake(this->crypto, TLS_CERTIFICATE_REQUEST,
 reader->peek(reader));
@@ -541,19 +539,22 @@ static status_t process_certreq(private_tls_peer_t *this, tls_reader_t *reader)
 authorities->destroy(authorities);
 return NEED_MORE;
 }
-id = identification_create_from_encoding(ID_DER_ASN1_DN, data);
-cert = lib->credmgr->get_cert(lib->credmgr,
-CERT_X509, KEY_ANY, id, TRUE);
-if (cert)
-{
-DBG1(DBG_TLS, "received TLS cert request for '%Y", id);
-this->peer_auth->add(this->peer_auth, AUTH_RULE_CA_CERT, cert);
-}
-else
+if (this->peer)
 {
-DBG1(DBG_TLS, "received TLS cert request for unknown CA '%Y'", id);
+id = identification_create_from_encoding(ID_DER_ASN1_DN, data);
+cert = lib->credmgr->get_cert(lib->credmgr,
+CERT_X509, KEY_ANY, id, TRUE);
+if (cert)
+{
+DBG1(DBG_TLS, "received TLS cert request for '%Y", id);
+this->peer_auth->add(this->peer_auth, AUTH_RULE_CA_CERT, cert);
+}
+else
+{
+DBG1(DBG_TLS, "received TLS cert request for unknown CA '%Y'", id);
+}
+id->destroy(id);
 }
-id->destroy(id);
 }
 authorities->destroy(authorities);
 this->state = STATE_CERTREQ_RECEIVED; |
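Review bot: With the alert and the early `return NEED_MORE;` removed from the disabled-authentication branch, the DBG1 "server requested a certificate, but client authentication disabled" at the top of the first hunk now describes a condition the handshake deliberately continues through, yet nothing in the code says so. A comment on that branch would spare the next reader from re-deriving the intent from the commit title, e.g. `/* no client authentication configured: the request is ignored, but the message is still recorded via append_handshake() below */`. Note that `this->crypto->append_handshake(...)` is now reached on both paths, which presumably keeps the handshake transcript consistent regardless of whether a certificate will be offered. The condition that opens this branch and the remainder of process_certreq() lie outside the hunk.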
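Review bot: The re-added log line in the second hunk, `DBG1(DBG_TLS, "received TLS cert request for '%Y", id);`, has an unbalanced quote in its format string — the closing `'` is missing, unlike the `unknown CA '%Y'` message a few lines below; since the commit already rewrites this line, it should read `DBG1(DBG_TLS, "received TLS cert request for '%Y'", id);`. Moving `id->destroy(id);` inside the new `if (this->peer)` block keeps the create/destroy pair balanced on every path through the loop body, so no leak is introduced by the guard. Whether `this->peer` is the same predicate the first hunk's disabled-authentication branch tests cannot be confirmed from here, because that `if` is outside the hunk; a short comment on the guard naming the relationship would help. The body of process_certreq() begins outside both hunks.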