Only accept a client certificate if the server requests one, as required by SSL/TLS specs.
This commit is contained in:
Dr. Stephen Henson
2003-09-03 23:42:17 +00:00
parent 3b07c32fe7
commit 33ed371ec9
2 changed files with 10 additions and 4 deletions


@@ -1973,6 +1973,11 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
Changes between 0.9.6j and 0.9.6k [xx XXX 2003] Changes between 0.9.6j and 0.9.6k [xx XXX 2003]
*) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
if the server requested one: as stated in TLS 1.0 and SSL 3.0
specifications.
[Steve Henson]
*) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional *) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional
extra data after the compression methods not only for TLS 1.0 extra data after the compression methods not only for TLS 1.0
but also for SSL 3.0 (as required by the specification). but also for SSL 3.0 (as required by the specification).
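Review bot: the new CHANGES entry says the server now only accepts a client certificate when it requested one, but it does not say what happens to a client that sends a Certificate message anyway; the corresponding s3_srvr.c change just skips ssl3_get_client_certificate() and moves on to the key-exchange state, so the entry should state explicitly whether an unsolicited certificate is now a fatal handshake error or is silently ignored, since that is the behaviour change a deployer needs to know about. Citing the relevant handshake-message-order section of the TLS 1.0 and SSL 3.0 specifications in the entry would also make the "as stated in ... specifications" claim checkable.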


@@ -431,10 +431,11 @@ int ssl3_accept(SSL *s)
if (ret == 2) if (ret == 2)
s->state = SSL3_ST_SR_CLNT_HELLO_C; s->state = SSL3_ST_SR_CLNT_HELLO_C;
else { else {
/* could be sent for a DH cert, even if we if (s->s3->tmp.cert_request)
* have not asked for it :-) */ {
ret=ssl3_get_client_certificate(s); ret=ssl3_get_client_certificate(s);
if (ret <= 0) goto end; if (ret <= 0) goto end;
}
s->init_num=0; s->init_num=0;
s->state=SSL3_ST_SR_KEY_EXCH_A; s->state=SSL3_ST_SR_KEY_EXCH_A;
} }
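Review bot: the `if (s->s3->tmp.cert_request)` guard correctly stops the server from reading a Certificate message it never asked for, but nothing in this hunk rejects such a message: when cert_request is clear the code falls straight through to `s->state=SSL3_ST_SR_KEY_EXCH_A;`, so whether an unsolicited Certificate is treated as a fatal unexpected-message error or quietly tolerated now depends entirely on how the key-exchange reader handles a wrong message type, which this change does not show. Please confirm that path produces a fatal alert rather than accepting the certificate by another route, and replace the removed "could be sent for a DH cert, even if we have not asked for it" comment with one stating the intended behaviour, e.g. "only read a client certificate if we sent a CertificateRequest; anything else is an unexpected message", so the next reader does not reintroduce the old tolerance.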