authornelsonb%netscape.com <devnull@localhost>2001-06-13 21:14:54 +0000
committernelsonb%netscape.com <devnull@localhost>2001-06-13 21:14:54 +0000
commit6bfe20d7337d2b875b14cdf807b541780ba8bc4c (patch)
tree4c3b0592dc866013d34850927d74557ecc290013
parente44ff2b5256864bf2f647c8672aa72bfeea8e217 (diff)
Fix bug 68869. Don't ignore TLS no certificate messages when the server
requires client auth. Work around bug in NT TCP stack by only shutting down the socket for SEND (not for BOTH) after sending a bad_certificate alert. This avoids bogus CONNECTION_RESET_BY_PEER errors at the client.
-rw-r--r--security/nss/lib/ssl/ssl3con.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/security/nss/lib/ssl/ssl3con.c b/security/nss/lib/ssl/ssl3con.c
index a80da28fe..be252d7d6 100644
--- a/security/nss/lib/ssl/ssl3con.c
+++ b/security/nss/lib/ssl/ssl3con.c
@@ -1571,7 +1571,11 @@ ssl3_HandleNoCertificate(sslSocket *ss)
SSL3_SendAlert(ss, alert_fatal, bad_certificate);
lower = ss->fd->lower;
+#ifdef _WIN32
+ lower->methods->shutdown(lower, PR_SHUTDOWN_SEND);
+#else
lower->methods->shutdown(lower, PR_SHUTDOWN_BOTH);
+#endif
PORT_SetError(SSL_ERROR_NO_CERTIFICATE);
return SECFailure;
}
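Review bot: The `#ifdef _WIN32` branch carries no comment explaining why Windows shuts down only the send side, so a later cleanup could fold it back into `PR_SHUTDOWN_BOTH`. I would add above it `/* NT TCP stack: PR_SHUTDOWN_BOTH here can make the client see a connection reset instead of the bad_certificate alert; shut down SEND only. */`. On Windows the receive side stays open after the fatal alert, so this path relies on the caller acting on the SECFailure return and closing the socket rather than reading further. The return value of `shutdown` is ignored in both branches. The start of ssl3_HandleNoCertificate is outside the hunk, so the condition guarding this path could not be checked.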
@@ -6309,6 +6313,10 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
/* This is TLS's version of a no_certificate alert. */
/* I'm a server. I've requested a client cert. He hasn't got one. */
rv = ssl3_HandleNoCertificate(ss);
+ if (rv != SECSuccess) {
+ errCode = PORT_GetError();
+ goto loser;
+ }
goto cert_block;
}
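Review bot: The added `rv != SECSuccess` check is what enforces required client authentication on the TLS path, and nothing at this site says so. A comment such as `/* Client auth is required and no cert was sent: abort the handshake, do not fall through to cert_block. */` would keep the check from being removed as redundant. `errCode = PORT_GetError()` depends on every failing path in ssl3_HandleNoCertificate having set an error; the one visible in this diff sets SSL_ERROR_NO_CERTIFICATE. The `loser` label and the rest of ssl3_HandleCertificate are outside the hunk, so whether that path sends a second alert after the bad_certificate one could not be checked here.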