authorDr. Stephen Henson <steve@openssl.org>2003-09-03 23:47:34 +0000
committerDr. Stephen Henson <steve@openssl.org>2003-09-03 23:47:34 +0000
commit14f3d7c5ccd38875d5f3ee2007baec5a7240adc0 (patch)
treeb3c5d1ce8e250369178588ef5c8b10ba87bcdd7d
parent510dc1ecd00296a17a9b680288290942d82beddf (diff)
Only accept a client certificate if the server requests
one, as required by SSL/TLS specs.
-rw-r--r--CHANGES5
-rw-r--r--ssl/s3_srvr.c9
2 files changed, 10 insertions, 4 deletions
diff --git a/CHANGES b/CHANGES
index 0e7f968846..421d41fd72 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2515,6 +2515,11 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
Changes between 0.9.6j and 0.9.6k [xx XXX 2003]
+ *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
+ if the server requested one: as stated in TLS 1.0 and SSL 3.0
+ specifications.
+ [Steve Henson]
+
*) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional
extra data after the compression methods not only for TLS 1.0
but also for SSL 3.0 (as required by the specification).
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 32ddc48090..ca39d6b1c8 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -456,10 +456,11 @@ int ssl3_accept(SSL *s)
if (ret == 2)
s->state = SSL3_ST_SR_CLNT_HELLO_C;
else {
- /* could be sent for a DH cert, even if we
- * have not asked for it :-) */
- ret=ssl3_get_client_certificate(s);
- if (ret <= 0) goto end;
+ if (s->s3->tmp.cert_request)
+ {
+ ret=ssl3_get_client_certificate(s);
+ if (ret <= 0) goto end;
+ }
s->init_num=0;
s->state=SSL3_ST_SR_KEY_EXCH_A;
}
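Review bot: The new gate on `s->s3->tmp.cert_request` replaces the old explanatory comment with nothing, so a later reader cannot tell from this spot what happens when a client sends a Certificate message the server never asked for, or that the rejection is intentional. I would keep a short comment above the `if`, e.g. `/* Only read a Certificate message if we sent CertificateRequest (SSL 3.0 / TLS 1.0); an unsolicited one is left to the next state, which presumably rejects it as an unexpected message. */` The check also depends on `tmp.cert_request` being cleared on the no-request path of the CertificateRequest state on every handshake, including renegotiation, and that code is outside this hunk, so it is worth confirming rather than assuming. ssl3_accept() begins before and continues after this hunk.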