Commit 3158c87a authored by Dr. Stephen Henson's avatar Dr. Stephen Henson
Browse files

Only accept a client certificate if the server requests 

one, as required by SSL/TLS specs.
parent 0841f288

CHANGES

+5 −0
Original line number Diff line number Diff line
@@ -4,6 +4,11 @@ 


 Changes between 0.9.6j and 0.9.6k  [xx XXX 2003]



  *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate

     if the server requested one: as stated in TLS 1.0 and SSL 3.0

     specifications.

     [Steve Henson]



  *) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional

     extra data after the compression methods not only for TLS 1.0

     but also for SSL 3.0 (as required by the specification).

ssl/s3_srvr.c

+5 −4
Original line number Diff line number Diff line
@@ -420,10 +420,11 @@ int ssl3_accept(SSL *s) 
			if (ret == 2)

				s->state = SSL3_ST_SR_CLNT_HELLO_C;

			else {

				/* could be sent for a DH cert, even if we

				 * have not asked for it :-) */

				if (s->s3->tmp.cert_request)

					{

					ret=ssl3_get_client_certificate(s);

					if (ret <= 0) goto end;

					}

				s->init_num=0;

				s->state=SSL3_ST_SR_KEY_EXCH_A;

			}