Only accept a client certificate if the server requests
authorDr. Stephen Henson <steve@openssl.org>
Wed, 3 Sep 2003 23:47:34 +0000 (23:47 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Wed, 3 Sep 2003 23:47:34 +0000 (23:47 +0000)
one, as required by SSL/TLS specs.

CHANGES
ssl/s3_srvr.c

diff --git a/CHANGES b/CHANGES
index 0e7f968846d1290ec56e612702d44ec24d96b383..421d41fd72d9cb983e5ec3bb0b31d5572bfc16ce 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -2515,6 +2515,11 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
 
  Changes between 0.9.6j and 0.9.6k  [xx XXX 2003]
 
+  *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
+     if the server requested one: as stated in TLS 1.0 and SSL 3.0
+     specifications.
+     [Steve Henson]
+
   *) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional
      extra data after the compression methods not only for TLS 1.0
      but also for SSL 3.0 (as required by the specification).
index 32ddc480900b03458f1db2abb7bc999b1fc81872..ca39d6b1c8e97374f0749ef8a58fb870095e05a0 100644 (file)
@@ -456,10 +456,11 @@ int ssl3_accept(SSL *s)
                        if (ret == 2)
                                s->state = SSL3_ST_SR_CLNT_HELLO_C;
                        else {
-                               /* could be sent for a DH cert, even if we
-                                * have not asked for it :-) */
-                               ret=ssl3_get_client_certificate(s);
-                               if (ret <= 0) goto end;
+                               if (s->s3->tmp.cert_request)
+                                       {
+                                       ret=ssl3_get_client_certificate(s);
+                                       if (ret <= 0) goto end;
+                                       }
                                s->init_num=0;
                                s->state=SSL3_ST_SR_KEY_EXCH_A;
                        }
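Review bot: The new `if (s->s3->tmp.cert_request)` branch has no comment where the old one explained the previous permissive behaviour, so the next reader cannot tell from this spot what happens to an unsolicited Certificate message — presumably the state machine now advances to SSL3_ST_SR_KEY_EXCH_A and the key-exchange read rejects the unexpected message type, but that happens outside this hunk and is worth stating. I would put `/* Read a Certificate message only if we sent a CertificateRequest; an unsolicited one is a protocol error under SSL 3.0 and TLS 1.0 and is rejected when the key exchange is read. */` above the new `if`. It would also help to note, near where `tmp.cert_request` is set (outside this hunk), that the flag must be reset for each handshake so a renegotiation without a CertificateRequest does not inherit a stale value. The enclosing `ssl3_accept()` starts and ends outside the hunk.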