Send the right CAs to the client.

diff --git a/CHANGES b/CHANGES
index c7c24ed9e5e187aa37feb321e039dc94ae9ec1ae..2a8877ac3efaddd4aa5192f63957d07eb6de1f10 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -5,6 +5,9 @@
 
  Changes between 0.9.1c and 0.9.2
 
+  *) s_server should send the CAfile as acceptable CAs, not its own cert.
+     [Bodo Moeller <3moeller@informatik.uni-hamburg.de>]
+
   *) Don't blow it for numeric -newkey arguments to apps/req.
      [Bodo Moeller <3moeller@informatik.uni-hamburg.de>]
 

diff --git a/apps/s_server.c b/apps/s_server.c
index 256636bc43e893e7efe0454b436c42ceabd5d1b9..c0546f6f9b0ea0529322bf758c70d4c0ad6e181f 100644 (file)
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -505,7 +505,7 @@ bad:
                SSL_CTX_set_cipher_list(ctx,cipher);
        SSL_CTX_set_verify(ctx,s_server_verify,verify_callback);
 
-       SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(s_cert_file));
+       SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile));
 
        BIO_printf(bio_s_out,"ACCEPT\n");
        if (www)
@@ -645,7 +645,7 @@ int s;
                                        /* strcpy(buf,"server side RE-NEGOTIATE\n"); */
                                        }
                                if ((buf[0] == 'R') &&
-                                       ((buf[1] == '\0') || (buf[1] == '\r')))
+                                       ((buf[1] == '\n') || (buf[1] == '\r')))
                                        {
                                        SSL_set_verify(con,
                                                SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,NULL);