Fix DTLS certificate requesting code.
authorDr. Stephen Henson <steve@openssl.org>
Tue, 15 Jul 2014 17:21:59 +0000 (18:21 +0100)
committerDr. Stephen Henson <steve@openssl.org>
Tue, 15 Jul 2014 17:24:14 +0000 (18:24 +0100)
Use same logic when determining when to expect a client
certificate for both TLS and DTLS.

PR#3452
(cherry picked from commit c8d710dc5f83d69d802f941a4cc5895eb5fe3d65)

ssl/d1_srvr.c

index c0246c94eae87f5f9d1d3ded0b90a6a4cf090088..0e6bf46c028b7884a01bd29a4934700ad3e9d896 100644 (file)
@@ -480,10 +480,11 @@ int dtls1_accept(SSL *s)
                                s->state = SSL3_ST_SR_CLNT_HELLO_C;
                                }
                        else {
-                               /* could be sent for a DH cert, even if we
-                                * have not asked for it :-) */
-                               ret=ssl3_get_client_certificate(s);
-                               if (ret <= 0) goto end;
+                               if (s->s3->tmp.cert_request)
+                                       {
+                                       ret=ssl3_get_client_certificate(s);
+                                       if (ret <= 0) goto end;
+                                       }
                                s->init_num=0;
                                s->state=SSL3_ST_SR_KEY_EXCH_A;
                        }
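Review bot: The new `if (s->s3->tmp.cert_request)` guard carries no comment, while the comment it replaces documented the opposite behaviour (reading a certificate "even if we have not asked for it"). A one-line comment above the guard would record the intent, for example `/* Only read a client Certificate if we sent a CertificateRequest; same rule as the TLS server state machine. */`. The code that sets and clears `tmp.cert_request` is outside this hunk, so it is worth confirming that the flag is reset for every handshake, including renegotiation, so this branch never acts on a stale value. It would also help to confirm that a Certificate message arriving when none was requested is rejected as unexpected by the next state (`SSL3_ST_SR_KEY_EXCH_A`) and is covered by a regression test. `dtls1_accept` starts and ends outside the hunk.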