From 14f3d7c5ccd38875d5f3ee2007baec5a7240adc0 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Wed, 3 Sep 2003 23:47:34 +0000 Subject: [PATCH] Only accept a client certificate if the server requests one, as required by SSL/TLS specs. --- CHANGES | 5 +++++ ssl/s3_srvr.c | 9 +++++---- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index 0e7f968846..421d41fd72 100644 --- a/CHANGES +++ b/CHANGES @@ -2515,6 +2515,11 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k Changes between 0.9.6j and 0.9.6k [xx XXX 2003] + *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate + if the server requested one: as stated in TLS 1.0 and SSL 3.0 + specifications. + [Steve Henson] + *) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional extra data after the compression methods not only for TLS 1.0 but also for SSL 3.0 (as required by the specification). diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 32ddc48090..ca39d6b1c8 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -456,10 +456,11 @@ int ssl3_accept(SSL *s) if (ret == 2) s->state = SSL3_ST_SR_CLNT_HELLO_C; else { - /* could be sent for a DH cert, even if we - * have not asked for it :-) */ - ret=ssl3_get_client_certificate(s); - if (ret <= 0) goto end; + if (s->s3->tmp.cert_request) + { + ret=ssl3_get_client_certificate(s); + if (ret <= 0) goto end; + } s->init_num=0; s->state=SSL3_ST_SR_KEY_EXCH_A; } -- 2.25.1