From 33ed371ec9cce59d19a2c1a6b29f105143377c38 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Wed, 3 Sep 2003 23:42:17 +0000
Subject: [PATCH] Only accept a client certificate if the server requests one,
 as required by SSL/TLS specs.

---
 CHANGES       | 5 +++++
 ssl/s3_srvr.c | 9 +++++----
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/CHANGES b/CHANGES
index 591f5cf6d9..52bbe03ba4 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1973,6 +1973,11 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
 
  Changes between 0.9.6j and 0.9.6k  [xx XXX 2003]
 
+  *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
+     if the server requested one: as stated in TLS 1.0 and SSL 3.0
+     specifications.
+     [Steve Henson]
+
   *) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional
      extra data after the compression methods not only for TLS 1.0
      but also for SSL 3.0 (as required by the specification).
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index bb029cfa1d..37cf730d0e 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -431,10 +431,11 @@ int ssl3_accept(SSL *s)
 			if (ret == 2)
 				s->state = SSL3_ST_SR_CLNT_HELLO_C;
 			else {
-				/* could be sent for a DH cert, even if we
-				 * have not asked for it :-) */
-				ret=ssl3_get_client_certificate(s);
-				if (ret <= 0) goto end;
+				if (s->s3->tmp.cert_request)
+					{
+					ret=ssl3_get_client_certificate(s);
+					if (ret <= 0) goto end;
+					}
 				s->init_num=0;
 				s->state=SSL3_ST_SR_KEY_EXCH_A;
 			}
-- 
2.25.1