r18747@catbus: nickm | 2008-03-11 13:21:25 -0400

Request client certs when renegotiating on server-side. Spotted by lodger.  Bugfix on 0.2.0.x.


svn:r13973
Nick Mathewson 2008-03-11 17:21:44 +00:00
parent 2cb7f63c9c
commit 24f91d2876
2 changed files with 3 additions and 1 deletions


@ -11,6 +11,8 @@ Changes in version 0.2.1.1-alpha - 2008-??-??
events. Caught by mwenge; bugfix on 0.1.2.x.
- Fix the SVK version detection logic to work correctly on a branch.
Bugfix on 0.2.0.x.
- Make sure servers always request certificates from clients during
TLS renegotiation. Bugfix on 0.2.0.x.
o Minor features:
- Allow separate log levels to be configured for different logging
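Review bot: The new ChangeLog entry ("Make sure servers always request certificates from clients during TLS renegotiation. Bugfix on 0.2.0.x.") leaves out the reporter credit that the commit message gives ("Spotted by lodger") and that the entry just above it includes in the form "Caught by mwenge; bugfix on 0.1.2.x.". Suggest ending the entry with "Spotted by lodger; bugfix on 0.2.0.x." so it matches the neighbouring entries. A few words on what a server failed to do before the fix would also help a reader decide whether the upgrade matters to them.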


@ -930,7 +930,7 @@ tor_tls_handshake(tor_tls_t *tls)
tls->state = TOR_TLS_ST_OPEN;
if (tls->isServer) {
SSL_set_info_callback(tls->ssl, NULL);
SSL_set_verify(tls->ssl, SSL_VERIFY_NONE, always_accept_verify_cb);
SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, always_accept_verify_cb);
/* There doesn't seem to be a clear OpenSSL API to clear mode flags. */
tls->ssl->mode &= ~SSL_MODE_NO_AUTO_CHAIN;
#ifdef V2_HANDSHAKE_SERVER
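Review bot: The replacement call SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, always_accept_verify_cb) in the isServer branch requests a client certificate on renegotiation but does not require one. Without SSL_VERIFY_FAIL_IF_NO_PEER_CERT, OpenSSL lets the handshake complete when the client sends no certificate, and the callback, going by its name, accepts whatever chain is presented. If code after renegotiation treats the peer as authenticated, it needs to check explicitly that a peer certificate is present and validate it there. Please add a short comment above this line saying why the verify mode is switched at this point and where the certificate is actually checked, since the only comment in the block is about mode flags.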