hi,
The attached patch adds support for --client-cert-not-required with
PolarSSL. Please apply.
thanks,
--
[-]
mkdir /nonexistent
From 968ddad1f32641f0218e5362092a4b2066529405 Mon Sep 17 00:00:00 2001
From: Tamas TEVESZ <i...@extreme.hu>
Date: Sat, 8 Jun 2013 07:00:16 +0200
Subject: [PATCH] Add support for client-cert-not-required for PolarSSL.
Signed-off-by: Tamas TEVESZ <i...@extreme.hu>
---
src/openvpn/ssl_polarssl.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/src/openvpn/ssl_polarssl.c b/src/openvpn/ssl_polarssl.c
index a82b233..8a917b3 100644
--- a/src/openvpn/ssl_polarssl.c
+++ b/src/openvpn/ssl_polarssl.c
@@ -533,8 +533,20 @@ void key_state_ssl_init(struct key_state_ssl *ks_ssl,
ssl_set_own_cert( ks_ssl->ctx, ssl_ctx->crt_chain, ssl_ctx->priv_key );
/* Initialise SSL verification */
- ssl_set_authmode (ks_ssl->ctx, SSL_VERIFY_REQUIRED);
- ssl_set_verify (ks_ssl->ctx, verify_callback, session);
+#if P2MP_SERVER
+ if (session->opt->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED)
+ {
+ msg (M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION "
+ "--client-cert-not-required may accept clients which do not present "
+ "a certificate");
+ }
+ else
+#endif
+ {
+ ssl_set_authmode (ks_ssl->ctx, SSL_VERIFY_REQUIRED);
+ ssl_set_verify (ks_ssl->ctx, verify_callback, session);
+ }
+
/* TODO: PolarSSL does not currently support sending the CA chain to the client */
ssl_set_ca_chain (ks_ssl->ctx, ssl_ctx->ca_chain, NULL, NULL );
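Review bot: In the SSLF_CLIENT_CERT_NOT_REQUIRED branch the new code sets no authmode at all and installs no verify callback, so the context is left at whatever value it had after initialisation and any certificate a client does present is never passed through verify_callback; the intended mode should be stated explicitly, e.g. `ssl_set_authmode (ks_ssl->ctx, SSL_VERIFY_NONE);` inside the `if` body alongside the warning, so the behaviour does not depend on the library's default. Because verify_callback is skipped in that branch, any server-side checks that run from it will presumably not apply to clients that do send a certificate in this mode; that is worth a comment next to the warning, such as `/* no ssl_set_verify(): presented certificates are not checked in this mode */`, or a switch to SSL_VERIFY_OPTIONAL with the callback kept if the library's semantics for that mode are confirmed. The enclosing function key_state_ssl_init starts and ends outside the hunk.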
--
1.7.9.5