
[or-cvs] r13974: Backport: Request client certs when renegotiating on server- (in tor/branches/tor-0_2_0-patches: . src/common)



Author: nickm
Date: 2008-03-11 13:21:47 -0400 (Tue, 11 Mar 2008)
New Revision: 13974

Modified:
   tor/branches/tor-0_2_0-patches/
   tor/branches/tor-0_2_0-patches/ChangeLog
   tor/branches/tor-0_2_0-patches/src/common/tortls.c
Log:
 r18748@catbus:  nickm | 2008-03-11 13:21:33 -0400
 Backport: Request client certs when renegotiating on server-side. Spotted by lodger.  Bugfix on 0.2.0.x.



Property changes on: tor/branches/tor-0_2_0-patches
___________________________________________________________________
 svk:merge ticket from /tor/020 [r18748] on 8246c3cf-6607-4228-993b-4d95d33730f1

Modified: tor/branches/tor-0_2_0-patches/ChangeLog
===================================================================
--- tor/branches/tor-0_2_0-patches/ChangeLog	2008-03-11 17:21:44 UTC (rev 13973)
+++ tor/branches/tor-0_2_0-patches/ChangeLog	2008-03-11 17:21:47 UTC (rev 13974)
@@ -14,6 +14,8 @@
       events.  Caught by mwenge; bugfix on 0.1.2.x.
     - Fix the SVK version detection logic to work correctly on a branch.
       Bugfix on 0.2.0.x.
+    - Make sure servers always request certificates from clients during
+      TLS renegotiation. Bugfix on 0.2.0.x.
 
 
 Changes in version 0.2.0.21-rc - 2008-03-02
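Review bot: the new ChangeLog entry drops the reporter credit that the commit message carries ("Spotted by lodger"), while the entry just above it in the same hunk follows the file's convention of naming who caught the bug ("Caught by mwenge; bugfix on 0.1.2.x"). Suggest: "Make sure servers always request certificates from clients during TLS renegotiation. Spotted by lodger; bugfix on 0.2.0.x." The entry could also say why it matters, since "request certificates" undersells it: a server that never sends a CertificateRequest never receives a client certificate, so whatever identity check follows the renegotiation has nothing to look at.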

Modified: tor/branches/tor-0_2_0-patches/src/common/tortls.c
===================================================================
--- tor/branches/tor-0_2_0-patches/src/common/tortls.c	2008-03-11 17:21:44 UTC (rev 13973)
+++ tor/branches/tor-0_2_0-patches/src/common/tortls.c	2008-03-11 17:21:47 UTC (rev 13974)
@@ -930,7 +930,7 @@
     tls->state = TOR_TLS_ST_OPEN;
     if (tls->isServer) {
       SSL_set_info_callback(tls->ssl, NULL);
-      SSL_set_verify(tls->ssl, SSL_VERIFY_NONE, always_accept_verify_cb);
+      SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, always_accept_verify_cb);
       /* There doesn't seem to be a clear OpenSSL API to clear mode flags. */
       tls->ssl->mode &= ~SSL_MODE_NO_AUTO_CHAIN;
 #ifdef V2_HANDSHAKE_SERVER
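Review bot: SSL_VERIFY_PEER on the + line makes OpenSSL send a CertificateRequest in the server-side renegotiation, but because SSL_VERIFY_FAIL_IF_NO_PEER_CERT is not set and the callback is still always_accept_verify_cb (which, judging by its name, returns success regardless of the verify result), a client that presents no certificate, or one that fails chain verification, still completes the handshake. That is presumably intended, with Tor checking the peer certificate itself after the handshake, but nothing at the call site says so; suggest a one-line comment above SSL_set_verify, e.g. "/* Ask the client for a cert, but let the handshake succeed without one; the caller inspects the peer cert itself. */", so a later reader does not "fix" this in either direction. It is also worth confirming that the initial (non-renegotiation) server handshake sets the same verify mode, since this hunk only touches the path where tls->state becomes TOR_TLS_ST_OPEN with tls->isServer set; the two paths should not differ in whether a client certificate is requested.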