authorDavid Sommerseth2011-03-30 14:14:21 +0200
committerDavid Sommerseth2011-03-31 11:29:18 +0200
commit008a18e772bf1854f9a2102bef4b3d5b0a08a66b (patch)
treea46d27edb4b6f137a184f2d164e244e818154173 /ssl.c
parentdc2ccc825c6952546132286c57b193d8bb9daacd (diff)
Fix the --client-cert-not-required feature
Commit 2e8337de248ef0b5b48cbb2964da0d5c3f28b15b introduced a new feature for using SSL certificate fields other than the CN field for authentication. That commit introduced a bug which caused the verify_callback() function to be called even if --client-cert-not-required was enabled in the config. The reason for this was that an 'else' statement was lacking a couple of curly braces. In effect, the offending commit moved the setup of the verify_callback() function out of the 'else' statement. Report-URL: https://community.openvpn.net/openvpn/ticket/108 Report-URL: https://forums.openvpn.net/topic7751.html Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Jan Just Keijser <janjust@nikhef.nl>
Diffstat (limited to 'ssl.c')
-rw-r--r--ssl.c10
1 files changed, 6 insertions, 4 deletions
diff --git a/ssl.c b/ssl.c
index 99889b6..bd7ac94 100644
--- a/ssl.c
+++ b/ssl.c
@@ -2151,13 +2151,15 @@ init_ssl (const struct options *options)
}
else
#endif
+ {
#ifdef ENABLE_X509ALTUSERNAME
- x509_username_field = (char *) options->x509_username_field;
+ x509_username_field = (char *) options->x509_username_field;
#else
- x509_username_field = X509_USERNAME_FIELD_DEFAULT;
+ x509_username_field = X509_USERNAME_FIELD_DEFAULT;
#endif
- SSL_CTX_set_verify (ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
- verify_callback);
+ SSL_CTX_set_verify (ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
+ verify_callback);
+ }
/* Connection information callback */
SSL_CTX_set_info_callback (ctx, info_callback);
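Review bot: The braces added after `else` / `#endif` have no comment explaining why they are required, and the peer-verification setup in this block is security-relevant. The `else` sits inside a preprocessor conditional that opens outside the hunk, so without braces only the first statement after `#endif` is bound to it and the `SSL_CTX_set_verify()` call falls outside the branch. I would add a comment on the opening brace such as `/* braces required: the whole block, including SSL_CTX_set_verify(), is the body of the conditionally compiled else above */`. It would also help to note there that when the surrounding conditional is compiled out, the block presumably becomes a plain compound statement, so `SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT` is always applied in that build. The body of init_ssl starts and ends outside the hunk, so the matching `if` should be checked against the full file.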