From 4b7cfb252e583c9ef46ebf5a569faa53cb747a8d Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Thu, 18 Feb 2021 12:31:17 +0100
Subject: [PATCH] tls-server: Use subject DN as peer identity if it was ID_ANY

To request client authentication if we don't know the client's identity, it's possible to use ID_ANY. However, if we don't change the identity get_peer_id() would still report ID_ANY after the authentication.
---
 src/libtls/tls_server.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c
index 687fd0ce2..247b9f636 100644
--- a/src/libtls/tls_server.c
+++ b/src/libtls/tls_server.c
@@ -729,6 +729,12 @@ static status_t process_certificate(private_tls_server_t *this,
 DBG1(DBG_TLS, "received TLS peer certificate '%Y'",
 cert->get_subject(cert));
 first = FALSE;
+if (this->peer && this->peer->get_type(this->peer) == ID_ANY)
+{
+this->peer->destroy(this->peer);
+this->peer = cert->get_subject(cert);
+this->peer = this->peer->clone(this->peer);
+}
 }
 else
 {
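Review bot: The ID_ANY placeholder is replaced with the subject of the first received certificate at the moment that certificate is parsed, before anything in this hunk has verified it, so if the later verification fails (that step appears to be outside this hunk) or a caller queries `get_peer_id()` mid-handshake, the reported identity is a DN supplied by the not-yet-authenticated client rather than ID_ANY. A comment should make that ordering explicit, e.g. `/* replace ID_ANY with the subject DN of the received end-entity cert; it is only trustworthy once the chain is verified later in the handshake */`, and callers of `get_peer_id()` should be checked to rely on it only after the handshake has completed. The two-step assignment through `this->peer` also reads oddly, since it briefly stores a pointer borrowed from the certificate in the owned field; `identification_t *subject = cert->get_subject(cert);` followed by `this->peer = subject->clone(subject);` expresses the same thing without that intermediate state. The enclosing `process_certificate` starts and ends outside the hunk.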