pt-tls-server: Explicitly request client authentication if necessary
The PT_TLS_AUTH_TLS_OR_SASL case currently can't be implemented properly, because TLS authentication is enforced whenever a client identity is configured on the TLS server socket.
This commit is contained in:
parent
4b7cfb252e
commit
602947d48a
@ -524,6 +524,18 @@ pt_tls_server_t *pt_tls_server_create(identification_t *server, int fd,
pt_tls_auth_t auth, tnccs_t *tnccs)
pt_tls_auth_t auth, tnccs_t *tnccs)
{
{
private_pt_tls_server_t *this;
private_pt_tls_server_t *this;
identification_t *client = NULL;
switch (auth)
{
case PT_TLS_AUTH_TLS:
case PT_TLS_AUTH_TLS_OR_SASL:
case PT_TLS_AUTH_TLS_AND_SASL:
client = identification_create_from_encoding(ID_ANY, chunk_empty);
break;
default:
break;
}
INIT(this,
INIT(this,
.public = {
.public = {
@ -532,12 +544,14 @@ pt_tls_server_t *pt_tls_server_create(identification_t *server, int fd,
.destroy = _destroy,
.destroy = _destroy,
},
},
.state = PT_TLS_SERVER_VERSION,
.state = PT_TLS_SERVER_VERSION,
.tls = tls_socket_create(TRUE, server, NULL, fd, NULL, TLS_UNSPEC,
.tls = tls_socket_create(TRUE, server, client, fd, NULL, TLS_UNSPEC,
TLS_UNSPEC, FALSE),
TLS_UNSPEC, FALSE),
.tnccs = (tls_t*)tnccs,
.tnccs = (tls_t*)tnccs,
.auth = auth,
.auth = auth,
);
);
DESTROY_IF(client);
if (!this->tls)
if (!this->tls)
{
{
this->tnccs->destroy(this->tnccs);
this->tnccs->destroy(this->tnccs);
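Review bot: `DESTROY_IF(client);` directly after the INIT block frees the identity that was just handed to `tls_socket_create()` on the `.tls` line, so this is only correct if the TLS socket clones `client` instead of keeping the pointer; a short comment stating that, e.g. `/* client is a template only: tls_socket_create() clones it, we keep ownership */`, would stop a later reader from reading it as a use-after-free or moving the destroy past the handshake. If the socket layer does retain the raw pointer, the reference dangles once the first record is processed, which is worth confirming against tls_socket_create() before merging. Related, in the first hunk the result of `identification_create_from_encoding()` is not checked: should it ever return NULL, `client` stays NULL and client authentication is silently not requested for the TLS modes, which is the very enforcement this change adds, so a `return NULL;` on that path would keep the failure loud. pt_tls_server_create() continues past both hunks.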