tls-server: Terminate connection if peer certificate is required but not sent

This change mainly affects legacy TLS versions, because TLS 1.3
connections are already terminated by the server when the peer does not
send a CertificateVerify message following its empty Certificate message.
This commit is contained in:
Pascal Knecht 2020-11-04 13:07:49 +01:00 committed by Tobias Brunner
parent 4bba89fff3
commit dc49d457a2
1 changed files with 6 additions and 0 deletions


@ -708,6 +708,12 @@ static status_t process_certificate(private_tls_server_t *this,
return NEED_MORE;
}
certs = bio_reader_create(data);
if (!certs->remaining(certs))
{
DBG1(DBG_TLS, "no certificate sent by peer");
this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
return NEED_MORE;
}
while (certs->remaining(certs))
{
if (!certs->read_data24(certs, &data))
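Review bot: The early return added in the `no certificate sent by peer` branch leaves the reader created by `bio_reader_create(data)` two lines above unreleased, so this fatal-alert path leaks it if, as seems likely, `certs` is only destroyed after the loop outside this hunk; add `certs->destroy(certs);` before `return NEED_MORE;` (the loop's own decode-error return, whose body begins on the last hunk line, presumably has the same shape and could be fixed in the same commit). The alert code is also worth reconsidering: an empty certificate list is a well-formed message, so TLS_DECODE_ERROR misdescribes the failure — RFC 5246 §7.4.6 specifies a fatal handshake_failure alert when the server declines to continue without client authentication, and RFC 8446 §4.4.2.4 requires certificate_required, so `TLS_HANDSHAKE_FAILURE` (or the TLS 1.3 alert, if the alert enum carries it) selected by negotiated version would be more accurate and more useful to the peer's operator when diagnosing the rejection. A one-line comment above the check, `/* peer authentication is required here: reject an empty certificate list */`, would record the precondition the commit title states, since the check that a certificate is actually required is not visible in this hunk. process_certificate begins before the hunk and continues after it.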