Indicate properly the status of TLS authentication when a client has reconnected.

src/tlslib.c

@@ -121,6 +121,28 @@ ssize_t tls_recv(gnutls_session_t session, void *data, size_t data_size)
 	return ret;
 }
 
+/* Typically used in a resumed session. It will return
+ * true if a certificate has been used.
+ */
+unsigned tls_has_session_cert(struct worker_st * ws)
+{
+	unsigned int list_size = 0;
+	const gnutls_datum_t * certs;
+
+	if (ws->cert_auth_ok)
+		return 1;
+
+	if (ws->config->force_cert_auth != 0) {
+		return 0;
+	}
+
+	certs = gnutls_certificate_get_peers(ws->session, &list_size);
+	if (certs != NULL)
+		return 1;
+
+	return 0;
+}
+
 int __attribute__ ((format(printf, 2, 3)))
     tls_printf(gnutls_session_t session, const char *fmt, ...)
 {

src/tlslib.h

@@ -71,6 +71,8 @@ size_t tls_get_overhead(gnutls_protocol_t, gnutls_cipher_algorithm_t, gnutls_mac
 
 void tls_close(gnutls_session_t session);
 
+unsigned tls_has_session_cert(struct worker_st * ws);
+
 void tls_fatal_close(gnutls_session_t session,
 			    gnutls_alert_description_t a);
 

src/worker-auth.c

@@ -688,7 +688,8 @@ restart:
 			 */
 			complete_auth = 1;
 			ireq.user_name = ws->username;
-		} else
+			ireq.tls_auth_ok = tls_has_session_cert(ws);
+		} else {
 #endif
 		if (ws->config->auth_types & AUTH_TYPE_USERNAME_PASS) {
 			ret =
@@ -724,6 +725,10 @@ restart:
 			ireq.cert_group_name = tmp_group;
 		}
 
+#ifdef ANYCONNECT_CLIENT_COMPAT
+		}
+#endif
+
 		ireq.hostname = req->hostname;
 
 		ret = send_msg_to_main(ws, AUTH_INIT,