In certificate verification separate between no certificate and verification failure

src/tlslib.c

@@ -368,6 +368,10 @@ static int verify_certificate_cb(gnutls_session_t session)
 	 * structure. So you must have installed one or more CA certificates.
 	 */
 	ret = gnutls_certificate_verify_peers2(session, &status);
+	if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND) {
+		oclog(ws, LOG_ERR, "no certificate was found");
+		goto no_cert;
+	}
 	if (ret < 0) {
 		oclog(ws, LOG_ERR, "error verifying client certificate: %s", gnutls_strerror(ret));
 		goto fail;
@@ -395,14 +399,11 @@ static int verify_certificate_cb(gnutls_session_t session)
 
 	/* notify gnutls to continue handshake normally */
 	return 0;
-fail:
-	/* In cisco client compatibility we don't hangup immediately, we
-	 * simply use the flag (ws->cert_auth_ok). */
+no_cert:
 	if (ws->config->cisco_client_compat != 0 || ws->config->cert_req != GNUTLS_CERT_REQUIRE)
 		return 0;
-	else
-		return GNUTLS_E_CERTIFICATE_ERROR;
-
+fail:
+	return GNUTLS_E_CERTIFICATE_ERROR;
 }
 
 void tls_global_init(tls_st *creds)