From e865dcb354ca93aa964d80638dac958fc7350c2b Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Thu, 12 Feb 2015 10:07:35 +0100
Subject: [PATCH] In certificate verification separate between no certificate and verification failure
---
 src/tlslib.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/src/tlslib.c b/src/tlslib.c
index 4e3c27dd..ec645ade 100644
--- a/src/tlslib.c
+++ b/src/tlslib.c
@@ -368,6 +368,10 @@ static int verify_certificate_cb(gnutls_session_t session)
 * structure. So you must have installed one or more CA certificates.
 */
 ret = gnutls_certificate_verify_peers2(session, &status);
+ if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND) {
+ oclog(ws, LOG_ERR, "no certificate was found");
+ goto no_cert;
+ }
 if (ret < 0) {
 oclog(ws, LOG_ERR, "error verifying client certificate: %s", gnutls_strerror(ret));
 goto fail;
@@ -395,14 +399,11 @@ static int verify_certificate_cb(gnutls_session_t session)
 /* notify gnutls to continue handshake normally */
 return 0;
-fail:
- /* In cisco client compatibility we don't hangup immediately, we
- * simply use the flag (ws->cert_auth_ok). */
+no_cert:
 if (ws->config->cisco_client_compat != 0 || ws->config->cert_req != GNUTLS_CERT_REQUIRE)
 return 0;
- else
- return GNUTLS_E_CERTIFICATE_ERROR;
-
+fail:
+ return GNUTLS_E_CERTIFICATE_ERROR;
 }
 void tls_global_init(tls_st *creds)
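Review bot: The comment explaining why a missing certificate lets the handshake continue was deleted together with the old `fail:` label and not carried over to the new `no_cert:` label in the second hunk, so the `return 0` under `cisco_client_compat != 0 || cert_req != GNUTLS_CERT_REQUIRE` is now undocumented and the fall-through from `no_cert:` into `fail:` reads as accidental. I would restore it above `no_cert:`, e.g. `/* No certificate: in cisco client compatibility, or when a client certificate is not required, do not hang up here; the handshake continues and ws->cert_auth_ok stays unset. Otherwise fall through to fail. */` — the role of ws->cert_auth_ok is taken from the removed comment and should be confirmed against the rest of verify_certificate_cb, which starts and ends outside these hunks. With this change a genuine verification failure now returns GNUTLS_E_CERTIFICATE_ERROR even in cisco compatibility mode, which matches the commit subject but is worth stating in that comment as well. In the first hunk, `oclog(ws, LOG_ERR, "no certificate was found")` fires on what is a normal condition whenever cert_req is not GNUTLS_CERT_REQUIRE; LOG_INFO would be the more accurate level there.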