From cd4ae7193d086427b5e506862f070af24ee46e5e Mon Sep 17 00:00:00 2001
From: Nick Mathewson
Date: Tue, 11 Mar 2008 17:21:47 +0000
Subject: [PATCH] r18748@catbus: nickm | 2008-03-11 13:21:33 -0400 Backport: Request client certs when renegotiating on server-side. Spotted by lodger. Bugfix on 0.2.0.x. svn:r13974
---
 ChangeLog | 2 ++
 src/common/tortls.c | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index fb0d701cd..81a2bca27 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -14,6 +14,8 @@ Changes in version 0.2.0.22-rc - 2008-03-??
 events. Caught by mwenge; bugfix on 0.1.2.x. - Fix the SVK version detection logic to work correctly on a branch. Bugfix on 0.2.0.x. + - Make sure servers always request certificates from clients during + TLS renegotiation. Bugfix on 0.2.0.x. Changes in version 0.2.0.21-rc - 2008-03-02
diff --git a/src/common/tortls.c b/src/common/tortls.c
index 24e0a4071..255237e1e 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -930,7 +930,7 @@ tor_tls_handshake(tor_tls_t *tls)
 tls->state = TOR_TLS_ST_OPEN;
 if (tls->isServer) {
 SSL_set_info_callback(tls->ssl, NULL);
- SSL_set_verify(tls->ssl, SSL_VERIFY_NONE, always_accept_verify_cb);
+ SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, always_accept_verify_cb);
 /* There doesn't seem to be a clear OpenSSL API to clear mode flags. */
 tls->ssl->mode &= ~SSL_MODE_NO_AUTO_CHAIN;
 #ifdef V2_HANDSHAKE_SERVER
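Review bot: The new `SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, always_accept_verify_cb);` line only makes the server send a certificate request during the renegotiation; because the callback is the always-accept one, OpenSSL's own verification verdict is discarded and nothing in this hunk inspects the certificate the client presents. That is presumably intended, with the certificate being checked after renegotiation elsewhere, but the line deserves a comment saying so, since a reader could otherwise take SSL_VERIFY_PEER plus a verify callback for real peer validation: `/* SSL_VERIFY_PEER here only makes us request a client cert on renegotiation; always_accept_verify_cb accepts anything, so the cert must be checked separately once renegotiation completes. */`. The enclosing tor_tls_handshake starts and ends outside the hunk.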