aboutsummaryrefslogtreecommitdiff
path: root/ssl.c
diff options
context:
space:
mode:
authorDavid Sommerseth <davids@redhat.com>2011-03-30 14:14:21 +0200
committerDavid Sommerseth <davids@redhat.com>2011-03-31 11:29:50 +0200
commit272aef2f0fd6b8c81c397fc32a503776e2b4bef1 (patch)
tree53adc5b8d6d3a5ce3059a22fea3e94319f8218f0 /ssl.c
parentClarify --tmp-dir option (diff)
downloadopenvpn-272aef2f0fd6b8c81c397fc32a503776e2b4bef1.tar.xz
Fix the --client-cert-not-required feature
Commit 2e8337de248ef0b5b48cbb2964da0d5c3f28b15b introduced a new feature for using other SSL certificate fields for authentication than the CN field. This commit introduced a bug, which made the verify_callback() function getting called even if --client-cert-not-required was enabled in the config. The reason for this was that an 'else' statement was lacking a couple of curly braces. The offending commit in reality moved the setup of the verify_callback() function out of the 'else' statement. Report-URL: https://community.openvpn.net/openvpn/ticket/108 Report-URL: https://forums.openvpn.net/topic7751.html Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Jan Just Keijser <janjust@nikhef.nl> (cherry picked from commit 008a18e772bf1854f9a2102bef4b3d5b0a08a66b)
Diffstat (limited to '')
-rw-r--r--ssl.c10
1 files changed, 6 insertions, 4 deletions
diff --git a/ssl.c b/ssl.c
index ed10714..6d9a9fd 100644
--- a/ssl.c
+++ b/ssl.c
@@ -1874,13 +1874,15 @@ init_ssl (const struct options *options)
}
else
#endif
+ {
#ifdef ENABLE_X509ALTUSERNAME
- x509_username_field = (char *) options->x509_username_field;
+ x509_username_field = (char *) options->x509_username_field;
#else
- x509_username_field = X509_USERNAME_FIELD_DEFAULT;
+ x509_username_field = X509_USERNAME_FIELD_DEFAULT;
#endif
- SSL_CTX_set_verify (ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
- verify_callback);
+ SSL_CTX_set_verify (ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
+ verify_callback);
+ }
/* Connection information callback */
SSL_CTX_set_info_callback (ctx, info_callback);