Only accept a client certificate if the server requests

one, as required by SSL/TLS specs.
author: Dr. Stephen Henson <steve@openssl.org> 2003-09-03 23:47:34 +0000
committer: Dr. Stephen Henson <steve@openssl.org> 2003-09-03 23:47:34 +0000
commit: 14f3d7c5ccd38875d5f3ee2007baec5a7240adc0 (patch)
tree: b3c5d1ce8e250369178588ef5c8b10ba87bcdd7d /ssl
parent: 510dc1ecd00296a17a9b680288290942d82beddf (diff)
1 files changed, 5 insertions, 4 deletions
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 32ddc48090..ca39d6b1c8 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -456,10 +456,11 @@ int ssl3_accept(SSL *s)
 			if (ret == 2)
 				s->state = SSL3_ST_SR_CLNT_HELLO_C;
 			else {
-				/* could be sent for a DH cert, even if we
-				 * have not asked for it :-) */
-				ret=ssl3_get_client_certificate(s);
-				if (ret <= 0) goto end;
+				if (s->s3->tmp.cert_request)
+					{
+					ret=ssl3_get_client_certificate(s);
+					if (ret <= 0) goto end;
+					}
 				s->init_num=0;
 				s->state=SSL3_ST_SR_KEY_EXCH_A;
 			}
author	Dr. Stephen Henson <steve@openssl.org>	2003-09-03 23:47:34 +0000
committer	Dr. Stephen Henson <steve@openssl.org>	2003-09-03 23:47:34 +0000
commit	14f3d7c5ccd38875d5f3ee2007baec5a7240adc0 (patch)
tree	b3c5d1ce8e250369178588ef5c8b10ba87bcdd7d /ssl
parent	510dc1ecd00296a17a9b680288290942d82beddf (diff)