Howard Chu authored 13 years ago and Quanah Gibson-Mount committed 13 years ago

This reverts commit 3cb2ca8b.
Patch has no benefit

ITS#7002

Rich Megginson authored 13 years ago and Quanah Gibson-Mount committed 13 years ago

If the olcTLSVerifyClient is set to a value other than "never", the server
should request that the client send a client certificate for possible use
with client cert auth (e.g. SASL/EXTERNAL).
If set to "allow", if the client sends a cert, and there are problems with
it, the server will warn about problems, but will allow the SSL session to
proceed without a client cert.
If set to "try", if the client sends a cert, and there are problems with
it, the server will warn about those problems, and shutdown the SSL session.
If set to "demand" or "hard", the client must send a cert, and the server
will shutdown the SSL session if there are problems.
I added a new member of the tlsm context structure - tc_warn_only - if this
is set, tlsm_verify_cert will only warn about errors, and only if TRACE
level debug is set.  This allows the server to warn but allow bad certs
if "allow" is set, and warn and fail if "try" is set.

Rich Megginson authored 13 years ago and Quanah Gibson-Mount committed 13 years ago

If tlsm_find_and_verify_cert_key finds the cert and/or key, and it fails
to verify them, it will leave them allocated for the caller to dispose of.
There were a couple of places that were not disposing of the cert and key
upon error.

Jan Vcelak authored 13 years ago and Quanah Gibson-Mount committed 13 years ago

When server certificate is not required in a TLS session (e.g.
TLS_REQCERT is set to 'never'), ignore expired issuer certificate error
and do not terminate the connection.