Diffstat (limited to 'debian/patches/fix-tls-client-cert-common-name-2.patch')
-rw-r--r-- | debian/patches/fix-tls-client-cert-common-name-2.patch | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/debian/patches/fix-tls-client-cert-common-name-2.patch b/debian/patches/fix-tls-client-cert-common-name-2.patch
new file mode 100644
index 0000000..f7207db
--- /dev/null
+++ b/debian/patches/fix-tls-client-cert-common-name-2.patch
@@ -0,0 +1,29 @@
+From 3d08027f30c6d9c1eaccf7d60c68c8f7d78017c3 Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok" <aland@freeradius.org>
+Date: Wed, 26 Oct 2022 07:31:43 -0400
+Subject: [PATCH] fix cert order only for lookup=0. Fixes #4785
+
+---
+ src/main/tls.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/main/tls.c b/src/main/tls.c
+index a33699cbb66e..c67148cf12c7 100644
+--- a/src/main/tls.c
++++ b/src/main/tls.c
+@@ -3015,7 +3015,14 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
+ */
+ if (lookup > 1) {
+ if (!my_ok) lookup = 1;
+- } else {
++
++ } else if (lookup == 0) {
++ /*
++ * This flag is only set for outbound
++ * connections. And then allows us to remap SSL
++ * offset 0 (server) to our offset 1 (also
++ * server).
++ */
+ lookup = (SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_FIX_CERT_ORDER) != NULL);
+ }
+ |
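Review bot: Nothing in this commit adds the new patch to `debian/patches/series`. The diffstat lists only the patch file, so in a quilt-format source package the `cbtls_verify()` change is not applied at build time unless series already names `fix-tls-client-cert-common-name-2.patch` or a separate commit adds it. That is worth confirming before upload, because the fix decides which certificate slot the TLS attributes are recorded under, and policies may key on those attributes. Inside the patched code, the new comment explains the outbound flag but not the actual fix, which is that a `lookup` of 1 is now left as computed. One more comment line such as `* lookup == 1 is deliberately left untouched here.` would make that explicit. The patch header would also benefit from a DEP-3 `Origin: upstream, commit 3d08027f30c6d9c1eaccf7d60c68c8f7d78017c3` field so the provenance of the fix is traceable. The `cbtls_verify()` body starts and ends outside the hunk, so how `lookup` is initialised cannot be checked from here.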