-rw-r--r--ChangeLog10
-rw-r--r--tls.c28
2 files changed, 25 insertions, 13 deletions
diff --git a/ChangeLog b/ChangeLog
index 29195f7..5f044df 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2012-09-14 1.6.1-dev
+ Bug fixes (security):
+ - When verifying clients, don't consider config blocks with CA
+ settings ('tls') which differ from the one used for verifying the
+ certificate chain. Reported by Ralf Paffrath. (RADSECPROXY-43)
+
+ Bug fixes:
+ - Make naptr-eduroam.sh check NAPTR type case insensitively.
+ Fix from Adam Osuchowski.
+
2012-04-27 1.6
Incompatible changes:
- The default shared secret for TLS and DTLS connections change
diff --git a/tls.c b/tls.c
index ba2c5a3..084c0ce 100644
--- a/tls.c
+++ b/tls.c
@@ -385,6 +385,7 @@ void *tlsservernew(void *arg) {
SSL_CTX *ctx = NULL;
unsigned long error;
struct client *client;
+ struct tls *accepted_tls = NULL;
s = *(int *)arg;
if (getpeername(s, (struct sockaddr *)&from, &fromlen)) {
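Review bot: The new `accepted_tls` declaration carries the invariant the whole fix rests on, yet neither the declaration here nor the comparison in the next hunk says so; a maintainer reworking the match loop could drop the check without noticing it reopens RADSECPROXY-43. I would annotate the declaration, e.g. `struct tls *accepted_tls = NULL; /* tls block whose CA settings verified the peer chain; only confs sharing it may match */`. The match in the next hunk is pointer identity on `conf->tlsconf`, which is presumably right because client blocks naming the same 'tls' block share one struct, but that is worth confirming, since a loader that duplicated the struct per client block would make otherwise-identical CA settings fail to match. A conf rejected by that check also falls through to the generic "no matching TLS client" warning, so a `debug()` line at the mismatch would make this outcome distinguishable in the logs. tlsservernew's body starts before this hunk and continues past it.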
@@ -412,22 +413,23 @@ void *tlsservernew(void *arg) {
cert = verifytlscert(ssl);
if (!cert)
goto exit;
+ accepted_tls = conf->tlsconf;
}
while (conf) {
- if (verifyconfcert(cert, conf)) {
- X509_free(cert);
- client = addclient(conf, 1);
- if (client) {
- client->ssl = ssl;
- client->addr = addr_copy((struct sockaddr *)&from);
- tlsserverrd(client);
- removeclient(client);
- } else
- debug(DBG_WARN, "tlsservernew: failed to create new client instance");
- goto exit;
- }
- conf = find_clconf(handle, (struct sockaddr *)&from, &cur);
+ if (accepted_tls == conf->tlsconf && verifyconfcert(cert, conf)) {
+ X509_free(cert);
+ client = addclient(conf, 1);
+ if (client) {
+ client->ssl = ssl;
+ client->addr = addr_copy((struct sockaddr *)&from);
+ tlsserverrd(client);
+ removeclient(client);
+ } else
+ debug(DBG_WARN, "tlsservernew: failed to create new client instance");
+ goto exit;
+ }
+ conf = find_clconf(handle, (struct sockaddr *)&from, &cur);
}
debug(DBG_WARN, "tlsservernew: ignoring request, no matching TLS client");
if (cert)