summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--ChangeLog6
-rw-r--r--dtls.c4
2 files changed, 9 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index 39b030a..0422ffd 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2012-10-22 1.6.2-dev
+ Bug fixes (security):
+ - Fix the issue with verification of clients when using multiple
+ 'tls' config blocks (RADSECPROXY-43) for DTLS too. Reported by
+ Raphael Geisser.
+
2012-09-14 1.6.1
Bug fixes (security):
- When verifying clients, don't consider config blocks with CA
diff --git a/dtls.c b/dtls.c
index bbebfef..3772113 100644
--- a/dtls.c
+++ b/dtls.c
@@ -354,6 +354,7 @@ void *dtlsservernew(void *arg) {
X509 *cert = NULL;
SSL_CTX *ctx = NULL;
uint8_t delay = 60;
+ struct tls *accepted_tls = NULL;
debug(DBG_DBG, "dtlsservernew: starting");
conf = find_clconf(handle, (struct sockaddr *)&params->addr, NULL);
@@ -367,10 +368,11 @@ void *dtlsservernew(void *arg) {
cert = verifytlscert(ssl);
if (!cert)
goto exit;
+ accepted_tls = conf->tlsconf;
}
while (conf) {
- if (verifyconfcert(cert, conf)) {
+ if (accepted_tls == conf->tlsconf && verifyconfcert(cert, conf)) {
X509_free(cert);
client = addclient(conf, 1);
if (client) {