identification_t *peer;
/**
- * Is it acceptable if we couldn't verify the peer certificate?
- */
- bool peer_auth_optional;
-
- /**
* State we are in
*/
server_state_t state;
DBG1(DBG_TLS, "received TLS peer certificate '%Y'",
cert->get_subject(cert));
first = FALSE;
- if (this->peer == NULL)
- { /* apply identity to authenticate */
- this->peer = cert->get_subject(cert);
- this->peer = this->peer->clone(this->peer);
- this->peer_auth_optional = TRUE;
- }
}
else
{
{
DBG1(DBG_TLS, "no trusted certificate found for '%Y' to verify TLS peer",
this->peer);
- if (!this->peer_auth_optional)
- { /* client authentication is required */
- this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
- return NEED_MORE;
- }
/* reset peer identity, we couldn't authenticate it */
this->peer->destroy(this->peer);
this->peer = NULL;
}
/* otherwise fall through to next state */
case STATE_KEY_EXCHANGE_SENT:
- return send_certificate_request(this, type, writer);
+ if (this->peer)
+ {
+ return send_certificate_request(this, type, writer);
+ }
+ /* otherwise fall through to next state */
case STATE_CERTREQ_SENT:
return send_hello_done(this, type, writer);
case STATE_CIPHERSPEC_CHANGED_OUT:
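Review bot: The new `if (this->peer)` guard before `send_certificate_request` makes a configured peer identity the sole signal that client authentication is required, but the `no trusted certificate found` branch above now only destroys `this->peer` and sets it to NULL, since the `TLS_FATAL, TLS_CERTIFICATE_UNKNOWN` alert and the `return NEED_MORE` were removed together with `peer_auth_optional`. After that reset the server state looks exactly like the "no client certificate requested" case, so unless a later state re-checks that `this->peer` is still set before finishing the handshake (not visible here), a client presenting an untrusted certificate is silently downgraded to an unauthenticated session instead of being rejected. If that later check exists, a comment at the reset such as `/* peer cleared: a later state must reject the handshake if client auth was required */` would make the intent clear; if it does not, the fatal alert should stay in that branch. Both enclosing functions, the certificate processing and the state-machine switch, begin and end outside the hunks shown.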