When verifying clients, don't consider config blocks with CA
settings ('tls') which differ from the one used for verifying the
certificate chain. Reported by Ralf Paffrath.
Reported and analysed by Ralf Paffrath.
Addresses issue RADSECPROXY-43.
+2012-09-14 1.6.1-dev
+ Bug fixes (security):
+ - When verifying clients, don't consider config blocks with CA
+ settings ('tls') which differ from the one used for verifying the
+ certificate chain. Reported by Ralf Paffrath. (RADSECPROXY-43)
+
+ Bug fixes:
+ - Make naptr-eduroam.sh check NAPTR type case insensitively.
+ Fix from Adam Osuchowski.
+
2012-04-27 1.6
Incompatible changes:
- The default shared secret for TLS and DTLS connections change
2012-04-27 1.6
Incompatible changes:
- The default shared secret for TLS and DTLS connections change
SSL_CTX *ctx = NULL;
unsigned long error;
struct client *client;
SSL_CTX *ctx = NULL;
unsigned long error;
struct client *client;
+ struct tls *accepted_tls = NULL;
s = *(int *)arg;
if (getpeername(s, (struct sockaddr *)&from, &fromlen)) {
s = *(int *)arg;
if (getpeername(s, (struct sockaddr *)&from, &fromlen)) {
cert = verifytlscert(ssl);
if (!cert)
goto exit;
cert = verifytlscert(ssl);
if (!cert)
goto exit;
+ accepted_tls = conf->tlsconf;
- if (verifyconfcert(cert, conf)) {
- X509_free(cert);
- client = addclient(conf, 1);
- if (client) {
- client->ssl = ssl;
- client->addr = addr_copy((struct sockaddr *)&from);
- tlsserverrd(client);
- removeclient(client);
- } else
- debug(DBG_WARN, "tlsservernew: failed to create new client instance");
- goto exit;
- }
- conf = find_clconf(handle, (struct sockaddr *)&from, &cur);
+ if (accepted_tls == conf->tlsconf && verifyconfcert(cert, conf)) {
+ X509_free(cert);
+ client = addclient(conf, 1);
+ if (client) {
+ client->ssl = ssl;
+ client->addr = addr_copy((struct sockaddr *)&from);
+ tlsserverrd(client);
+ removeclient(client);
+ } else
+ debug(DBG_WARN, "tlsservernew: failed to create new client instance");
+ goto exit;
+ }
+ conf = find_clconf(handle, (struct sockaddr *)&from, &cur);
}
debug(DBG_WARN, "tlsservernew: ignoring request, no matching TLS client");
if (cert)
}
debug(DBG_WARN, "tlsservernew: ignoring request, no matching TLS client");
if (cert)