authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-06-27 11:01:08 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2017-08-10 17:13:46 +0200
commit259d1252b9da852363b62efb671d6f57b3d5415c (patch)
tree8777f7a394a2b89a4577a559d83d5117afaa3b17 /src
parentc24a68e4f79a411d2936fd591628bf55c70d9e3b (diff)
downloadgnutls-259d1252b9da852363b62efb671d6f57b3d5415c.tar.gz
gnutls-serv: --require-client-cert no longer implies --verify-client-cert
That is, it is now possible to require a client certificate without verifying it. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'src')
-rw-r--r--src/serv-args.def3
-rw-r--r--src/serv.c2
2 files changed, 3 insertions, 2 deletions
diff --git a/src/serv-args.def b/src/serv-args.def
index f5b7f9c6a0..f04641e0e2 100644
--- a/src/serv-args.def
+++ b/src/serv-args.def
@@ -107,7 +107,8 @@ flag = {
name = require-client-cert;
value = r;
descrip = "Require a client certificate";
- doc = "";
+ doc = "This option before 3.6.0 used to imply --verify-client-cert.
+Since 3.6.0 it will no longer verify the certificate by default.";
};
flag = {
diff --git a/src/serv.c b/src/serv.c
index c0937b6f7e..c6c2e18bf8 100644
--- a/src/serv.c
+++ b/src/serv.c
@@ -270,7 +270,7 @@ int ret;
if (!require_cert && gnutls_certificate_get_peers(session, &size) == NULL)
return 0;
- if (require_cert || ENABLED_OPT(VERIFY_CLIENT_CERT)) {
+ if (ENABLED_OPT(VERIFY_CLIENT_CERT)) {
if (cert_verify(session, NULL, NULL) == 0) {
do {
ret = gnutls_alert_send(session, GNUTLS_AL_FATAL, GNUTLS_A_ACCESS_DENIED);
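Review bot: With `require_cert` dropped from the condition at `if (ENABLED_OPT(VERIFY_CLIENT_CERT)) {`, a server started with only --require-client-cert reaches no `cert_verify()` call on the visible lines, so any certificate the client presents, including a self-signed one, appears to be accepted. That is the stated intent of the commit, but it is silent for deployments that relied on the old implication, and nothing at the condition records it. I would add a comment above the condition, e.g. `/* require_cert only demands that a certificate is sent; the peer is authenticated only with --verify-client-cert */`. If the part of the function outside this hunk does not already do so, the unverified path should also log that the peer certificate was not verified. The function body starts before and continues after the hunk, so the rest of the unverified path is not visible here.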