Revert "OpenSSL: Do not accept SSL Client certificate for server"

This reverts commit 51e3eafb68. There are
too many deployed AAA servers that include both id-kp-clientAuth and
id-kp-serverAuth EKUs for this change to be acceptable as a generic rule
for AAA authentication server validation. OpenSSL enforces the policy of
not connecting if only id-kp-clientAuth is included. If a valid EKU is
listed with it, the connection needs to be accepted.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2014-02-19 11:56:02 +02:00
parent 94a3df500f
commit b62d5b5450
2 changed files with 1 additions and 15 deletions

View file

@ -41,8 +41,7 @@ enum tls_fail_reason {
TLS_FAIL_ALTSUBJECT_MISMATCH = 6, TLS_FAIL_ALTSUBJECT_MISMATCH = 6,
TLS_FAIL_BAD_CERTIFICATE = 7, TLS_FAIL_BAD_CERTIFICATE = 7,
TLS_FAIL_SERVER_CHAIN_PROBE = 8, TLS_FAIL_SERVER_CHAIN_PROBE = 8,
TLS_FAIL_DOMAIN_SUFFIX_MISMATCH = 9, TLS_FAIL_DOMAIN_SUFFIX_MISMATCH = 9
TLS_FAIL_SERVER_USED_CLIENT_CERT = 10
}; };
union tls_event_data { union tls_event_data {

View file

@ -105,7 +105,6 @@ struct tls_connection {
unsigned int ca_cert_verify:1; unsigned int ca_cert_verify:1;
unsigned int cert_probe:1; unsigned int cert_probe:1;
unsigned int server_cert_only:1; unsigned int server_cert_only:1;
unsigned int server:1;
u8 srv_cert_hash[32]; u8 srv_cert_hash[32];
@ -1480,16 +1479,6 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
TLS_FAIL_SERVER_CHAIN_PROBE); TLS_FAIL_SERVER_CHAIN_PROBE);
} }
if (!conn->server && err_cert && preverify_ok && depth == 0 &&
(err_cert->ex_flags & EXFLAG_XKUSAGE) &&
(err_cert->ex_xkusage & XKU_SSL_CLIENT)) {
wpa_printf(MSG_WARNING, "TLS: Server used client certificate");
openssl_tls_fail_event(conn, err_cert, err, depth, buf,
"Server used client certificate",
TLS_FAIL_SERVER_USED_CLIENT_CERT);
preverify_ok = 0;
}
if (preverify_ok && context->event_cb != NULL) if (preverify_ok && context->event_cb != NULL)
context->event_cb(context->cb_ctx, context->event_cb(context->cb_ctx,
TLS_CERT_CHAIN_SUCCESS, NULL); TLS_CERT_CHAIN_SUCCESS, NULL);
@ -2541,8 +2530,6 @@ openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data,
int res; int res;
struct wpabuf *out_data; struct wpabuf *out_data;
conn->server = !!server;
/* /*
* Give TLS handshake data from the server (if available) to OpenSSL * Give TLS handshake data from the server (if available) to OpenSSL
* for processing. * for processing.