TLS tweaks for client certificate

2025-04-23 09:04:13 +00:00 · 2018-08-13 16:34:00 +01:00 · 2018-08-13 16:34:00 +01:00 · cb0ea3fb6d
commit cb0ea3fb6d
parent e87f59a429
3 changed files with 20 additions and 8 deletions
--- a/10
+++ b/10
@ -1,8 +1,16 @@
+2018-08-13  Richard Frith-Macdonald <rfm@gnu.org>
+
+	* Source/GSTLS.m: Change behavior so that when acting as a server we
+	always request that the client sends us a certificate (if it doesn't
+	have one, it should ignore the request). The 'verify' setting should
+	control only whether a request without a certificate is rejected.
+
 2018-08-08 Riccardo Mottola <rm@gnu.org>

 	* configure.ac
 	* configure:
-	When checking for pthread_np.h include pthread.h if available or it may fail (e.g. OpenBSD).
+	When checking for pthread_np.h include pthread.h if available or
+	it may fail (e.g. OpenBSD).

 2018-08-06  Richard Frith-Macdonald <rfm@gnu.org>

--- a/Source/GSTLS.h
+++ b/Source/GSTLS.h
@ -235,13 +235,13 @@ typedef ssize_t (*GSTLSIOW)(gnutls_transport_ptr_t, const void *, size_t);

 /** If the session verified a certificate from the remote end, returns the
 * name of the certificate issuer in the form "C=xxxx,O=yyyy,CN=zzzz" as
- * described in RFC2253.  Otherwise returns nil.
+ * described in RFC4514.  Otherwise returns nil.
 */
 - (NSString*) issuer;

 /** If the session verified a certificate from the remote end, returns the
 * name of the certificate owner in the form "C=xxxx,O=yyyy,CN=zzzz" as
- * described in RFC2253.  Otherwise returns nil.
+ * described in RFC4514.  Otherwise returns nil.
 */
 - (NSString*) owner;

@ -262,7 +262,7 @@ typedef ssize_t (*GSTLSIOW)(gnutls_transport_ptr_t, const void *, size_t);
 */
 - (NSInteger) write: (const void*)buf length: (NSUInteger)len;

-/* For internal use to verify the remmote system's vertificate.
+/* For internal use to verify the remote system's certificate.
 * Returns 0 on success, negative on failure.
 */
 - (int) verify;
--- a/Source/GSTLS.m
+++ b/Source/GSTLS.m
@ -1566,16 +1566,20 @@ retrieve_callback(gnutls_session_t session,
          gnutls_init(&session, GNUTLS_SERVER);
          if (NO == verify)
            {
-              /* We don't want to request/verify the client certificate,
-               * so we mustn't ask the other end to send it.
+              /* We don't want to demand/verify the client certificate,
+               * but we still ask the other end to send it so that higher
+               * level code can see what distinguished names are in it.
               */
              gnutls_certificate_server_set_request(session,
-                GNUTLS_CERT_IGNORE);
+                GNUTLS_CERT_REQUEST);
            }
          else
            {
+              /* We request the client certificate and require them client
+               * end to send it (if not, we don't allow the session).
+               */
              gnutls_certificate_server_set_request(session,
-                GNUTLS_CERT_REQUEST);
+                GNUTLS_CERT_REQUIRE);
            }
        }
      setup = YES;