diff --git a/ChangeLog b/ChangeLog
index 29195f7..5f044df 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2012-09-14 1.6.1-dev
+ Bug fixes (security):
+ - When verifying clients, don't consider config blocks with CA
+ settings ('tls') which differ from the one used for verifying the
+ certificate chain. Reported by Ralf Paffrath. (RADSECPROXY-43)
+
+ Bug fixes:
+ - Make naptr-eduroam.sh check NAPTR type case insensitively.
+ Fix from Adam Osuchowski.
+
 2012-04-27 1.6
 Incompatible changes:
 - The default shared secret for TLS and DTLS connections change
diff --git a/tls.c b/tls.c
index ba2c5a3..084c0ce 100644
--- a/tls.c
+++ b/tls.c
@@ -385,6 +385,7 @@ void *tlsservernew(void *arg) {
 SSL_CTX *ctx = NULL;
 unsigned long error;
 struct client *client;
+ struct tls *accepted_tls = NULL;
 s = *(int *)arg;
 if (getpeername(s, (struct sockaddr *)&from, &fromlen)) {
@@ -412,22 +413,23 @@ void *tlsservernew(void *arg) {
 cert = verifytlscert(ssl);
 if (!cert)
 goto exit;
+ accepted_tls = conf->tlsconf;
 }
 while (conf) {
- if (verifyconfcert(cert, conf)) {
- X509_free(cert);
- client = addclient(conf, 1);
- if (client) {
- client->ssl = ssl;
- client->addr = addr_copy((struct sockaddr *)&from);
- tlsserverrd(client);
- removeclient(client);
- } else
- debug(DBG_WARN, "tlsservernew: failed to create new client instance");
- goto exit;
- }
- conf = find_clconf(handle, (struct sockaddr *)&from, &cur);
+ if (accepted_tls == conf->tlsconf && verifyconfcert(cert, conf)) {
+ X509_free(cert);
+ client = addclient(conf, 1);
+ if (client) {
+ client->ssl = ssl;
+ client->addr = addr_copy((struct sockaddr *)&from);
+ tlsserverrd(client);
+ removeclient(client);
+ } else
+ debug(DBG_WARN, "tlsservernew: failed to create new client instance");
+ goto exit;
+ }
+ conf = find_clconf(handle, (struct sockaddr *)&from, &cur);
 }
 debug(DBG_WARN, "tlsservernew: ignoring request, no matching TLS client");
 if (cert)
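Review bot: The new guard `accepted_tls == conf->tlsconf` in the `while (conf)` loop of the second tls.c hunk is the whole security fix, yet nothing in the code says why it is there, so a later cleanup could drop it as redundant; I would add `/* chain was verified against accepted_tls only: never match a client block that uses a different 'tls' (CA) block */` above the `if`. The comparison is by pointer, so it appears to rely on each 'tls' block being one shared `struct tls` object, which this hunk does not show and is worth confirming. The commit touches only tls.c; if the DTLS server path has a similar find_clconf/verifyconfcert loop (not visible here), it would need the same guard. The other twelve re-added lines in the loop appear to differ from the removed ones only in whitespace, which buries the one-line change and makes the fix harder to audit and backport. tlsservernew starts and ends outside both hunks.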