Commit 3682c935 authored by Linus Nordberg's avatar Linus Nordberg Committed by Linus Nordberg
Browse files

Don't mix up pre- and post-handshake verification of DTLS clients.

Commit db965c9b addressed TLS clients only.

When verifying DTLS clients, don't consider config blocks with CA
settings ('tls') which differ from the one used for verifying the
certificate chain.

Original issue reported and analysed by Ralf Paffrath. DTLS being
vulnerable reported by Raphael Geisser.

Addresses issue RADSECPROXY-43, CVE-2012-4523.
parent b04eb90f
2012-10-22 1.6.2-dev
Bug fixes (security):
- Fix the issue with verification of clients when using multiple
'tls' config blocks (RADSECPROXY-43) for DTLS too. Reported by
Raphael Geisser.
2012-09-14 1.6.1
Bug fixes (security):
- When verifying clients, don't consider config blocks with CA
......@@ -354,6 +354,7 @@ void *dtlsservernew(void *arg) {
X509 *cert = NULL;
SSL_CTX *ctx = NULL;
uint8_t delay = 60;
struct tls *accepted_tls = NULL;
debug(DBG_DBG, "dtlsservernew: starting");
conf = find_clconf(handle, (struct sockaddr *)&params->addr, NULL);
......@@ -367,10 +368,11 @@ void *dtlsservernew(void *arg) {
cert = verifytlscert(ssl);
if (!cert)
goto exit;
accepted_tls = conf->tlsconf;
while (conf) {
if (verifyconfcert(cert, conf)) {
if (accepted_tls == conf->tlsconf && verifyconfcert(cert, conf)) {
client = addclient(conf, 1);
if (client) {
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment