Author: Carlos Soto <carlos.soto at terra.es>
Variable common_name can be blank in client-connect script
If a server is configured with auth-user-pass-optional and
username-as-common-name it is possible that the auth-user-pass-verify script
will validate a connection with no username as it is optional. In that case
the common_name becomes blank and client-connect script may fail because it
does not have a value for the common name. I think that the common name
should never be blank so in cases where the username is blank and the
username-as-common-name option is enabled, the common_name should keep its
original value.
diff --git a/ssl.c b/ssl.c
index a1268ac..381ab07 100644
--- a/ssl.c
+++ b/ssl.c
@@ -3718,7 +3718,7 @@ key_method_2_read (struct buffer *buf, struct
tls_multi *multi, struct tls_sessi
if (man_def_auth != KMDA_UNDEF)
ks->auth_deferred = true;
#endif
- if ((session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME))
+ if ((session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) &&
(strlen (up->username)))
set_common_name (session, up->username);
#ifdef ENABLE_DEF_AUTH
msg (D_HANDSHAKE, "TLS: Username/Password authentication %s for
username '%s' %s",
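Review bot: On the changed `if`, `strlen (up->username)` is used as a bare truth value and only filters out the empty string, so a username consisting solely of whitespace would still replace the common name; writing the test as `strlen (up->username) > 0` (or `up->username[0] != '\0'`) makes the intent explicit, and it is worth deciding whether blank-looking usernames should be rejected as well. When the condition is false the session silently keeps its original common name, while the `msg (D_HANDSHAKE, ...)` line that follows still reports the username, so a short log message stating that the fallback was taken would help anyone debugging a client-connect script. The behaviour change for username-as-common-name with an empty username also deserves a sentence in the option's documentation. Separately, the patch as posted is line-wrapped (the `@@` header, the continuation of the `+` line and the `msg` format string are each split across two lines), so it needs to be resent unwrapped before it will apply.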