Commit 2e8337de248ef0b5b48cbb2964da0d5c3f28b15b introduced a new feature for using other SSL certificate fields for authentication than the CN field.
This commit introduced a bug, which made the verify_callback() function get called even if --client-cert-not-required was enabled in the config. The reason for this was that an 'else' statement was lacking a couple of curly braces. The offending commit in reality moved the setup of the verify_callback() function out of the 'else' statement. Report-URL: https://community.openvpn.net/openvpn/ticket/108 Report-URL: https://forums.openvpn.net/topic7751.html Signed-off-by: David Sommerseth <dav...@redhat.com> --- ssl.c | 10 ++++++---- 1 files changed, 6 insertions(+), 4 deletions(-) diff --git a/ssl.c b/ssl.c index ed10714..6d9a9fd 100644 --- a/ssl.c +++ b/ssl.c @@ -1874,13 +1874,15 @@ init_ssl (const struct options *options) } else #endif + { #ifdef ENABLE_X509ALTUSERNAME - x509_username_field = (char *) options->x509_username_field; + x509_username_field = (char *) options->x509_username_field; #else - x509_username_field = X509_USERNAME_FIELD_DEFAULT; + x509_username_field = X509_USERNAME_FIELD_DEFAULT; #endif - SSL_CTX_set_verify (ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, - verify_callback); + SSL_CTX_set_verify (ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, + verify_callback); + } /* Connection information callback */ SSL_CTX_set_info_callback (ctx, info_callback); -- 1.7.4
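Review bot: the root cause is the brace-less `else` that sits between `}` and `#endif` at the top of the hunk, so that once the `#ifdef ENABLE_X509ALTUSERNAME` block was inserted the `else` only bound the first statement and `SSL_CTX_set_verify (ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback);` became unconditional; the added `+ {` / `+ }` pair restores the intended scope, but because the `else` keyword itself remains inside a preprocessor conditional the same detachment can recur, so consider marking the opening brace with a short comment (e.g. `{ /* else: require and verify the client certificate */`) and keeping the braces even if the `#ifdef` is later removed. The hunk does not show what the `if` branch above it does with the verify mode; a reviewer should confirm from the surrounding code that the `--client-cert-not-required` path sets the SSL verify mode explicitly rather than relying on the context default, since this fix only guarantees that the peer-cert requirement is no longer applied in that path.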