From 869b2e79c9ff30e6144dddc6562522a90c73bb14 Mon Sep 17 00:00:00 2001
From: beck <>
Date: Wed, 9 Sep 2015 19:23:04 +0000
Subject: Add client certificate support.

Still needs a few tweaks but this will ride upcoming minor bump ok jsing@
---
 src/lib/libtls/tls_server.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
(limited to 'src/lib/libtls/tls_server.c')
diff --git a/src/lib/libtls/tls_server.c b/src/lib/libtls/tls_server.c
index 190682e630..6f8daa0aca 100644
--- a/src/lib/libtls/tls_server.c
+++ b/src/lib/libtls/tls_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_server.c,v 1.11 2015/09/09 14:32:06 jsing Exp $ */
+/* $OpenBSD: tls_server.c,v 1.12 2015/09/09 19:23:04 beck Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing
  *
@@ -60,8 +60,15 @@ tls_configure_server(struct tls *ctx)
 if (tls_configure_ssl(ctx) != 0)
 goto err;
- if (tls_configure_keypair(ctx) != 0)
+ if (tls_configure_keypair(ctx, 1) != 0)
 goto err;
+ if (ctx->config->verify_client != 0) {
+ int verify = SSL_VERIFY_PEER;
+ if (ctx->config->verify_client == 1)
+ verify |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
+ if (tls_configure_ssl_verify(ctx, verify) == -1)
+ goto err;
+ }
 if (ctx->config->dheparams == -1)
 SSL_CTX_set_dh_auto(ctx->ssl_ctx, 1);
-- 
cgit v1.2.3-55-g6feb
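Review bot: The new verify_client block in the second hunk relies on magic values — 1 means a client certificate is required, any other non-zero value means one is requested but a client may still complete the handshake without presenting one — and nothing in the hunk records that, so a reader may assume SSL_VERIFY_PEER alone rejects anonymous clients. A comment such as `/* verify_client: 1 = require a client cert; other non-zero = request one but allow none */` above the `if` would make the optional case explicit; callers using that mode presumably have to check for a peer certificate themselves after the handshake (confirm against tls_configure_ssl_verify, which is outside this hunk). The check `tls_configure_ssl_verify(ctx, verify) == -1` also departs from the `!= 0` convention used by the two calls directly above it; `!= 0` would keep the error handling uniform if that function follows the same return convention. The literal `1` passed to tls_configure_keypair is similarly unexplained and would benefit from a short comment naming what it selects. tls_configure_server continues outside the hunk.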