sasl and ssl configuration
Kenichi Okada
okada at opaopa.org
Thu Feb 8 11:32:52 UTC 2001
In the message <Phillip_Villaume at sandy.pool-48.oops.inka.de>
Sven Paulus <sven at karlsruhe.org> at news.software.nntp wrote:
> Russell Virgilio <russ at gatech.edu> wrote:
|> The certificate request comes from the server, so how do I
|> avoid the cert request? (This is strictly a "ease of user use"
|> question)
> Go to nnrpd/tls.c and look for
> peer = SSL_get_peer_certificate(tls_conn);
>
> change this line to
> peer = NULL;
>
> and recompile nnrpd. I don't know why the nnrpd code includes this
> request, since there is no infrastructure for dealing with client
> certificates (that means doing authentication based on certificates),
> it just logs the data received.
It is trial code for a future feature. It is not needed now. Please commit the following patch.
--
Kenichi Okada
mailto:okada at opaopa.org
diff -c inn-CURRENT-20010207-orig/nnrpd/tls.c inn-CURRENT-20010207/nnrpd/tls.c
*** inn-CURRENT-20010207-orig/nnrpd/tls.c Wed Feb 7 19:01:01 2001
--- inn-CURRENT-20010207/nnrpd/tls.c Thu Feb 8 20:22:36 2001
***************
*** 456,462 ****
unsigned int n;
SSL_SESSION *session;
SSL_CIPHER *cipher;
- X509 *peer;
if (!tls_serverengine)
{
--- 456,461 ----
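Review bot: with `X509 *peer;` removed, the `unsigned int n;` kept as context at the top of this hunk has no remaining user in the visible diff: its only use was `X509_digest(peer, EVP_md5(), md, &n)` in the block removed in the next hunk, so it will now draw an unused-variable warning. Drop it in the same patch, and check the declarations this diff does not show (`md`, `j`, `peer_subject`, `peer_issuer`, `fingerprint`, `peer_CN`, `issuer_CN`) for the same condition, since every one of them appears only inside the removed block.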
***************
*** 523,578 ****
if (tls_loglevel < 4)
do_dump = 0;
- /*
- * Lets see, whether a peer certificate is availabe and what is
- * the actual information. We want to save it for later use.
- */
- peer = SSL_get_peer_certificate(tls_conn);
-
- if (peer != NULL) {
-
- syslog(L_ERROR,"GOT CLIENT CERTIFICATE!!!\n");
-
- X509_NAME_oneline(X509_get_subject_name(peer),
- peer_subject, CCERT_BUFSIZ);
- if (tls_loglevel >= 2)
- Printf("subject=%s", peer_subject);
-
- syslog(L_ERROR, "subject=%s", peer_subject);
- tls_peer_subject = peer_subject;
- X509_NAME_oneline(X509_get_issuer_name(peer),
- peer_issuer, CCERT_BUFSIZ);
- if (tls_loglevel >= 2)
- Printf("issuer=%s", peer_issuer);
- tls_peer_issuer = peer_issuer;
- if (X509_digest(peer, EVP_md5(), md, &n)) {
- for (j = 0; j < (int) n; j++)
- {
- fingerprint[j * 3] = hexcodes[(md[j] & 0xf0) >> 4];
- fingerprint[(j * 3) + 1] = hexcodes[(md[j] & 0x0f)];
- if (j + 1 != (int) n)
- fingerprint[(j * 3) + 2] = '_';
- else
- fingerprint[(j * 3) + 2] = '\0';
- }
- if (tls_loglevel >= 2)
- Printf("fingerprint=%s", fingerprint);
- syslog(L_ERROR,"fingerprint=%s", fingerprint);
- tls_peer_fingerprint = fingerprint;
- }
- X509_NAME_get_text_by_NID(X509_get_subject_name(peer),
- NID_commonName, peer_CN, CCERT_BUFSIZ);
- tls_peer_CN = peer_CN;
- X509_NAME_get_text_by_NID(X509_get_issuer_name(peer),
- NID_commonName, issuer_CN, CCERT_BUFSIZ);
- if (tls_loglevel >= 3)
- Printf("subject_CN=%s, issuer_CN=%s", peer_CN, issuer_CN);
-
- syslog(L_ERROR,"subject_CN=%s, issuer_CN=%s", peer_CN, issuer_CN);
-
- tls_issuer_CN = issuer_CN;
- /* xxx X509_free(peer);*/
- }
tls_protocol = SSL_get_version(tls_conn);
cipher = SSL_get_current_cipher(tls_conn);
--- 522,527 ----
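Review bot: removing the SSL_get_peer_certificate() call and its logging does not answer the question that started this thread (stopping nnrpd from sending a CertificateRequest). Whether the server asks the client for a certificate is decided by the verify mode set on the SSL_CTX, and nothing in this hunk touches that; if the request itself is to go away, the verify-mode setup elsewhere in tls.c has to use SSL_VERIFY_NONE, which would be a separate change. Two things to settle alongside this removal: the assignments to tls_peer_subject, tls_peer_issuer, tls_peer_fingerprint, tls_peer_CN and tls_issuer_CN are the only writes to those variables visible here, so any remaining reader will now see only their initial values and their declarations should go if nothing else uses them; and the old block never released the reference it obtained (`/* xxx X509_free(peer);*/`), so this removal also closes a per-connection leak, and any future reinstatement must call X509_free(peer) once the fields have been copied out.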
More information about the inn-patches mailing list