Fix bug 68869. Don't ignore TLS no certificate messages when the server

requires client auth.  Work around bug in NT TCP stack by only shutting
down the socket for SEND (not for BOTH) after sending a bad_certificate
alert.  This avoids bogus CONNECTION_RESET_BY_PEER errors at the client.


git-svn-id: svn://10.0.0.236/trunk@97079 18797224-902f-48f8-a5cc-f745e15eee43
nelsonb%netscape.com 2001-06-13 21:14:54 +00:00
parent 624e29aa9c
commit eb9c042167


@ -33,7 +33,7 @@
* may use your version of this file under either the MPL or the
* GPL.
*
* $Id: ssl3con.c,v 1.20 2001-06-05 00:26:37 nelsonb%netscape.com Exp $
* $Id: ssl3con.c,v 1.21 2001-06-13 21:14:54 nelsonb%netscape.com Exp $
*/
#include "nssrenam.h"
@ -1571,7 +1571,11 @@ ssl3_HandleNoCertificate(sslSocket *ss)
SSL3_SendAlert(ss, alert_fatal, bad_certificate);
lower = ss->fd->lower;
#ifdef _WIN32
lower->methods->shutdown(lower, PR_SHUTDOWN_SEND);
#else
lower->methods->shutdown(lower, PR_SHUTDOWN_BOTH);
#endif
PORT_SetError(SSL_ERROR_NO_CERTIFICATE);
return SECFailure;
}
@ -6309,6 +6313,10 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
/* This is TLS's version of a no_certificate alert. */
/* I'm a server. I've requested a client cert. He hasn't got one. */
rv = ssl3_HandleNoCertificate(ss);
if (rv != SECSuccess) {
errCode = PORT_GetError();
goto loser;
}
goto cert_block;
}
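Review bot: The new `#ifdef _WIN32` branch in ssl3_HandleNoCertificate has no comment, so the reason for the platform split lives only in the commit message; I would add above it `/* Work around NT TCP stack bug (68869): shutting down BOTH gives the client a bogus CONNECTION_RESET_BY_PEER; shut down SEND only. */`. On Windows the receive side now stays open after the fatal bad_certificate alert, so ending the connection depends on each caller acting on the SECFailure return, which the added `if (rv != SECSuccess)` check in ssl3_HandleCertificate does. Other callers of ssl3_HandleNoCertificate are not visible here and should be confirmed to propagate the failure the same way, since a caller that ignores it would let the handshake continue without the required client certificate. The result of `shutdown` is discarded in both branches, which is probably acceptable as best-effort on a path that already fails, but a `(void)` cast would make that explicit. Both functions begin outside their hunks and the `loser` label is not shown, so what happens after `goto loser` could not be checked from this page.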