authorjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>2009-10-25 15:51:04 +0000
committerjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>2009-10-25 15:51:04 +0000
commitec4a500bb4f0c642fb4e013387d97aab3c516372 (patch)
treec56bc3a8991d0afe025e946f8a6b61296487dde7 /multi.c
parent0c7168e259036d9c9e7571d5a3e2bfecde67c9bd (diff)
On server, lock client-provided certs against mid-session TLS
renegotiations -- this is similar to how the common name is also locked. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5105 e7ae566f-a301-0410-adde-c780ea21d3b5
Diffstat (limited to 'multi.c')
-rw-r--r--multi.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/multi.c b/multi.c
index 7f77cb8..7ea64b4 100644
--- a/multi.c
+++ b/multi.c
@@ -1458,8 +1458,9 @@ multi_connection_established (struct multi_context *m, struct multi_instance *mi
ASSERT (mi->context.c1.tuntap);
- /* lock down the common name so it can't change during future TLS renegotiations */
+ /* lock down the common name and cert hashes so they can't change during future TLS renegotiations */
tls_lock_common_name (mi->context.c2.tls_multi);
+ tls_lock_cert_hash_set (mi->context.c2.tls_multi);
/* generate a msg() prefix for this client instance */
generate_prefix (mi);
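Review bot: The updated comment above `tls_lock_cert_hash_set (mi->context.c2.tls_multi);` does not say which state is frozen or what happens when the client presented no certificate at initial authentication. If the lock is a no-op in that case (not visible in this hunk), a certificate first presented during a later renegotiation may have nothing to be compared against, so that case should be stated or checked explicitly. I would extend the comment to something like `/* lock the CN and cert hashes seen at initial auth; a renegotiation presenting different ones must be rejected (no-client-cert case: TODO document) */`. Nothing at the call site shows whether either lock call can fail. The body of multi_connection_established starts and ends outside the hunk, so confirm against the full function that both locks run before any renegotiation can be processed.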