Add SRP and PSK to disallowed CertificateRequest ciphersuites There was a discrepancy between what ciphersuites we allowed to send a CertificateRequest, and what ciphersuites we allowed to receive one. So add PSK and SRP to the disallowed ones. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>

commit: b7fa1f989d0059ad7b992c11797f37f095d61204 [log] [tgz]
author: Matt Caswell <matt@openssl.org> Mon Oct 26 23:11:44 2015 +0000
committer: Matt Caswell <matt@openssl.org> Fri Oct 30 08:39:47 2015 +0000
tree: 356b00fb0e793ebe6a43c184598b99c318751dc2
parent: bb3e20cf8c5e733c16fe68ce41f67eea5a2a520e [diff] [blame]
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 2ad41f5..c9d760f 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c

@@ -182,8 +182,9 @@
 static inline int cert_req_allowed(SSL *s)
 {
     /* TLS does not like anon-DH with client cert */
-    if (s->version > SSL3_VERSION
-            && (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL))
+    if ((s->version > SSL3_VERSION
+                && (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL))
+            || (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aSRP | SSL_aPSK)))
         return 0;
 
     return 1;
commit	b7fa1f989d0059ad7b992c11797f37f095d61204	[log] [tgz]
author	Matt Caswell <matt@openssl.org>	Mon Oct 26 23:11:44 2015 +0000
committer	Matt Caswell <matt@openssl.org>	Fri Oct 30 08:39:47 2015 +0000
tree	356b00fb0e793ebe6a43c184598b99c318751dc2
parent	bb3e20cf8c5e733c16fe68ce41f67eea5a2a520e [diff] [blame]