Don’t set ctx options in the tls client session init function

FreeRADIUS · Mar 14, 2018 · b1ce64e · b1ce64e
1 parent 24b4fb1
commit b1ce64e
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 10 deletions.
diff --git a/src/lib/tls/ctx.c b/src/lib/tls/ctx.c
@@ -490,14 +490,22 @@ SSL_CTX *tls_ctx_alloc(fr_tls_conf_t const *conf, bool client)
 #endif
 #endif
 
-	/*
-	 *	OpenSSL will automatically create certificate chains,
-	 *	unless we tell it to not do that.  The problem is that
-	 *	it sometimes gets the chains right from a certificate
-	 *	signature view, but wrong from the clients view.
-	 */
-	if (!conf->auto_chain) {
-		SSL_CTX_set_mode(ctx, SSL_MODE_NO_AUTO_CHAIN);
+	{
+		int mode = 0;
+
+		/*
+		 *	OpenSSL will automatically create certificate chains,
+		 *	unless we tell it to not do that.  The problem is that
+		 *	it sometimes gets the chains right from a certificate
+		 *	signature view, but wrong from the clients view.
+		 */
+		if (!conf->auto_chain) mode |= SSL_MODE_NO_AUTO_CHAIN;
+
+		if (client) {
+			mode |= SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER;
+			mode |= SSL_MODE_AUTO_RETRY;
+		}
+		SSL_CTX_set_mode(ctx, mode);
 	}
 
 	/* Set Info callback */

diff --git a/src/lib/tls/session.c b/src/lib/tls/session.c
@@ -1471,8 +1471,6 @@ tls_session_t *tls_session_init_client(TALLOC_CTX *ctx, fr_tls_conf_t *conf)
 	session->ctx = conf->ctx[(conf->ctx_count == 1) ? 0 : conf->ctx_next++ % conf->ctx_count];	/* mutex not needed */
 	rad_assert(session->ctx);
 
-	SSL_CTX_set_mode(session->ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_AUTO_RETRY);
-
 	session->ssl = SSL_new(session->ctx);
 	if (!session->ssl) {
 		talloc_free(session);