From 09b7f39e8655f446fd7b3ed7c69f4193ce4a8711 Mon Sep 17 00:00:00 2001
From: Jean Flach
Date: Tue, 9 Feb 2016 15:55:12 +0100
Subject: [PATCH] Fix client not closing connections
fixes #11122
---
 lib/remote/apilistener.cpp | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)
diff --git a/lib/remote/apilistener.cpp b/lib/remote/apilistener.cpp
index 3c53c04ea..60498c7cc 100644
--- a/lib/remote/apilistener.cpp
+++ b/lib/remote/apilistener.cpp
@@ -321,16 +321,24 @@ void ApiListener::NewClientHandlerInternal(const Socket::Ptr& client, const Stri
 return;
 }
- if (!hostname.IsEmpty() && identity != hostname) {
- Log(LogInformation, "ApiListener")
- << "Unexpected certificate common name while connecting to endpoint '" << hostname << "': got '" << identity << "'";
- return;
- }
-
 verify_ok = tlsStream->IsVerifyOK();
+ if (!hostname.IsEmpty()) {
+ if (identity != hostname) {
+ Log(LogWarning, "ApiListener")
+ << "Unexpected certificate common name while connecting to endpoint '"
+ << hostname << "': got '" << identity << "'";
+ return;
+ } else if (!verify_ok) {
+ Log(LogWarning, "ApiListener")
+ << "Peer certificate for endpoint '" << hostname
+ << "' is not signed by the certificate authority.";
+ return;
+ }
+ }
 Log(LogInformation, "ApiListener")
- << "New client connection for identity '" << identity << "'" << (verify_ok ? "" : " (unauthenticated)");
+ << "New client connection for identity '" << identity << "'"
+ << (verify_ok ? "" : " (client certificate not signed by CA)");
 if (verify_ok)
 endpoint = Endpoint::GetByName(identity);
-- 
2.40.0
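Review bot: In the new `if (!hostname.IsEmpty())` block the common-name comparison runs before `verify_ok` is consulted, so a peer whose certificate is both unsigned and carries a different CN is logged as a name mismatch and the CA failure is never reported. Testing the chain first, `if (!verify_ok) {` … `} else if (identity != hostname) {`, makes the warning name the more fundamental failure, and both branches still return. `identity` in these messages comes from the peer's certificate and is unauthenticated input wherever `verify_ok` is false, so it is worth confirming that `Log` neutralises control characters before the value reaches the log file. The path with an empty `hostname` still continues when `verify_ok` is false, which looks deliberate but deserves a comment such as `// no endpoint is bound unless the certificate chain verified`. The function begins and ends outside the hunk, so whether the early returns release `tlsStream` cannot be seen here.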