Prevent KSSL server from requesting a client certificate.

Submitted by Jeffrey Altman <jaltman@columbia.edu>

ssl/kssl.c

@@ -1909,10 +1909,13 @@ krb5_error_code  kssl_check_authent(
 	if (authentp == NULL  ||  authentp->length == 0)  return 0;
 
 #ifdef KSSL_DEBUG
+        {
+        unsigned int ui;
 	printf("kssl_check_authent: authenticator[%d]:\n",authentp->length);
 	p = authentp->data; 
-	for (padl=0; padl < authentp->length; padl++)  printf("%02x ",p[padl]);
+	for (ui=0; ui < authentp->length; ui++)  printf("%02x ",p[ui]);
 	printf("\n");
+        }
 #endif	/* KSSL_DEBUG */
 
 	unencbufsize = 2 * authentp->length;

ssl/s3_srvr.c

@@ -311,7 +311,9 @@ int ssl3_accept(SSL *s)
 				((s->s3->tmp.new_cipher->algorithms & SSL_aNULL) &&
 				 /* ... except when the application insists on verification
 				  * (against the specs, but s3_clnt.c accepts this for SSL 3) */
-				 !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)))
+				 !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
+                                 /* never request cert in Kerberos ciphersuites */
+                                (s->s3->tmp.new_cipher->algorithms & SSL_aKRB5))
 				{
 				/* no cert request */
 				skip=1;

ssl/t1_enc.c

@@ -493,7 +493,7 @@ int tls1_enc(SSL *s, int send)
 
 #ifdef KSSL_DEBUG
 		{
-                unsigned long i;
+                unsigned long ui;
 		printf("EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n",
                         ds,rec->data,rec->input,l);
 		printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n",
@@ -504,7 +504,7 @@ int tls1_enc(SSL *s, int send)
 		for (i=0; i<ds->cipher->iv_len; i++) printf("%02X", ds->iv[i]);
 		printf("\n");
 		printf("\trec->input=");
-		for (i=0; i<l; i++) printf(" %02x", rec->input[i]);
+		for (ui=0; ui<l; ui++) printf(" %02x", rec->input[ui]);
 		printf("\n");
 		}
 #endif	/* KSSL_DEBUG */