From 44208455f61fe2e8644c080625f286e8f3bef9d6 Mon Sep 17 00:00:00 2001
From: vishalnayak
Date: Tue, 1 Mar 2016 16:43:51 -0500
Subject: [PATCH] continue if non-CA policy is not found

---
 builtin/credential/cert/path_login.go | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/builtin/credential/cert/path_login.go b/builtin/credential/cert/path_login.go
index 2ecdbdd46..6ad76c6f8 100644
--- a/builtin/credential/cert/path_login.go
+++ b/builtin/credential/cert/path_login.go
@@ -140,8 +140,10 @@ func (b *backend) verifyCredentials(req *logical.Request) (*ParsedCert, *logical
 // If trustedNonCAs is not empty it means that client had registered a non-CA cert
 // with the backend.
 if len(trustedNonCAs) != 0 {
- // Match the trusted chain with the policy
- return b.matchNonCAPolicy(connState.PeerCertificates[0], trustedNonCAs), nil, nil
+ policy := b.matchNonCAPolicy(connState.PeerCertificates[0], trustedNonCAs)
+ if policy != nil {
+ return policy, nil, nil
+ }
 }

 // Validate the connection state is trusted
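Review bot: The nil-policy branch in `verifyCredentials` now falls through silently to the CA chain validation below, and the only comment inside the block was removed, so this change to the authentication decision is undocumented. I would add above the new check something like `// No registered non-CA cert matched; fall through to CA chain validation instead of rejecting the login.` `connState.PeerCertificates[0]` is indexed without a length check visible in the hunk; the function starts outside the hunk, so confirm an earlier guard rejects a connection that presents no client certificate. Because a match returns a policy before any chain validation runs, it is also worth confirming that `matchNonCAPolicy` (not shown here) compares the full certificate rather than a single field.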