mbedtls: add support for optional peer certificate

Check for LWS_SERVER_OPTION_PEER_CERT_NOT_REQUIRED...

AG: Fix missing stanza needed to confirm client cert needed at all

Signed-off-by: Petar Paradzik <petar.paradzik@sartura.hr>

lib/tls/mbedtls/server.c

@@ -25,7 +25,18 @@ int
 lws_tls_server_client_cert_verify_config(struct lws_context_creation_info *info,
 					 struct lws_vhost *vh)
 {
-	SSL_CTX_set_verify(vh->ssl_ctx, SSL_VERIFY_PEER, NULL);
+	int verify_options = SSL_VERIFY_PEER;
+
+	/* as a server, are we requiring clients to identify themselves? */
+
+	if (!lws_check_opt(info->options,
+			  LWS_SERVER_OPTION_REQUIRE_VALID_OPENSSL_CLIENT_CERT))
+		return 0;
+
+	if (lws_check_opt(info->options, LWS_SERVER_OPTION_PEER_CERT_NOT_REQUIRED))
+		verify_options = SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
+
+	SSL_CTX_set_verify(vh->ssl_ctx, verify_options, NULL);
 
 	return 0;
 }