mbedtls: server: enforce client cert check when vhost requires

2025-03-09 00:00:04 +01:00 · 2021-05-23 08:17:25 +01:00 · 2021-05-23 08:17:25 +01:00 · 16328b1918
commit 16328b1918
parent 8ebe1d9323
3 changed files with 5 additions and 12 deletions
--- a/lib/tls/mbedtls/mbedtls-server.c
+++ b/lib/tls/mbedtls/mbedtls-server.c
@ -38,15 +38,7 @@ lws_tls_server_client_cert_verify_config(struct lws_vhost *vh)
 		return 0;
 	}

-	/*
-	 * The wrapper has this messed-up mapping:
-	 *
-	 * 	   else if (ctx->verify_mode == SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
-	 *     mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
-	 *
-	 * ie the meaning is inverted.  So where we should test for ! we don't
-	 */
-	if (lws_check_opt(vh->options, LWS_SERVER_OPTION_PEER_CERT_NOT_REQUIRED))
+	if (!lws_check_opt(vh->options, LWS_SERVER_OPTION_PEER_CERT_NOT_REQUIRED))
 		verify_options = SSL_VERIFY_FAIL_IF_NO_PEER_CERT;

 	lwsl_notice("%s: vh %s requires client cert %d\n", __func__, vh->name,
--- a/lib/tls/mbedtls/wrapper/platform/ssl_pm.c
+++ b/lib/tls/mbedtls/wrapper/platform/ssl_pm.c
@ -234,7 +234,7 @@ static int ssl_pm_reload_crt(SSL *ssl)
    if (ssl->verify_mode == SSL_VERIFY_PEER)
        mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
    else if (ssl->verify_mode == SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
-        mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
+        mode = MBEDTLS_SSL_VERIFY_REQUIRED;
    else if (ssl->verify_mode == SSL_VERIFY_CLIENT_ONCE)
        mode = MBEDTLS_SSL_VERIFY_UNSET;
    else
@ -935,10 +935,11 @@ void SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx)
 	ssl->cert = __ssl_cert_new(ctx->cert);

 #if defined(LWS_HAVE_mbedtls_ssl_set_hs_authmode)
+
 	if (ctx->verify_mode == SSL_VERIFY_PEER)
 		mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
 	else if (ctx->verify_mode == SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
-		mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
+		mode = MBEDTLS_SSL_VERIFY_REQUIRED;
 	else if (ctx->verify_mode == SSL_VERIFY_CLIENT_ONCE)
 		mode = MBEDTLS_SSL_VERIFY_UNSET;
 	else
--- a/minimal-examples/http-server/minimal-http-server-smp/minimal-http-server-smp.c
+++ b/minimal-examples/http-server/minimal-http-server-smp/minimal-http-server-smp.c
@ -108,7 +108,7 @@ int main(int argc, const char **argv)

 #if defined(LWS_WITH_TLS)
 	if (lws_cmdline_option(argc, argv, "-s")) {
-		info.options = LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT | LWS_SERVER_OPTION_REQUIRE_VALID_OPENSSL_CLIENT_CERT;
+		info.options = LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT;
 		info.ssl_cert_filepath = "localhost-100y.cert";
 		info.ssl_private_key_filepath = "localhost-100y.key";
 	}