mirror of https://github.com/warmcat/libwebsockets.git synced 2025-03-30 00:00:16 +01:00

mbedtls-server: Fix broken client verification

This fixes clients being able to connect with a certificate that was not
signed by the configured CA when SSL_VERIFY_FAIL_IF_NO_PEER_CERT is set.

The issue only appeared when a client connects via IP address directly and
not using a hostname.

When the hostname was used to connect, the SNI callback 'lws_mbedtls_sni_cb'
overwrote the invalid verify mode of
MBEDTLS_SSL_VERIFY_OPTIONAL with MBEDTLS_SSL_VERIFY_REQUIRED by
calling SSL_set_SSL_CTX.

Signed-off-by: Daniel Danzberger <daniel@dd-wrt.com>
This commit is contained in:
Daniel Danzberger 2023-06-05 21:24:59 +02:00 committed by Andy Green
parent 7ef2065fdf
commit 4144c1e61b
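The mode mapping the commit message describes, as an added example that is not libwebsockets code: `authmode_before` reproduces the pre-fix translation of OpenSSL-style verify flags into an mbedTLS authmode, and `authmode_after` is a hypothetical hardened version that goes beyond the commit by treating the flags as the bitmask OpenSSL defines them as and by failing closed on anything unrecognised. The numeric values of the constants mirror the real OpenSSL and mbedTLS headers but are defined locally so the example compiles without either library; `accepts_unverified_client` is a helper invented here to make the consequence of an OPTIONAL or NONE mapping visible.

```c
#include <stdio.h>

/* Added example, not libwebsockets code. The constants below mirror the
 * numeric values of the OpenSSL verify flags and the mbedTLS authmode
 * enum so the example compiles without either library installed. */
#define SSL_VERIFY_NONE                 0x00
#define SSL_VERIFY_PEER                 0x01
#define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02
#define SSL_VERIFY_CLIENT_ONCE          0x04

#define MBEDTLS_SSL_VERIFY_NONE     0
#define MBEDTLS_SSL_VERIFY_OPTIONAL 1
#define MBEDTLS_SSL_VERIFY_REQUIRED 2
#define MBEDTLS_SSL_VERIFY_UNSET    3

/* The mapping as it read before the commit: FAIL_IF_NO_PEER_CERT became
 * OPTIONAL. In mbedTLS, OPTIONAL means the handshake completes even when
 * certificate verification fails and the caller is expected to consult
 * mbedtls_ssl_get_verify_result() afterwards, which nothing here did. */
int authmode_before(int verify_mode)
{
    if (verify_mode == SSL_VERIFY_PEER)
        return MBEDTLS_SSL_VERIFY_REQUIRED;
    if (verify_mode == SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
        return MBEDTLS_SSL_VERIFY_OPTIONAL;
    if (verify_mode == SSL_VERIFY_CLIENT_ONCE)
        return MBEDTLS_SSL_VERIFY_UNSET;
    return MBEDTLS_SSL_VERIFY_NONE;
}

/* Hypothetical hardened mapping (goes beyond the commit): OpenSSL verify
 * flags are a bitmask and are routinely OR'd together, so test bits rather
 * than whole-value equality, and let any mode that asks for peer
 * verification fail closed on REQUIRED. Only an explicit NONE disables
 * verification; an unknown flag never falls through to NONE. CLIENT_ONCE
 * on its own keeps the UNSET mapping the page shows, for parity. */
int authmode_after(int verify_mode)
{
    if (verify_mode == SSL_VERIFY_NONE)
        return MBEDTLS_SSL_VERIFY_NONE;
    if (verify_mode & (SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
        return MBEDTLS_SSL_VERIFY_REQUIRED;
    if (verify_mode & SSL_VERIFY_CLIENT_ONCE)
        return MBEDTLS_SSL_VERIFY_UNSET;
    return MBEDTLS_SSL_VERIFY_REQUIRED; /* unknown flag: fail closed */
}

/* 1 if, under the given mapping, a client presenting a certificate the
 * configured CA did not sign would still get through the handshake. */
int accepts_unverified_client(int (*map)(int), int verify_mode)
{
    int m = map(verify_mode);
    return m == MBEDTLS_SSL_VERIFY_OPTIONAL || m == MBEDTLS_SSL_VERIFY_NONE;
}

int main(void)
{
    int modes[] = { SSL_VERIFY_PEER, SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
                    SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT };
    for (unsigned i = 0; i < sizeof modes / sizeof modes[0]; i++)
        printf("verify_mode=0x%x accepts_unverified before=%d after=%d\n",
               modes[i],
               accepts_unverified_client(authmode_before, modes[i]),
               accepts_unverified_client(authmode_after, modes[i]));
    return 0;
}
```

The third mode in `main`, `SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT`, is the combination OpenSSL documents for mandatory client certificates; with equality tests it matches no branch and lands on NONE, which is the kind of silent fall-through a bitmask mapping avoids.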


@ -251,9 +251,9 @@ static int ssl_pm_reload_crt(SSL *ssl)
struct x509_pm *crt_pm = (struct x509_pm *)ssl->cert->x509->x509_pm;
if (ssl->verify_mode == SSL_VERIFY_PEER)
mode = MBEDTLS_SSL_VERIFY_REQUIRED;
else if (ssl->verify_mode == SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
else if (ssl->verify_mode == SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
mode = MBEDTLS_SSL_VERIFY_REQUIRED;
else if (ssl->verify_mode == SSL_VERIFY_CLIENT_ONCE)
mode = MBEDTLS_SSL_VERIFY_UNSET;
else
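Review bot: the fix changes the right constant, but the chain still compares `ssl->verify_mode` for whole-value equality against single flags, so the combination OpenSSL documents for mandatory client certificates, `SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT`, matches neither `== SSL_VERIFY_PEER` nor `== SSL_VERIFY_FAIL_IF_NO_PEER_CERT` and drops to the final `else`. Consider testing bits instead, e.g. `if (ssl->verify_mode & (SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) mode = MBEDTLS_SSL_VERIFY_REQUIRED;`, so a stricter request can never map to a weaker authmode. Since the commit message notes the bug was masked whenever `lws_mbedtls_sni_cb` ran, a regression test that connects by IP address (no SNI) with a certificate not signed by the configured CA would keep this path covered.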