check if a client certificate exists and is valid, both

It should be SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, but it was only SSL_VERIFY_FAIL_IF_NO_PEER_CERT, so it didn't verify the cert, it only checked its existence. To fix that, turn on both just like openssl-server.c does.
2025-03-09 00:00:04 +01:00 · 2024-10-30 22:19:37 +09:00 · 2024-10-30 22:19:37 +09:00 · 7cd240f30f
commit 7cd240f30f
parent 6b950e8666
1 changed files with 1 additions and 1 deletions
--- a/lib/tls/mbedtls/mbedtls-server.c
+++ b/lib/tls/mbedtls/mbedtls-server.c
@ -39,7 +39,7 @@ lws_tls_server_client_cert_verify_config(struct lws_vhost *vh)
 	}

 	if (!lws_check_opt(vh->options, LWS_SERVER_OPTION_PEER_CERT_NOT_REQUIRED))
-		verify_options = SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
+		verify_options |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;

 	lwsl_notice("%s: vh %s requires client cert %d\n", __func__, vh->name,
 		    verify_options);