From 7cd240f30f011595f02c48075b94da6a21a3b6a0 Mon Sep 17 00:00:00 2001
From: Jeongik Cha
Date: Wed, 30 Oct 2024 22:19:37 +0900
Subject: [PATCH] check if a client certificate exists and is valid, both

It should be SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, but it was only SSL_VERIFY_FAIL_IF_NO_PEER_CERT, so it didn't verify the cert, it only checked its existence. To fix that, turn on both just like openssl-server.c does.
---
 lib/tls/mbedtls/mbedtls-server.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/tls/mbedtls/mbedtls-server.c b/lib/tls/mbedtls/mbedtls-server.c
index a972952b9..0af459ca1 100644
--- a/lib/tls/mbedtls/mbedtls-server.c
+++ b/lib/tls/mbedtls/mbedtls-server.c
@@ -39,7 +39,7 @@ lws_tls_server_client_cert_verify_config(struct lws_vhost *vh)
 }
 if (!lws_check_opt(vh->options, LWS_SERVER_OPTION_PEER_CERT_NOT_REQUIRED))
- verify_options = SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
+ verify_options |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
 lwsl_notice("%s: vh %s requires client cert %d\n", __func__, vh->name, verify_options);
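Review bot: The switch from `=` to `|=` on the changed line only yields the intended SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT if every path through the block that closes at the hunk's first `}` leaves SSL_VERIFY_PEER set in verify_options; that initialization and the preceding block are outside the hunk, so a path that leaves it clear would silently reproduce the existence-only check this commit is meant to remove. Since the commit's stated goal is to match openssl-server.c, it would be safer to state the dependency next to the line, e.g. `/* SSL_VERIFY_PEER must already be set above; FAIL_IF_NO_PEER_CERT alone only checks presence, not validity */`, or to make the combination explicit if the earlier block never intentionally clears SSL_VERIFY_PEER. The lwsl_notice line that follows prints the final flag value, which is useful for confirming the effective mode in logs; it might be worth mentioning in the message that the number is the combined verify flags. lws_tls_server_client_cert_verify_config begins and ends outside this hunk.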