From 99e6aff5374ebdddd36ebbc8c33f3472692dd07a Mon Sep 17 00:00:00 2001
From: Andy Green
Date: Sun, 15 Mar 2020 04:55:21 +0000
Subject: [PATCH] ss: use system trust store if none given in policy

For general OpenSSL case, we leave connection validity to system trust store bundle to decide; even for mbedtls it may have been passed a bundle externally and we don't want to have to list the x.509 stack explicitly for a server we don't have any control over.

Instead of erroring out, allow the case no trust store is specified, just use vhost[0] and let the system trust store decide if it likes the server's cert or not.

No ABI change.
---
 lib/secure-streams/secure-streams.c | 20 +++++++++-----------
 1 file changed, 9 insertions(+), 11 deletions(-)

diff --git a/lib/secure-streams/secure-streams.c b/lib/secure-streams/secure-streams.c
index 3c8eff3f7..407137f25 100644
--- a/lib/secure-streams/secure-streams.c
+++ b/lib/secure-streams/secure-streams.c
@@ -257,19 +257,17 @@ lws_ss_client_connect(lws_ss_handle_t *h)
 lwsl_info("%s: using tls\n", __func__);
 i.ssl_connection = LCCSCF_USE_SSL;
- if (!h->policy->trust_store) {
- lwsl_err("%s: tls required but no policy trust store\n",
- __func__);
+ if (!h->policy->trust_store)
+ lwsl_info("%s: using platform trust store\n", __func__);
+ else {
- return -1;
- }
+ i.vhost = lws_get_vhost_by_name(h->context,
+ h->policy->trust_store->name);
+ if (!i.vhost) {
+ lwsl_err("%s: missing vh for policy ca\n", __func__);
- i.vhost = lws_get_vhost_by_name(h->context,
- h->policy->trust_store->name);
- if (!i.vhost) {
- lwsl_err("%s: missing vh for policy ca\n", __func__);
-
- return -1;
+ return -1;
+ }
 }
 }
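Review bot: The new `if (!h->policy->trust_store)` branch turns what used to be a hard error into an info-level log and leaves `i.vhost` unassigned, so the trust anchor for this TLS connection is now whatever the default vhost happened to be created with (a CA bundle loaded there, or the backend's platform store) rather than anything the policy states; a policy entry that simply misspells its trust-store key now connects silently instead of failing. On an mbedtls build whose default vhost was created without any CA bundle there is nothing to verify against, and this code path will not notice — that is a fail-open change and deserves at least a warning, `lwsl_warn("%s: no trust_store in policy, relying on default vhost CA / platform store\n", __func__);`, plus a comment next to it stating that the default vhost must carry a usable trust bundle for this fallback to be safe. The `else` branch correctly still returns -1 when the named vhost is missing, so only the fallback branch is less strict than the old code. `lws_ss_client_connect` starts and ends outside this hunk, so I cannot confirm from here that `i` is zeroed before this point (which is what makes a NULL `i.vhost` select vhost[0] as the commit message says); worth checking that the struct is memset at the top of the function.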