From cf2ed9f758407827e772ad9ade89d4cd4767e060 Mon Sep 17 00:00:00 2001
From: Andy Green
Date: Mon, 16 Mar 2020 16:59:17 +0000
Subject: [PATCH] ss: use system trust store if none given in policy

For general OpenSSL case, we leave connection validity to system trust store bundle to decide; even for mbedtls it may have been passed a bundle externally and we don't want to have to list the x.509 stack explicitly for a server we don't have any control over. Instead of erroring out, allow the case no trust store is specified, just use vhost[0] and let the system trust store decide if it likes the server's cert or not. No ABI change.
---
 lib/secure-streams/secure-streams.c | 20 +++++++++-----------
 1 file changed, 9 insertions(+), 11 deletions(-)

diff --git a/lib/secure-streams/secure-streams.c b/lib/secure-streams/secure-streams.c
index 8de02b917..c4578861c 100644
--- a/lib/secure-streams/secure-streams.c
+++ b/lib/secure-streams/secure-streams.c
@@ -212,19 +212,17 @@ lws_ss_client_connect(lws_ss_handle_t *h)
 lwsl_info("%s: using tls\n", __func__);
 i.ssl_connection = LCCSCF_USE_SSL;
- if (!h->policy->trust_store) {
- lwsl_err("%s: tls required but no policy trust store\n",
- __func__);
+ if (!h->policy->trust_store)
+ lwsl_info("%s: using platform trust store\n", __func__);
+ else {
- return -1;
- }
+ i.vhost = lws_get_vhost_by_name(h->context,
+ h->policy->trust_store->name);
+ if (!i.vhost) {
+ lwsl_err("%s: missing vh for policy ca\n", __func__);
- i.vhost = lws_get_vhost_by_name(h->context,
- h->policy->trust_store->name);
- if (!i.vhost) {
- lwsl_err("%s: missing vh for policy ca\n", __func__);
-
- return -1;
+ return -1;
+ }
 }
 }
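Review bot: The new fallback branch (`if (!h->policy->trust_store)`) turns what was a hard failure into a silent trust downgrade, and nothing in the hunk confirms that the vhost it falls back to is configured to verify the peer; on an mbedtls build with no externally supplied bundle, the default vhost may have no CA at all, so the connection outcome depends entirely on how that vhost was set up elsewhere. The fallback also relies on `i.vhost` still holding whatever value it had before this hunk (presumably zero-initialised, giving vhost[0] as the commit message says) — `lws_ss_client_connect` starts outside the hunk, so that should be checked. I would make the assumption explicit next to the log call, e.g. `/* no policy trust store: i.vhost stays NULL so the default vhost and its TLS config (system bundle) decide; verification must be enabled on that vhost */`, and consider logging this at a level operators actually see rather than `lwsl_info`, since a missing `trust_store` in a policy is more likely a configuration mistake than an intent. As a point of style, the rewritten branch mixes an unbraced `if` body with a braced `else`; bracing both arms avoids the dangling-statement hazard when the `if` side grows.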