mirror of
https://github.com/warmcat/libwebsockets.git
synced 2025-03-23 00:00:06 +01:00
This fixes clients being able to connect with a certificate that was not signed by the configured CA when SSL_VERIFY_FAIL_IF_NO_PEER_CERT is set.

The issue only appeared when a client connects via IP address directly and does not use a hostname. When the hostname was used to connect, the SNI 'callback lws_mbedtls_sni_cb' overwrote the invalid verify mode of MBEDTLS_SSL_VERIFY_OPTIONAL with MBEDTLS_SSL_VERIFY_REQUIRED by calling SSL_set_SSL_CTX.

Signed-off-by: Daniel Danzberger <daniel@dd-wrt.com>

ssl_pm.c
ssl_port.c