diff --git a/lib/tls/mbedtls/server.c b/lib/tls/mbedtls/server.c
index d88e39c8..a14bbc18 100644
--- a/lib/tls/mbedtls/server.c
+++ b/lib/tls/mbedtls/server.c
@@ -25,7 +25,18 @@ int
 lws_tls_server_client_cert_verify_config(struct lws_context_creation_info *info,
 struct lws_vhost *vh)
 {
- SSL_CTX_set_verify(vh->ssl_ctx, SSL_VERIFY_PEER, NULL);
+ int verify_options = SSL_VERIFY_PEER;
+
+ /* as a server, are we requiring clients to identify themselves? */
+
+ if (!lws_check_opt(info->options,
+ LWS_SERVER_OPTION_REQUIRE_VALID_OPENSSL_CLIENT_CERT))
+ return 0;
+
+ if (lws_check_opt(info->options, LWS_SERVER_OPTION_PEER_CERT_NOT_REQUIRED))
+ verify_options = SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
+
+ SSL_CTX_set_verify(vh->ssl_ctx, verify_options, NULL);
 
 return 0;
 }
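Review bot: The LWS_SERVER_OPTION_PEER_CERT_NOT_REQUIRED branch looks inverted: when the vhost says a peer certificate is *not* required, the new code replaces SSL_VERIFY_PEER with SSL_VERIFY_FAIL_IF_NO_PEER_CERT, which in OpenSSL flag semantics is the stricter modifier and is only meaningful together with SSL_VERIFY_PEER, so the "not required" vhost would end up demanding a client certificate while the default vhost merely requests one. Unless lws's mbedtls shim gives these flags a different meaning than OpenSSL does (not visible in this hunk), the condition should be negated and the flag OR'd into the base mode: `if (!lws_check_opt(info->options, LWS_SERVER_OPTION_PEER_CERT_NOT_REQUIRED))` / `verify_options |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;`. The early return when LWS_SERVER_OPTION_REQUIRE_VALID_OPENSSL_CLIENT_CERT is unset also deserves a comment such as `/* no client auth: ctx keeps the shim's default verify mode */`, since that default becomes the vhost's client-authentication posture and a reader cannot tell from here what it is.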