From 0060af62c5b51566ee19c9c519106518c260d9b0 Mon Sep 17 00:00:00 2001
From: Petar Paradzik
Date: Tue, 31 Oct 2017 14:37:41 +0100
Subject: [PATCH] mbedtls: add support for optional peer certificate

Check for LWS_SERVER_OPTION_PEER_CERT_NOT_REQUIRED...

AG: Fix missing stanza needed to confirm client cert needed at all

Signed-off-by: Petar Paradzik
---
 lib/tls/mbedtls/server.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/lib/tls/mbedtls/server.c b/lib/tls/mbedtls/server.c
index d88e39c8..a14bbc18 100644
--- a/lib/tls/mbedtls/server.c
+++ b/lib/tls/mbedtls/server.c
@@ -25,7 +25,18 @@ int
 lws_tls_server_client_cert_verify_config(struct lws_context_creation_info *info,
 					 struct lws_vhost *vh)
 {
-	SSL_CTX_set_verify(vh->ssl_ctx, SSL_VERIFY_PEER, NULL);
+	int verify_options = SSL_VERIFY_PEER;
+
+	/* as a server, are we requiring clients to identify themselves? */
+
+	if (!lws_check_opt(info->options,
+			   LWS_SERVER_OPTION_REQUIRE_VALID_OPENSSL_CLIENT_CERT))
+		return 0;
+
+	if (lws_check_opt(info->options, LWS_SERVER_OPTION_PEER_CERT_NOT_REQUIRED))
+		verify_options = SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
+
+	SSL_CTX_set_verify(vh->ssl_ctx, verify_options, NULL);
 
 	return 0;
 }
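Review bot: The `LWS_SERVER_OPTION_PEER_CERT_NOT_REQUIRED` branch sets `verify_options = SSL_VERIFY_FAIL_IF_NO_PEER_CERT` on its own and drops `SSL_VERIFY_PEER`; under OpenSSL's documented semantics that flag is ignored unless `SSL_VERIFY_PEER` is also set, so whether this produces "client cert optional" or "no verification at all" depends entirely on how the mbedtls compatibility shim maps the value — presumably to the mbedtls optional authmode, but that should be confirmed against the shim. The option name and the flag name read as opposites, so the line needs a comment stating the intended mode, e.g. `/* cert optional: verify a client cert if one is presented, but accept its absence */`. If the shim follows OpenSSL semantics, the two cases should instead be `SSL_VERIFY_PEER` for optional and `SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT` for required. In the optional mode a peer that presents no certificate completes the handshake unauthenticated, so code that grants privileges based on the client cert must check that one was actually presented rather than relying on the handshake succeeding.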