From 4144c1e61bfc69b08f52e727f687430026ebb608 Mon Sep 17 00:00:00 2001
From: Daniel Danzberger
Date: Mon, 5 Jun 2023 21:24:59 +0200
Subject: [PATCH] mbedtls-server: Fix broken client verification

This fixes clients being able to connect with a certicate that was not signed by the configured CA when SSL_VERIFY_FAIL_IF_NO_PEER_CERT is set. The issue only appeared when a client connects via IP address directly and not use a hostname. When the hostname was used to connect, the SNI 'callback lws_mbedtls_sni_cb' overwrote the invalid verfiy mode of MBEDTLS_SSL_VERIFY_OPTIONAL with MBEDTLS_SSL_VERIFY_REQUIRED by calling SSL_set_SSL_CTX.

Signed-off-by: Daniel Danzberger
---
 lib/tls/mbedtls/wrapper/platform/ssl_pm.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/tls/mbedtls/wrapper/platform/ssl_pm.c b/lib/tls/mbedtls/wrapper/platform/ssl_pm.c
index 7b378fa801..d7e7c399c9 100755
--- a/lib/tls/mbedtls/wrapper/platform/ssl_pm.c
+++ b/lib/tls/mbedtls/wrapper/platform/ssl_pm.c
@@ -251,9 +251,9 @@ static int ssl_pm_reload_crt(SSL *ssl)
 	struct x509_pm *crt_pm = (struct x509_pm *)ssl->cert->x509->x509_pm;
 
 	if (ssl->verify_mode == SSL_VERIFY_PEER)
-		mode = MBEDTLS_SSL_VERIFY_REQUIRED;
-	else if (ssl->verify_mode == SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
 		mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
+	else if (ssl->verify_mode == SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
+		mode = MBEDTLS_SSL_VERIFY_REQUIRED;
 	else if (ssl->verify_mode == SSL_VERIFY_CLIENT_ONCE)
 		mode = MBEDTLS_SSL_VERIFY_UNSET;
 	else
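Review bot: The new mapping still compares `ssl->verify_mode` with `==`, so a caller that sets the OpenSSL-style combination `SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT` (the usual way to demand a client certificate) matches none of these branches and falls into the final `else`, whose body and the rest of `ssl_pm_reload_crt` lie outside the hunk. If the wrapper's SSL_VERIFY_* constants are the OpenSSL bit values (their definitions are not visible here), testing bits and checking the stricter flag first avoids that fall-through: `if (ssl->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) mode = MBEDTLS_SSL_VERIFY_REQUIRED; else if (ssl->verify_mode & SSL_VERIFY_PEER) mode = MBEDTLS_SSL_VERIFY_OPTIONAL;`. Note also that MBEDTLS_SSL_VERIFY_OPTIONAL lets the handshake complete even when the presented certificate fails verification, so any path that configures plain SSL_VERIFY_PEER now relies on something checking the verify result (`SSL_get_verify_result` / `mbedtls_ssl_get_verify_result`) after the handshake; a comment on the `SSL_VERIFY_PEER` branch such as `/* OPTIONAL: handshake succeeds even on a bad cert; caller must check the verify result */` would keep the next reader from assuming OPTIONAL rejects unverifiable certificates.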