From cee6791b362a1b778b6e0630433052bd819943f1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0tetiar?= Date: Thu, 10 Dec 2020 14:51:25 +0100 Subject: ustream-mbedtls: fix certificate verification MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes certificate verification if no CA certificates are available, it's visible when you run: $ uclient-fetch https://www.openwrt.org (so no explicit certificate is given) and have *not* installed `ca-certificates` or `ca-bundle` package, mbed TLS obviously can't do verification since no root certificates are available. But then it simply ignores the issue and continues SSL handshake without warning. Further, if you run it like: $ uclient-fetch --ca-certificate=/dev/null https://www.openwrt.org ustream-mbedtls also does not do verification at all (gives no warning either). References: https://lists.infradead.org/pipermail/openwrt-devel/2018-August/019183.html Suggested-by: Paul Wassi Signed-off-by: Petr Štetiar --- ustream-mbedtls.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c index 1bea983..e79e37b 100644 --- a/ustream-mbedtls.c +++ b/ustream-mbedtls.c @@ -159,15 +159,17 @@ __ustream_ssl_context_new(bool server) mbedtls_ssl_config_defaults(conf, ep, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT); - mbedtls_ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_NONE); mbedtls_ssl_conf_rng(conf, _urandom, NULL); if (server) { + mbedtls_ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_NONE); mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites_server); mbedtls_ssl_conf_min_version(conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3); - } else + } else { + mbedtls_ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_OPTIONAL); mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites_client); + } #if defined(MBEDTLS_SSL_CACHE_C) mbedtls_ssl_conf_session_cache(conf, &ctx->cache, -- cgit v1.2.1