From 30cebb4fc78e49e0432a404f7c9dd8c9a93b3cc3 Mon Sep 17 00:00:00 2001 From: Daniel Danzberger Date: Sun, 8 Dec 2019 21:14:08 +0100 Subject: [PATCH] ustream-ssl: mbedtls: fix ssl client verification The ustream_ssl_update_own_cert() function should, like the name suggests, only update the local ssl peer's own certificate and not the any of the CA's. By overwriting the CA's certifcates when setting the own certificate, the code broke SSL client verification. This bug was only triggerd when: ustream_ssl_context_set_crt_file() was called after ustream_ssl_context_add_ca_crt_file() Signed-off-by: Daniel Danzberger --- ustream-mbedtls.c | 7 ------- 1 file changed, 7 deletions(-) diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c index 85bbb1c..74c27a5 100644 --- a/ustream-mbedtls.c +++ b/ustream-mbedtls.c @@ -182,16 +182,9 @@ static void ustream_ssl_update_own_cert(struct ustream_ssl_ctx *ctx) if (!ctx->cert.version) return; - if (!ctx->server) { - mbedtls_ssl_conf_ca_chain(&ctx->conf, &ctx->cert, NULL); - return; - } - if (!ctx->key.pk_info) return; - if (ctx->cert.next) - mbedtls_ssl_conf_ca_chain(&ctx->conf, ctx->cert.next, NULL); mbedtls_ssl_conf_own_cert(&ctx->conf, &ctx->cert, &ctx->key); } -- 2.25.1