ustream-ssl: mbedtls: fix ssl client verification
author Daniel Danzberger <daniel@dd-wrt.com>
Sun, 8 Dec 2019 20:14:08 +0000 (21:14 +0100)
committer Hauke Mehrtens <hauke@hauke-m.de>
Sun, 5 Jan 2020 16:23:11 +0000 (17:23 +0100)
The ustream_ssl_update_own_cert() function should, like the name suggests, only
update the local ssl peer's own certificate and not any of the CA's.

By overwriting the CA's certificates when setting the own certificate, the code
broke SSL client verification.

This bug was only triggered when:
 ustream_ssl_context_set_crt_file()
was called after
 ustream_ssl_context_add_ca_crt_file()

Signed-off-by: Daniel Danzberger <daniel@dd-wrt.com>
ustream-mbedtls.c

index 85bbb1c7c9ea18c04ba9bfcbba1e919a72e13c68..74c27a51b8c67db2339de8fe49eb1b1502c75a50 100644 (file)
@@ -182,16 +182,9 @@ static void ustream_ssl_update_own_cert(struct ustream_ssl_ctx *ctx)
        if (!ctx->cert.version)
                return;
 
-       if (!ctx->server) {
-               mbedtls_ssl_conf_ca_chain(&ctx->conf, &ctx->cert, NULL);
-               return;
-       }
-
        if (!ctx->key.pk_info)
                return;
 
-       if (ctx->cert.next)
-               mbedtls_ssl_conf_ca_chain(&ctx->conf, ctx->cert.next, NULL);
        mbedtls_ssl_conf_own_cert(&ctx->conf, &ctx->cert, &ctx->key);
 }
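Review bot: two behaviour changes in this hunk deserve a mention in the commit message, since both are silent. First, with the `if (!ctx->server)` block gone, the early return on `if (!ctx->key.pk_info)` now applies to clients too, so a client that loaded a certificate but no private key ends up with neither an own cert nor (as before) a CA chain, and nothing reports it. Second, removing `if (ctx->cert.next) mbedtls_ssl_conf_ca_chain(&ctx->conf, ctx->cert.next, NULL);` means certificates bundled after the own cert in the cert file are no longer installed as trust anchors for peer verification; callers that relied on that must now use ustream_ssl_context_add_ca_crt_file(). Both are consistent with the stated intent (own cert only, CA chain left to the add_ca_crt_file() path), and passing `&ctx->cert` to mbedtls_ssl_conf_own_cert() still sends `cert.next` to the peer as the intermediate chain, which is the correct use of that list, so the fix itself looks right; please just document the dropped fallbacks so users of the old single-file layout know to add an explicit CA call.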