ustream-mbedtls: fix certificate verification

Fixes certificate verification if no CA certificates are available, it's
visible when you run:

 $ uclient-fetch https://www.openwrt.org

(so no explicit certificate is given) and have *not* installed
`ca-certificates` or `ca-bundle` package, mbed TLS obviously can't do
verification since no root certificates are available.  But then it
simply ignores the issue and continues SSL handshake without warning.

Further, if you run it like:

 $ uclient-fetch --ca-certificate=/dev/null https://www.openwrt.org

ustream-mbedtls also does not do verification at all (gives no warning
either).

References: https://lists.infradead.org/pipermail/openwrt-devel/2018-August/019183.html
Suggested-by: Paul Wassi <p.wassi@gmx.at>
Signed-off-by: Petr Štetiar <ynezz@true.cz>

diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c
index 1bea9832617f514acaf81372b863e4411eb52dc2..e79e37ba5051e05642e83911526cce5831766a25 100644 (file)
--- a/ustream-mbedtls.c
+++ b/ustream-mbedtls.c
@@ -159,15 +159,17 @@ __ustream_ssl_context_new(bool server)
 
        mbedtls_ssl_config_defaults(conf, ep, MBEDTLS_SSL_TRANSPORT_STREAM,
                                    MBEDTLS_SSL_PRESET_DEFAULT);
-       mbedtls_ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_NONE);
        mbedtls_ssl_conf_rng(conf, _urandom, NULL);
 
        if (server) {
+               mbedtls_ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_NONE);
                mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites_server);
                mbedtls_ssl_conf_min_version(conf, MBEDTLS_SSL_MAJOR_VERSION_3,
                                             MBEDTLS_SSL_MINOR_VERSION_3);
-       } else
+       } else {
+               mbedtls_ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
                mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites_client);
+       }
 
 #if defined(MBEDTLS_SSL_CACHE_C)
        mbedtls_ssl_conf_session_cache(conf, &ctx->cache,