[OpenWrt-Devel] [PATCH 2/2] ustream-ssl: mbedtls: fix ssl client verification
Daniel Danzberger
daniel at dd-wrt.com
Sun Dec 8 15:14:08 EST 2019
The ustream_ssl_update_own_cert() function should, like the name suggests, only
update the local ssl peer's own certificate and not the any of the CA's.
By overwriting the CA's certifcates when setting the own certificate, the code
broke SSL client verification.
This bug was only triggerd when:
ustream_ssl_context_set_crt_file()
was called after
ustream_ssl_context_add_ca_crt_file()
Signed-off-by: Daniel Danzberger <daniel at dd-wrt.com>
---
ustream-mbedtls.c | 7 -------
1 file changed, 7 deletions(-)
diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c
index 85bbb1c..74c27a5 100644
--- a/ustream-mbedtls.c
+++ b/ustream-mbedtls.c
@@ -182,16 +182,9 @@ static void ustream_ssl_update_own_cert(struct ustream_ssl_ctx *ctx)
if (!ctx->cert.version)
return;
- if (!ctx->server) {
- mbedtls_ssl_conf_ca_chain(&ctx->conf, &ctx->cert, NULL);
- return;
- }
-
if (!ctx->key.pk_info)
return;
- if (ctx->cert.next)
- mbedtls_ssl_conf_ca_chain(&ctx->conf, ctx->cert.next, NULL);
mbedtls_ssl_conf_own_cert(&ctx->conf, &ctx->cert, &ctx->key);
}
--
2.24.0
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
More information about the openwrt-devel
mailing list