[PATCH ustream-ssl 10/12] ustream-mbedtls: fix certificate verification
Petr Štetiar
ynezz at true.cz
Thu Dec 10 10:41:32 EST 2020
Fixes certificate verification if no CA certificates are available, it's
visible when you run:
$ uclient-fetch https://www.openwrt.org
(so no explicit certificate is given) and have *not* installed
`ca-certificates` or `ca-bundle` package, mbed TLS obviously can't do
verification since no root certificates are available. But then it
simply ignores the issue and continues SSL handshake without warning.
Further, if you run it like:
$ uclient-fetch --ca-certificate=/dev/null https://www.openwrt.org
ustream-mbedtls also does not do verification at all (gives no warning
either).
References: https://lists.infradead.org/pipermail/openwrt-devel/2018-August/019183.html
Suggested-by: Paul Wassi <p.wassi at gmx.at>
Signed-off-by: Petr Štetiar <ynezz at true.cz>
---
ustream-mbedtls.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c
index 1bea9832617f..e79e37ba5051 100644
--- a/ustream-mbedtls.c
+++ b/ustream-mbedtls.c
@@ -159,15 +159,17 @@ __ustream_ssl_context_new(bool server)
mbedtls_ssl_config_defaults(conf, ep, MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT);
- mbedtls_ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_NONE);
mbedtls_ssl_conf_rng(conf, _urandom, NULL);
if (server) {
+ mbedtls_ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_NONE);
mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites_server);
mbedtls_ssl_conf_min_version(conf, MBEDTLS_SSL_MAJOR_VERSION_3,
MBEDTLS_SSL_MINOR_VERSION_3);
- } else
+ } else {
+ mbedtls_ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites_client);
+ }
#if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_conf_session_cache(conf, &ctx->cache,
More information about the openwrt-devel
mailing list