diff mbox series

[OpenWrt-Devel,2/2] ustream-ssl: mbedtls: fix ssl client verification

Message ID 20191208201408.130971-1-daniel@dd-wrt.com
State Accepted
Delegated to: Hauke Mehrtens
Headers show
Series None | expand

Commit Message

Daniel Danzberger Dec. 8, 2019, 8:14 p.m. UTC
The ustream_ssl_update_own_cert() function should, like the name suggests, only
update the local ssl peer's own certificate and not the any of the CA's.

By overwriting the CA's certifcates when setting the own certificate, the code
broke SSL client verification.

This bug was only triggerd when:
was called after

Signed-off-by: Daniel Danzberger <daniel@dd-wrt.com>
 ustream-mbedtls.c | 7 -------
 1 file changed, 7 deletions(-)
diff mbox series


diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c
index 85bbb1c..74c27a5 100644
--- a/ustream-mbedtls.c
+++ b/ustream-mbedtls.c
@@ -182,16 +182,9 @@  static void ustream_ssl_update_own_cert(struct ustream_ssl_ctx *ctx)
 	if (!ctx->cert.version)
-	if (!ctx->server) {
-		mbedtls_ssl_conf_ca_chain(&ctx->conf, &ctx->cert, NULL);
-		return;
-	}
 	if (!ctx->key.pk_info)
-	if (ctx->cert.next)
-		mbedtls_ssl_conf_ca_chain(&ctx->conf, ctx->cert.next, NULL);
 	mbedtls_ssl_conf_own_cert(&ctx->conf, &ctx->cert, &ctx->key);