From a86e320ac19fbbd6034d0447f048beb8b4a0ad1d Mon Sep 17 00:00:00 2001
From: Attila Molnar <attilamolnar@hush.com>
Date: Mon, 8 Aug 2016 16:42:54 +0200
Subject: m_ssl_* Add option to sslprofile controlling whether to request
 client certificates

---
 src/modules/extra/m_ssl_mbedtls.cpp | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

(limited to 'src/modules/extra/m_ssl_mbedtls.cpp')

diff --git a/src/modules/extra/m_ssl_mbedtls.cpp b/src/modules/extra/m_ssl_mbedtls.cpp
index 845d02aa3..a465d06ee 100644
--- a/src/modules/extra/m_ssl_mbedtls.cpp
+++ b/src/modules/extra/m_ssl_mbedtls.cpp
@@ -257,7 +257,6 @@ namespace mbedTLS
 			mbedtls_debug_set_threshold(INT_MAX);
 			mbedtls_ssl_conf_dbg(&conf, DebugLogFunc, NULL);
 #endif
-			mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
 
 			// TODO: check ret of mbedtls_ssl_config_defaults
 			mbedtls_ssl_config_defaults(&conf, endpoint, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT);
@@ -308,6 +307,11 @@ namespace mbedTLS
 			mbedtls_ssl_conf_ca_chain(&conf, certs.get(), crl.get());
 		}
 
+		void SetOptionalVerifyCert()
+		{
+			mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
+		}
+
 		const mbedtls_ssl_config* GetConf() const { return &conf; }
 	};
 
@@ -376,7 +380,8 @@ namespace mbedTLS
 				const std::string& castr, const std::string& crlstr,
 				unsigned int recsize,
 				CTRDRBG& ctrdrbg,
-				int minver, int maxver
+				int minver, int maxver,
+				bool requestclientcert
 				)
 			: name(profilename)
 			, x509cred(certstr, keystr)
@@ -414,7 +419,13 @@ namespace mbedTLS
 				serverctx.SetDHParams(dhparams);
 			}
 
-			serverctx.SetCA(cacerts, crl);
+			clientctx.SetOptionalVerifyCert();
+			// The default for servers is to not request a client certificate from the peer
+			if (requestclientcert)
+			{
+				serverctx.SetOptionalVerifyCert();
+				serverctx.SetCA(cacerts, crl);
+			}
 		}
 
 		static std::string ReadFile(const std::string& filename)
@@ -451,7 +462,8 @@ namespace mbedTLS
 			int minver = tag->getInt("minver");
 			int maxver = tag->getInt("maxver");
 			unsigned int outrecsize = tag->getInt("outrecsize", 2048, 512, 16384);
-			return new Profile(profilename, certstr, keystr, dhstr, mindh, hashstr, ciphersuitestr, curvestr, castr, crlstr, outrecsize, ctr_drbg, minver, maxver);
+			const bool requestclientcert = tag->getBool("requestclientcert", true);
+			return new Profile(profilename, certstr, keystr, dhstr, mindh, hashstr, ciphersuitestr, curvestr, castr, crlstr, outrecsize, ctr_drbg, minver, maxver, requestclientcert);
 		}
 
 		/** Set up the given session with the settings in this profile
-- 
cgit v1.2.3