X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fmodules%2Fextra%2Fm_ssl_mbedtls.cpp;h=ffe0a71b8fd3540fea3e91df55a65b6a230fba63;hb=5d7003df82b839ed64439a819c6b825265d434df;hp=845d02aa3fb2ad266559cb7e27edc2544d14a8d3;hpb=eef55acb1dbb2ae6c0202fec54e12506c064f892;p=user%2Fhenk%2Fcode%2Finspircd.git

diff --git a/src/modules/extra/m_ssl_mbedtls.cpp b/src/modules/extra/m_ssl_mbedtls.cpp
index 845d02aa3..ffe0a71b8 100644
--- a/src/modules/extra/m_ssl_mbedtls.cpp
+++ b/src/modules/extra/m_ssl_mbedtls.cpp
@@ -257,7 +257,6 @@ namespace mbedTLS
 			mbedtls_debug_set_threshold(INT_MAX);
 			mbedtls_ssl_conf_dbg(&conf, DebugLogFunc, NULL);
 #endif
-			mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
 
 			// TODO: check ret of mbedtls_ssl_config_defaults
 			mbedtls_ssl_config_defaults(&conf, endpoint, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT);
@@ -308,6 +307,11 @@ namespace mbedTLS
 			mbedtls_ssl_conf_ca_chain(&conf, certs.get(), crl.get());
 		}
 
+		void SetOptionalVerifyCert()
+		{
+			mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
+		}
+
 		const mbedtls_ssl_config* GetConf() const { return &conf; }
 	};
 
@@ -376,7 +380,8 @@ namespace mbedTLS
 				const std::string& castr, const std::string& crlstr,
 				unsigned int recsize,
 				CTRDRBG& ctrdrbg,
-				int minver, int maxver
+				int minver, int maxver,
+				bool requestclientcert
 				)
 			: name(profilename)
 			, x509cred(certstr, keystr)
@@ -414,7 +419,14 @@ namespace mbedTLS
 				serverctx.SetDHParams(dhparams);
 			}
 
-			serverctx.SetCA(cacerts, crl);
+			clientctx.SetOptionalVerifyCert();
+			clientctx.SetCA(cacerts, crl);			
+			// The default for servers is to not request a client certificate from the peer
+			if (requestclientcert)
+			{
+				serverctx.SetOptionalVerifyCert();
+				serverctx.SetCA(cacerts, crl);
+			}
 		}
 
 		static std::string ReadFile(const std::string& filename)
@@ -451,7 +463,8 @@ namespace mbedTLS
 			int minver = tag->getInt("minver");
 			int maxver = tag->getInt("maxver");
 			unsigned int outrecsize = tag->getInt("outrecsize", 2048, 512, 16384);
-			return new Profile(profilename, certstr, keystr, dhstr, mindh, hashstr, ciphersuitestr, curvestr, castr, crlstr, outrecsize, ctr_drbg, minver, maxver);
+			const bool requestclientcert = tag->getBool("requestclientcert", true);
+			return new Profile(profilename, certstr, keystr, dhstr, mindh, hashstr, ciphersuitestr, curvestr, castr, crlstr, outrecsize, ctr_drbg, minver, maxver, requestclientcert);
 		}
 
 		/** Set up the given session with the settings in this profile