mbedtls: use our own certificate validation

Otherwise REQUIRED means that `git_stream_certificate` will always error. We're doing the mbedtls check in verify_server_cert though.

mbedtls: use our own certificate validation
Otherwise REQUIRED means that `git_stream_certificate` will always error. We're doing the mbedtls check in verify_server_cert though.
4165bb7f · Etienne Samson · 262dfcf0 · 4165bb7f
Commit 4165bb7f authored Mar 29, 2018 by Etienne Samson
Show whitespace changes
Inline Side-by-side

Showing with 5 additions and 1 deletions

src/streams/mbedtls.c
+5 -1

No files found.
--- a/src/streams/mbedtls.c
+++ b/src/streams/mbedtls.c
@@ -82,7 +82,11 @@ int git_mbedtls_stream_global_init(void)

 	/* configure TLSv1 */
 	mbedtls_ssl_conf_min_version(git__ssl_conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0);
-	mbedtls_ssl_conf_authmode(git__ssl_conf, MBEDTLS_SSL_VERIFY_REQUIRED);
+
+	/* verify_server_cert is responsible for making the check.
+	 * OPTIONAL because REQUIRED drops the certificate as soon as the check
+	 * is made, so we can never see the certificate and override it. */
+	mbedtls_ssl_conf_authmode(git__ssl_conf, MBEDTLS_SSL_VERIFY_OPTIONAL);

 	/* set the list of allowed ciphersuites */
 	ciphers_list = calloc(GIT_SSL_DEFAULT_CIPHERS_COUNT, sizeof(int));