ustream-mbedtls: fix certificate verification

[project/ustream-ssl.git] / ustream-mbedtls.c

diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c
index 1bea9832617f514acaf81372b863e4411eb52dc2..e79e37ba5051e05642e83911526cce5831766a25 100644 (file)
--- a/ustream-mbedtls.c
+++ b/ustream-mbedtls.c
@@ -159,15 +159,17 @@ __ustream_ssl_context_new(bool server)
 
        mbedtls_ssl_config_defaults(conf, ep, MBEDTLS_SSL_TRANSPORT_STREAM,
                                    MBEDTLS_SSL_PRESET_DEFAULT);
-       mbedtls_ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_NONE);
        mbedtls_ssl_conf_rng(conf, _urandom, NULL);
 
        if (server) {
+               mbedtls_ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_NONE);
                mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites_server);
                mbedtls_ssl_conf_min_version(conf, MBEDTLS_SSL_MAJOR_VERSION_3,
                                             MBEDTLS_SSL_MINOR_VERSION_3);
-       } else
+       } else {
+               mbedtls_ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
                mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites_client);
+       }
 
 #if defined(MBEDTLS_SSL_CACHE_C)
        mbedtls_ssl_conf_session_cache(conf, &ctx->cache,