Commit 4165bb7f4b767801c2142ec521e275f6560197a5

Etienne Samson 2018-03-29T22:14:06

mbedtls: use our own certificate validation

Otherwise REQUIRED means that `git_stream_certificate` will always error. We're doing the mbedtls check in verify_server_cert though.

diff --git a/src/streams/mbedtls.c b/src/streams/mbedtls.c
index fa7d31e..b2f02cc 100644
--- a/src/streams/mbedtls.c
+++ b/src/streams/mbedtls.c
@@ -82,7 +82,11 @@ int git_mbedtls_stream_global_init(void)
 
 	/* configure TLSv1 */
 	mbedtls_ssl_conf_min_version(git__ssl_conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0);
-	mbedtls_ssl_conf_authmode(git__ssl_conf, MBEDTLS_SSL_VERIFY_REQUIRED);
+
+	/* verify_server_cert is responsible for making the check.
+	 * OPTIONAL because REQUIRED drops the certificate as soon as the check
+	 * is made, so we can never see the certificate and override it. */
+	mbedtls_ssl_conf_authmode(git__ssl_conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
 
 	/* set the list of allowed ciphersuites */
 	ciphers_list = calloc(GIT_SSL_DEFAULT_CIPHERS_COUNT, sizeof(int));
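Review bot: With MBEDTLS_SSL_VERIFY_OPTIONAL on the shared git__ssl_conf, the handshake now completes even when the peer certificate fails validation, so every connection made from this config depends on verify_server_cert running before any application data is sent. The new comment should say that explicitly. verify_server_cert is not in this hunk, so please confirm it treats a non-zero mbedtls_ssl_get_verify_result() as a failure unless the caller's certificate callback explicitly accepts it, and that no connect path can skip it. A test that connects to a host with an untrusted certificate and expects an error by default would pin this behaviour down. Separately, on the unchanged context line above, the comment says "configure TLSv1" but MBEDTLS_SSL_MINOR_VERSION_0 is the SSL 3.0 minor version in mbedtls; TLS 1.0 is MBEDTLS_SSL_MINOR_VERSION_1, so either the comment or the minimum version deserves a follow-up.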