Diffstat (limited to 'lib/ssl/src/ssl.erl')
-rw-r--r-- | lib/ssl/src/ssl.erl | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index 4e766ac1f5..c96173e98b 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -264,7 +264,7 @@ secp160r1 | secp160r2.
--type group() :: secp256r1 | secp384r1 | secp521r1 | ffdhe2048 |
+-type group() :: x25519 | x448 | secp256r1 | secp384r1 | secp521r1 | ffdhe2048 |
 ffdhe3072 | ffdhe4096 | ffdhe6144 | ffdhe8192. % exported
 -type srp_param_type() :: srp_1024 |
@@ -1703,18 +1703,22 @@ validate_versions(dtls, Vsns0) ->
 opt_verification(UserOpts, Opts0, #{role := Role} = Env) ->
 {Verify, Opts1} =
 case get_opt_of(verify, [verify_none, verify_peer], default_verify(Role), UserOpts, Opts0) of
+ {old, Val} ->
+ {Val, Opts0};
 {_, verify_none} ->
 {verify_none, Opts0#{verify => verify_none, verify_fun => {none_verify_fun(), []}}};
 {_, verify_peer} ->
 %% If 'verify' is changed from verify_none to verify_peer, (via update_options/3)
 %% the 'verify_fun' must also be changed to undefined.
 %% i.e remove verify_none fun
- {verify_peer, Opts0#{verify => verify_peer, verify_fun => undefined}}
+ Temp = Opts0#{verify => verify_peer, verify_fun => undefined},
+ {verify_peer, maps:remove(fail_if_no_peer_cert, Temp)}
 end,
 Opts2 = opt_cacerts(UserOpts, Opts1, Env),
 {_, PartialChain} = get_opt_fun(partial_chain, 1, fun(_) -> unknown_ca end, UserOpts, Opts2),
- {_, FailNoPeerCert} = get_opt_bool(fail_if_no_peer_cert, false, UserOpts, Opts2),
+ DefFailNoPeer = Role =:= server andalso Verify =:= verify_peer,
+ {_, FailNoPeerCert} = get_opt_bool(fail_if_no_peer_cert, DefFailNoPeer, UserOpts, Opts2),
 assert_server_only(Role, FailNoPeerCert, fail_if_no_peer_cert),
 option_incompatible(FailNoPeerCert andalso Verify =:= verify_none,
 [{verify, verify_none}, {fail_if_no_peer_cert, true}]), |
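Review bot: The new `maps:remove(fail_if_no_peer_cert, Temp)` in the verify_peer branch is not covered by the comment block above it, which only explains the verify_fun reset, and it discards an explicitly configured value as well as a stale default: if get_opt_bool consults UserOpts before Opts2 (as the call shape suggests), an update_options call that sets `verify => verify_peer` without restating fail_if_no_peer_cert replaces a server's earlier `fail_if_no_peer_cert => false` with the new default true computed in `DefFailNoPeer`. That is the fail-closed direction, so it is presumably intended, but it deserves a sentence so the behaviour is not later mistaken for a bug; I would extend the existing comment with `%% Also drop any stored fail_if_no_peer_cert so the verify_peer default (true for servers) is recomputed below; callers wanting false must pass it in the same call`. As a style point, `Temp` says nothing about what it holds — either inline the map update into the maps:remove call or name it `PeerOpts`. opt_verification's body continues past the end of the hunk.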