Diffstat (limited to 'lib/ssl/src/ssl.erl')
-rw-r--r--lib/ssl/src/ssl.erl10
1 files changed, 7 insertions, 3 deletions
diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index 4e766ac1f5..c96173e98b 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -264,7 +264,7 @@
secp160r1 |
secp160r2.
--type group() :: secp256r1 | secp384r1 | secp521r1 | ffdhe2048 |
+-type group() :: x25519 | x448 | secp256r1 | secp384r1 | secp521r1 | ffdhe2048 |
ffdhe3072 | ffdhe4096 | ffdhe6144 | ffdhe8192. % exported
-type srp_param_type() :: srp_1024 |
@@ -1703,18 +1703,22 @@ validate_versions(dtls, Vsns0) ->
opt_verification(UserOpts, Opts0, #{role := Role} = Env) ->
{Verify, Opts1} =
case get_opt_of(verify, [verify_none, verify_peer], default_verify(Role), UserOpts, Opts0) of
+ {old, Val} ->
+ {Val, Opts0};
{_, verify_none} ->
{verify_none, Opts0#{verify => verify_none, verify_fun => {none_verify_fun(), []}}};
{_, verify_peer} ->
%% If 'verify' is changed from verify_none to verify_peer, (via update_options/3)
%% the 'verify_fun' must also be changed to undefined.
%% i.e remove verify_none fun
- {verify_peer, Opts0#{verify => verify_peer, verify_fun => undefined}}
+ Temp = Opts0#{verify => verify_peer, verify_fun => undefined},
+ {verify_peer, maps:remove(fail_if_no_peer_cert, Temp)}
end,
Opts2 = opt_cacerts(UserOpts, Opts1, Env),
{_, PartialChain} = get_opt_fun(partial_chain, 1, fun(_) -> unknown_ca end, UserOpts, Opts2),
- {_, FailNoPeerCert} = get_opt_bool(fail_if_no_peer_cert, false, UserOpts, Opts2),
+ DefFailNoPeer = Role =:= server andalso Verify =:= verify_peer,
+ {_, FailNoPeerCert} = get_opt_bool(fail_if_no_peer_cert, DefFailNoPeer, UserOpts, Opts2),
assert_server_only(Role, FailNoPeerCert, fail_if_no_peer_cert),
option_incompatible(FailNoPeerCert andalso Verify =:= verify_none,
[{verify, verify_none}, {fail_if_no_peer_cert, true}]),
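Review bot: The `maps:remove(fail_if_no_peer_cert, Temp)` in the `{_, verify_peer}` branch is not explained; the comment above it only covers `verify_fun`. As far as the hunk shows, removing the key makes the later `get_opt_bool(fail_if_no_peer_cert, DefFailNoPeer, UserOpts, Opts2)` fall back to the new role-based default unless UserOpts sets the option. That would also discard a `false` stored by an earlier call when `verify` is switched to `verify_peer` through update_options/3, which is the fail-closed direction but should be stated, since `get_opt_bool` is not visible here to confirm it. I would add `%% Drop any stored fail_if_no_peer_cert so the server default (true with verify_peer) is recomputed below` and give `Temp` a descriptive name. The new `{old, Val}` clause returns `Opts0` untouched, so an unchanged `verify_peer` no longer resets `verify_fun`, which also deserves a one-line comment; `opt_verification` continues past the end of the hunk.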