mbedtls: use our own certificate validation

Otherwise REQUIRED means that `git_stream_certificate` will always error. We're doing the mbedtls check in verify_server_cert though.
author: Etienne Samson <samson.etienne@gmail.com> 2018-03-29 22:14:06 +0200
committer: Etienne Samson <samson.etienne@gmail.com> 2018-04-11 21:02:43 +0200
commit: 4165bb7f4b767801c2142ec521e275f6560197a5 (patch)
tree: 6aea5b0b259a9fefa00cd76051ce97e4bdc9c2ed /src/streams
parent: 262dfcf0bf7416ddac5012737dfa1686e013824f (diff)
download: libgit2-4165bb7f4b767801c2142ec521e275f6560197a5.tar.gz
1 files changed, 5 insertions, 1 deletions
diff --git a/src/streams/mbedtls.c b/src/streams/mbedtls.c
index fa7d31e71..b2f02ccd3 100644
--- a/src/streams/mbedtls.c
+++ b/src/streams/mbedtls.c
@@ -82,7 +82,11 @@ int git_mbedtls_stream_global_init(void)
 
 	/* configure TLSv1 */
 	mbedtls_ssl_conf_min_version(git__ssl_conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0);
-	mbedtls_ssl_conf_authmode(git__ssl_conf, MBEDTLS_SSL_VERIFY_REQUIRED);
+
+	/* verify_server_cert is responsible for making the check.
+	 * OPTIONAL because REQUIRED drops the certificate as soon as the check
+	 * is made, so we can never see the certificate and override it. */
+	mbedtls_ssl_conf_authmode(git__ssl_conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
 
 	/* set the list of allowed ciphersuites */
 	ciphers_list = calloc(GIT_SSL_DEFAULT_CIPHERS_COUNT, sizeof(int));
author	Etienne Samson <samson.etienne@gmail.com>	2018-03-29 22:14:06 +0200
committer	Etienne Samson <samson.etienne@gmail.com>	2018-04-11 21:02:43 +0200
commit	4165bb7f4b767801c2142ec521e275f6560197a5 (patch)
tree	6aea5b0b259a9fefa00cd76051ce97e4bdc9c2ed /src/streams
parent	262dfcf0bf7416ddac5012737dfa1686e013824f (diff)
download	libgit2-4165bb7f4b767801c2142ec521e275f6560197a5.tar.gz