tls: openssl: Fail verification if client certificate is not provided

edbingo · edbingo · commit 0819c37314e4 · 2025-12-04T15:29:48.000+01:00
diff --git a/src/tls/openssl.c b/src/tls/openssl.c
@@ -801,7 +801,11 @@ static void *tls_context_create(int verify,
         SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_NONE, NULL);
     }
     else {
-        SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL);
+        int verify_flags = SSL_VERIFY_PEER;
+        if (mode == FLB_TLS_SERVER_MODE) {
+            verify_flags |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
+        }
+        SSL_CTX_set_verify(ssl_ctx, verify_flags, NULL);
     }
 
     /* ca_path | ca_file */

Original file line number	Diff line number	Diff line change
`@@ -801,7 +801,11 @@ static void *tls_context_create(int verify,`
`801`	`801`	`SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_NONE, NULL);`
`802`	`802`	`}`
`803`	`803`	`else {`
`804`		`- SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL);`
	`804`	`+ int verify_flags = SSL_VERIFY_PEER;`
	`805`	`+ if (mode == FLB_TLS_SERVER_MODE) {`
	`806`	`+ verify_flags \|= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;`
	`807`	`+ }`
	`808`	`+ SSL_CTX_set_verify(ssl_ctx, verify_flags, NULL);`
`805`	`809`	`}`
`806`	`810`
`807`	`811`	`/* ca_path \| ca_file */`