Commit 4165bb7

committed
mbedtls: use our own certificate validation
Otherwise REQUIRED means that `git_stream_certificate` will always error. We're doing the mbedtls check in verify_server_cert though.
1 parent 262dfcf commit 4165bb7

1 file changed

+5
-1
lines changed

src/streams/mbedtls.c

Lines changed: 5 additions & 1 deletion
@@ -82,7 +82,11 @@ int git_mbedtls_stream_global_init(void)
8282

8383
/* configure TLSv1 */
8484
mbedtls_ssl_conf_min_version(git__ssl_conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0);
85-
mbedtls_ssl_conf_authmode(git__ssl_conf, MBEDTLS_SSL_VERIFY_REQUIRED);
85+
86+
/* verify_server_cert is responsible for making the check.
87+
* OPTIONAL because REQUIRED drops the certificate as soon as the check
88+
* is made, so we can never see the certificate and override it. */
89+
mbedtls_ssl_conf_authmode(git__ssl_conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
8690

8791
/* set the list of allowed ciphersuites */
8892
ciphers_list = calloc(GIT_SSL_DEFAULT_CIPHERS_COUNT, sizeof(int));
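Review bot: with the authmode changed to MBEDTLS_SSL_VERIFY_OPTIONAL, the mbedtls handshake will now complete even when the peer certificate fails chain validation, so the safety of every connection rests entirely on verify_server_cert; the new comment names that function as responsible, but nothing in this hunk shows that it runs unconditionally after every handshake or that a failed verification is fatal unless a user certificate callback explicitly accepts the certificate. Suggest saying so in the comment and confirming that verify_server_cert reads mbedtls_ssl_get_verify_result() after the handshake and refuses the connection on a non-zero result by default, since with OPTIONAL mbedtls no longer enforces that for you. The reason given in the commit message (REQUIRED makes `git_stream_certificate` always error because the certificate is rejected before the caller can see it) is clearer than "drops the certificate as soon as the check is made" and would be worth carrying into the comment.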
