Don't ask for client cert when require_certificate is false.

2014-10-07 23:20:46 +01:00 · 2014-10-07 23:20:46 +01:00 · 43556537e3
commit 43556537e3
parent ac00949793
2 changed files with 4 additions and 1 deletions
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@ -43,6 +43,9 @@ Broker:
 - Add support for use_username_as_clientid which can be used with
  authentication to restrict ownership of client ids and hence prevent one
  client disconnecting another by using the same client id.
+- When "require_certificate" was false, the broker was incorrectly asking for
+  a certificate (but not checking it). This caused problems with some clients
+  and has been fixed so the broker no longer asks.

 Clients:
 - Both clients can now load default configuration options from a file.
--- a/src/net.c
+++ b/src/net.c
@ -425,7 +425,7 @@ int mqtt3_socket_listen(struct _mqtt3_listener *listener)
 			if(listener->require_certificate){
 				SSL_CTX_set_verify(listener->ssl_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, client_certificate_verify);
 			}else{
-				SSL_CTX_set_verify(listener->ssl_ctx, SSL_VERIFY_PEER, client_certificate_verify);
+				SSL_CTX_set_verify(listener->ssl_ctx, SSL_VERIFY_NONE, client_certificate_verify);
 			}
 			rc = SSL_CTX_use_certificate_chain_file(listener->ssl_ctx, listener->certfile);
 			if(rc != 1){