For incoming ssl context with verifypem != NULL, we can set
authorW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Fri, 28 Feb 2020 10:10:12 +0000 (11:10 +0100)
committerW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Fri, 28 Feb 2020 10:10:12 +0000 (11:10 +0100)
SSL_VERIFY_FAIL_IF_NO_PEER_CERT so that client connections without a
peer certificate are rejected during the handshake, which is nicer for
the client than a plain connection drop (which is what happens when we
only check for the missing peer certificate afterwards).

util/net_help.c

index 2a392781db8c5266e2fc8cd8fc9b1a564eb62b6b..8f75da07f10258c1c30676a19567a4054f8424a3 100644 (file)
@@ -996,7 +996,7 @@ void* listen_sslctx_create(char* key, char* pem, char* verifypem)
                }
                SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(
                        verifypem));
-               SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
+               SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
        }
        return ctx;
 #else
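Review bot: The result of `SSL_load_client_CA_file(verifypem)` in the context lines just above the changed `SSL_CTX_set_verify` call is handed to `SSL_CTX_set_client_CA_list` without a NULL check, so a CA file that loads as a trust store but yields no usable name stack (or an allocation failure) silently installs an empty acceptable-CA list; now that `SSL_VERIFY_FAIL_IF_NO_PEER_CERT` is set, a client that picks its certificate from that list has no hint which one to send and is then rejected in the handshake, with nothing in the log pointing at the file. I would capture the stack first and fail the context creation on NULL, in the same way the surrounding code reports its other OpenSSL failures: `STACK_OF(X509_NAME) *cas = SSL_load_client_CA_file(verifypem);`, `if(!cas) { /* log the crypto error, SSL_CTX_free(ctx); return NULL; */ }`, `SSL_CTX_set_client_CA_list(ctx, cas);`. The commit message says a no-peer-cert check is still performed after the handshake; presumably that check can be kept as a defensive assertion rather than the primary enforcement, but it lives outside this hunk. listen_sslctx_create starts before the hunk and its `#else` branch continues after it.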