From: Arran Cudbard-Bell
Date: Mon, 12 Jun 2023 17:57:32 +0000 (-0400)
Subject: tls: SSL_set_verify is used in the session alloc functions, so we don't need to call...
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a1860d2b32f99781695cc1cfe60179383c6fd020;p=thirdparty%2Ffreeradius-server.git
tls: SSL_set_verify is used in the session alloc functions, so we don't need to call it in the SSL_CTX alloc function
---
diff --git a/src/lib/tls/ctx.c b/src/lib/tls/ctx.c
index 6dea0304cf2..b253f419a97 100644
--- a/src/lib/tls/ctx.c
+++ b/src/lib/tls/ctx.c
@@ -979,14 +979,11 @@ post_ca:
 #endif
 /*
- * Set verify modes
- * Always verify the peer certificate
+ * SSL_ctx_set_verify is now called in the session
+ * alloc functions so they can set custom behaviour
+ * depending on the code area the SSL * will be used
+ * and whether we're acting as a client or server.
 */
- verify_mode |= SSL_VERIFY_PEER;
- verify_mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
- verify_mode |= SSL_VERIFY_CLIENT_ONCE;
- SSL_CTX_set_verify(ctx, verify_mode, fr_tls_verify_cert_cb);
-
 if (conf->verify_depth) {
 SSL_CTX_set_verify_depth(ctx, conf->verify_depth);
 }
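Review bot: With the `SSL_CTX_set_verify()` call removed, this context is left at OpenSSL's default verify mode, `SSL_VERIFY_NONE`, so peer authentication now depends on every `SSL *` created from it going through a session alloc function that calls `SSL_set_verify()`. Those functions are outside this hunk, so whether all paths do that cannot be confirmed here, and any path that misses it would accept a peer without verifying its certificate. A fail-closed default could stay in place, since the per-session `SSL_set_verify()` calls still override it: `SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, fr_tls_verify_cert_cb);`. The new comment also names `SSL_ctx_set_verify`, which is not an OpenSSL function; the commit subject says `SSL_set_verify`, and the comment could add that any new caller of `SSL_new()` on this ctx must set the verify mode itself. The enclosing function starts and ends outside the hunk, so the local `verify_mode` may now be unused and worth removing.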