Skip to content

Fixed CERT_REQUIRED Not Requiring Client Verification#61

Closed
MatanRad wants to merge 1 commit intowolfSSL:masterfrom
MatanRad:bugfix/cert-required-is-optional
Closed

Fixed CERT_REQUIRED Not Requiring Client Verification#61
MatanRad wants to merge 1 commit intowolfSSL:masterfrom
MatanRad:bugfix/cert-required-is-optional

Conversation

@MatanRad
Copy link

@MatanRad MatanRad commented Dec 14, 2025

Fixed a bug where Python's CERT_REQUIRED mapped only to WOLFSSL_VERIFY_PEER instead of also including WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT.
As a result, setting verify_mode = wolfssl.CERT_REQUIRED caused wolfSSL_CTX_set_verify to be called with just WOLFSSL_VERIFY_PEER flag, making the WolfSSL server request a client certificate but still accept the connection when none was provided.

Added CERT_OPTIONAL which now takes the previous value of CERT_REQUIRED and provides the correctly functionality.
This variable was mentioned multiple times (in wrap_socket and in verify_mode's getter and setter).

@wolfSSL-Bot
Copy link

wolfSSL-Bot commented Dec 14, 2025

Can one of the admins verify this patch?

@kareem-wolfssl
Copy link
Contributor

kareem-wolfssl commented Dec 15, 2025

Thanks again for the report @MatanRad! As discussed on Zendesk, since you don't currently have a contributor agreement on file, we are treating this PR as a bug report.

I have opened a PR based on this bug report here: #62

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kareem-wolfssl kareem-wolfssl Awaiting requested review from kareem-wolfssl

Assignees

@wolfSSL-Bot wolfSSL-Bot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@MatanRad @wolfSSL-Bot @kareem-wolfssl