Set authmode to optional, if not set Set authmode to `MBEDTLS_SSL_VERIFY_REQUIRED` when using dtls-srtp, in case authmode was not set. This is to support self signed certificates received by the server, which is the case with webRTC. Certificate fingerprints are verified outside the dtls stack, as defined in RFC 5763. Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>

commit: 1c399bdffe2054b8b0ad9729f9e218f8eb469492 [log] [tgz]
author: Ron Eldor <Ron.Eldor@arm.com> Wed Jul 04 18:45:27 2018 +0300
committer: Johan Pascal <johan.pascal@belledonne-communications.com> Thu Oct 29 01:14:49 2020 +0100
tree: 7acd642bc1bdfde1f67d051ff37b700f80bc8c6c
parent: 12c6eaddd505919160852d98291d3d4f390b7479 [diff] [blame]
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 82baeca..0054964 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c

@@ -3021,9 +3021,9 @@
     else
 #endif
 #if defined(MBEDTLS_SSL_DTLS_SRTP)
-    /* check if we have a chosen srtp protection profile */
-    if ( ssl->dtls_srtp_info.chosen_dtls_srtp_profile != MBEDTLS_SRTP_UNSET_PROFILE ) {
-        authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
+    /* check if we have a chosen srtp protection profile, force verify mode to be at least OPTIONAL */
+    if ( ( ssl->dtls_srtp_info.chosen_dtls_srtp_profile != MBEDTLS_SRTP_UNSET_PROFILE ) && ( ssl->conf->authmode == MBEDTLS_SSL_VERIFY_NONE ) ) {
+        authmode = MBEDTLS_SSL_VERIFY_OPTIONAL;
     }
         else
 #endif
commit	1c399bdffe2054b8b0ad9729f9e218f8eb469492	[log] [tgz]
author	Ron Eldor <Ron.Eldor@arm.com>	Wed Jul 04 18:45:27 2018 +0300
committer	Johan Pascal <johan.pascal@belledonne-communications.com>	Thu Oct 29 01:14:49 2020 +0100
tree	7acd642bc1bdfde1f67d051ff37b700f80bc8c6c
parent	12c6eaddd505919160852d98291d3d4f390b7479 [diff] [blame]