@@ -47,10 +47,10 @@ tcp_to_tls(TCPSocket, Options) ->
4747 % and outgoing pools use Erlang SSL directly
4848 % Do not set `fail_if_no_peer_cert_opt` for SSL client
4949 % as it is a server only option.
50- {Ref , SSLOpts } = format_opts_with_ref (Options , false ),
50+ {Ref , SSLOpts } = format_opts_with_ref (Options , client ),
5151 {Ref , ssl :connect (TCPSocket , SSLOpts )};
5252 #{} ->
53- {Ref , SSLOpts } = format_opts_with_ref (Options , fail_if_no_peer_cert ),
53+ {Ref , SSLOpts } = format_opts_with_ref (Options , server ),
5454 {Ref , ssl :handshake (TCPSocket , SSLOpts , 5000 )}
5555 end ,
5656 VerifyResults = receive_verify_results (Ref1 ),
@@ -108,45 +108,45 @@ close(#tls_socket{ssl_socket = SSLSocket}) ->
108108% % The `disconnect_on_failure' option is expected to be unset or true
109109-spec make_ssl_opts (mongoose_tls :options ()) -> [ssl :tls_option ()].
110110make_ssl_opts (#{verify_mode := Mode } = Opts ) ->
111- SslOpts = format_opts (Opts , false ),
111+ SslOpts = format_opts (Opts , client ),
112112 [{verify_fun , verify_fun (Mode )} | SslOpts ].
113113
114114% % @doc Prepare SSL options for direct use of ssl:handshake/2 (server side)
115115% % The `disconnect_on_failure' option is expected to be unset or true
116116-spec make_cowboy_ssl_opts (mongoose_tls :options ()) -> [ssl :tls_option ()].
117117make_cowboy_ssl_opts (#{verify_mode := Mode } = Opts ) ->
118- SslOpts = format_opts (Opts , fail_if_no_peer_cert ),
118+ SslOpts = format_opts (Opts , server ),
119119 [{verify_fun , verify_fun (Mode )} | SslOpts ].
120120
121121% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
122122% % local functions
123123% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
124124
125- format_opts_with_ref (Opts , FailIfNoPeerCert ) ->
126- SslOpts0 = format_opts (Opts , FailIfNoPeerCert ),
125+ format_opts_with_ref (Opts , ClientOrServer ) ->
126+ SslOpts0 = format_opts (Opts , ClientOrServer ),
127127 {Ref , VerifyFun } = verify_fun_opt (Opts ),
128128 SslOpts = [{verify_fun , VerifyFun } | SslOpts0 ],
129129 {Ref , SslOpts }.
130130
131- format_opts (Opts , FailIfNoPeerCert ) ->
131+ format_opts (Opts , ClientOrServer ) ->
132132 SslOpts0 = maps :to_list (maps :with (ssl_option_keys (), Opts )),
133- SslOpts1 = sni_opts (SslOpts0 , Opts ),
134- SslOpts2 = verify_opts (SslOpts1 , Opts ),
135- SslOpts3 = hibernate_opts (SslOpts2 , Opts ),
136- fail_if_no_peer_cert_opts (SslOpts3 , Opts , FailIfNoPeerCert ).
133+ SslOpts1 = verify_opts (SslOpts0 , Opts ),
134+ SslOpts2 = hibernate_opts (SslOpts1 , Opts ),
135+ case ClientOrServer of
136+ client -> sni_opts (SslOpts2 , Opts );
137+ server -> fail_if_no_peer_cert_opts (SslOpts2 , Opts )
138+ end .
137139
138140ssl_option_keys () ->
139141 [certfile , cacertfile , ciphers , keyfile , password , versions , dhfile ].
140142
141143% % accept empty peer certificate if explicitly requested not to fail
142- fail_if_no_peer_cert_opts (Opts , #{}, false ) ->
143- [{fail_if_no_peer_cert , false } | Opts ];
144- fail_if_no_peer_cert_opts (Opts , #{disconnect_on_failure := false }, _ ) ->
144+ fail_if_no_peer_cert_opts (Opts , #{disconnect_on_failure := false }) ->
145145 [{fail_if_no_peer_cert , false } | Opts ];
146- fail_if_no_peer_cert_opts (Opts , #{verify_mode := Mode }, _ )
146+ fail_if_no_peer_cert_opts (Opts , #{verify_mode := Mode })
147147 when Mode =:= peer ; Mode =:= selfsigned_peer ->
148148 [{fail_if_no_peer_cert , true } | Opts ];
149- fail_if_no_peer_cert_opts (Opts , #{}, _ ) ->
149+ fail_if_no_peer_cert_opts (Opts , #{}) ->
150150 [{fail_if_no_peer_cert , false } | Opts ].
151151
152152hibernate_opts (Opts , #{hibernate_after := Timeout }) ->
0 commit comments