From 96d602ac84d856c26a9065bfccbe2b98237db271 Mon Sep 17 00:00:00 2001
From: Lee Clagett <code@leeclagett.com>
Date: Sun, 17 Mar 2019 16:11:42 -0400
Subject: [PATCH] Add `verify_fail_if_no_cert` option for proper client
 authentication

Using `verify_peer` on server side requests a certificate from the
client. If no certificate is provided, the server silently accepts the
connection and rejects if the client sends an unexpected certificate.
Adding `verify_fail_if_no_cert` has no affect on client and for server
requires that the peer sends a certificate or fails the handshake. This
is the desired behavior when the user specifies a fingerprint or CA file.
---
 contrib/epee/src/net_ssl.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/contrib/epee/src/net_ssl.cpp b/contrib/epee/src/net_ssl.cpp
index 1d137219a..a87792fb8 100644
--- a/contrib/epee/src/net_ssl.cpp
+++ b/contrib/epee/src/net_ssl.cpp
@@ -330,7 +330,7 @@ bool ssl_options_t::handshake(boost::asio::ssl::stream<boost::asio::ip::tcp::soc
     socket.set_verify_mode(boost::asio::ssl::verify_none);
   else
   {
-    socket.set_verify_mode(boost::asio::ssl::verify_peer);
+    socket.set_verify_mode(boost::asio::ssl::verify_peer | boost::asio::ssl::verify_fail_if_no_peer_cert);
     socket.set_verify_callback([&](bool preverified, boost::asio::ssl::verify_context &ctx)
     {
       // preverified means it passed system or user CA check. System CA is never loaded