From b12c2a13c08d5ad45734c2260df5de48d5945b68 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa
Date: Sat, 1 Apr 2017 13:41:41 +0900
Subject: [PATCH] nghttpx: Fail handshake if server certificate verification fails

Previously, we drop connection if server certificate verification fails after handshake. With this commit, we fail handshake if that happens.
---
 src/shrpx_ssl.cc | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/src/shrpx_ssl.cc b/src/shrpx_ssl.cc
index 698511ac..b9ce118b 100644
--- a/src/shrpx_ssl.cc
+++ b/src/shrpx_ssl.cc
@@ -962,6 +962,10 @@ SSL_CTX *create_ssl_client_context(
 }
 }
+ if (!tlsconf.insecure) {
+ SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, nullptr);
+ }
+
 if (!cert_file.empty()) {
 if (SSL_CTX_use_certificate_chain_file(ssl_ctx, cert_file.c_str()) != 1) {
@@ -1284,12 +1288,6 @@ int check_cert(SSL *ssl, const Address *addr, const StringRef &host) {
 return 0;
 }
 auto cert_deleter = defer(X509_free, cert);
- auto verify_res = SSL_get_verify_result(ssl);
- if (verify_res != X509_V_OK) {
- LOG(ERROR) << "Certificate verification failed: "
- << X509_verify_cert_error_string(verify_res);
- return -1;
- }
 if (verify_hostname(cert, host, addr) != 0) {
 LOG(ERROR) << "Certificate verification failed: hostname does not match";
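Review bot: The new `SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, nullptr)` block carries no comment tying it to the `SSL_get_verify_result` check deleted further down in the same file, so a later reader sees chain verification disappear from check_cert without seeing where it moved; I would add `// Chain verification now fails the handshake itself; check_cert only verifies the hostname.` above the `if (!tlsconf.insecure)`. Because the callback is `nullptr`, the descriptive `X509_verify_cert_error_string` message that the removed lines logged is lost, and operators will only see a generic handshake failure unless the handshake error path logs `SSL_get_verify_result(ssl)` — worth a note in the commit message or a follow-up at that site. `SSL_VERIFY_PEER` only has effect if a trust store has been loaded into `ssl_ctx`; that loading is not visible in this hunk (create_ssl_client_context starts and ends outside it), so please confirm it happens on every path where `tlsconf.insecure` is false, otherwise every client handshake fails closed.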