From 9e9abbe8beff603fe3239a02b4f17a66469e1401 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Markus=20M=C3=A4kel=C3=A4?=
Date: Tue, 3 Dec 2019 10:14:16 +0200
Subject: [PATCH] MXS-2786: Require certificates when verifying peers

When peer verification is enabled, clients must present a certificate.
---
 server/core/listener.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/core/listener.cc b/server/core/listener.cc
index 01f47a9a7..6b81f355f 100644
--- a/server/core/listener.cc
+++ b/server/core/listener.cc
@@ -414,7 +414,7 @@ bool SSL_LISTENER_init(SSL_LISTENER* ssl)
 /* Set to require peer (client) certificate verification */
 if (ssl->ssl_verify_peer_certificate)
 {
- SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
+ SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
 }
 /* Set the verification depth */
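Review bot: The comment above the `SSL_CTX_set_verify` call is unchanged and does not record why the second flag is needed: on a listener, `SSL_VERIFY_PEER` alone only requests a client certificate and lets the handshake complete when none is sent. I would extend it to something like `/* SSL_VERIFY_PEER only requests a client certificate; SSL_VERIFY_FAIL_IF_NO_PEER_CERT aborts the handshake when none is presented */` so the flag is not dropped in a later cleanup. The diffstat shows only listener.cc changing, so no regression test covers a client that connects without a certificate while `ssl_verify_peer_certificate` is on; one should accompany this fix. Deployments that enabled the option but have certificate-less clients will presumably start seeing handshake failures, which deserves a release-note line. SSL_LISTENER_init begins and ends outside the hunk, so the rest of the context setup is not visible here.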