From d260a95256f26f285ab69af3041fefc9d54d76e6 Mon Sep 17 00:00:00 2001
From: SciLor
Date: Sat, 14 Sep 2024 14:13:11 +0000
Subject: [PATCH] disable CA checking, as no SubCA available
---
 src/server.c | 39 +++++++++++++++++++++++++++++----------
 1 file changed, 29 insertions(+), 10 deletions(-)
diff --git a/src/server.c b/src/server.c
index f29b2ea1..10764c5c 100644
--- a/src/server.c
+++ b/src/server.c
@@ -680,32 +680,50 @@ error_t httpServerTlsInitCallbackBase(HttpConnection *connection, TlsContext *tl
 }
 error_t httpServerTlsInitCallback(HttpConnection *connection, TlsContext *tlsContext)
 {
-    return httpServerTlsInitCallbackBase(connection, tlsContext, TLS_CLIENT_AUTH_OPTIONAL);
+    return httpServerTlsInitCallbackBase(connection, tlsContext, TLS_CLIENT_AUTH_NONE);
 }
 error_t httpServerBoxTlsInitCallback(HttpConnection *connection, TlsContext *tlsContext)
 {
-    settings_t *settings = get_settings();
+    settings_t *settings = get_settings(); // Overlay is currently unknown and settings in the context empty
     TlsClientAuthMode authMode = TLS_CLIENT_AUTH_OPTIONAL;
+    error_t error = NO_ERROR;
+    /*
     if (settings->core.boxCertAuth)
     {
         authMode = TLS_CLIENT_AUTH_REQUIRED;
     }
-    error_t error = httpServerTlsInitCallbackBase(connection, tlsContext, authMode);
+    */
+    error = httpServerTlsInitCallbackBase(connection, tlsContext, authMode);
     if (error)
         return error;
-    if (settings->core.boxCertAuth)
+    if (settings->core.boxCertAuth && 1 == 0)
     {
         // TODO add client certs and check if this works.
-        const char *trustedCaList = NULL;
-        for (uint8_t settingsId = 0; settingsId < MAX_OVERLAYS; settingsId++)
+        // CA cannot be used - the intermedia CAs are not available
+        // Doesn't work, because cyclone checks for the chain
+        uint32_t trustedCaListLen = 0;
+        for (uint8_t settingsId = 1; settingsId < MAX_OVERLAYS; settingsId++)
         {
-            if (trustedCaList != NULL && trustedCaList[0] != 0)
-                break;
-            trustedCaList = get_settings_id(settingsId)->internal.client.ca;
+            const char *cert = get_settings_id(settingsId)->internal.client.crt;
+            if (cert != NULL)
+            {
+                trustedCaListLen += osStrlen(cert);
+            }
         }
-        if (trustedCaList != NULL)
+
+        if (trustedCaListLen > 0)
         {
+            char *trustedCaList = osAllocMem(trustedCaListLen + 1);
+            trustedCaList[0] = '\0';
+            for (uint8_t settingsId = 1; settingsId < MAX_OVERLAYS; settingsId++)
+            {
+                const char *cert = get_settings_id(settingsId)->internal.client.crt;
+                if (cert != NULL)
+                {
+                    osStrcat(trustedCaList, cert);
+                }
+            }
             error = tlsSetTrustedCaList(tlsContext, trustedCaList, osStrlen(trustedCaList));
         }
         else
@@ -714,6 +732,7 @@ error_t httpServerBoxTlsInitCallback(HttpConnection *connection, TlsContext *tls
             error = ERROR_FAILURE; // TODO which error
         }
     }
+
     return error;
 }
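Review bot: The `&& 1 == 0` appended to `if (settings->core.boxCertAuth ...)` turns `boxCertAuth` into a silent no-op — the auth mode stays `TLS_CLIENT_AUTH_OPTIONAL` (the upgrade to `REQUIRED` is commented out just above it) and no trusted CA list is ever installed, so a deployment that enables the setting runs without any client-certificate verification and nothing in the log says so. If the disablement is intended, as the subject line says, make it visible: drop the `1 == 0` branch (or wrap it in `#if 0` if it is being kept as a sketch) and add above it `if (settings->core.boxCertAuth) TRACE_WARNING("boxCertAuth is set, but client certificate verification is disabled (no intermediate CA available)\r\n");`, using whichever trace macro this file already uses. Should the block be revived later, note that the `osAllocMem` result is dereferenced (`trustedCaList[0] = '\0'`) without a NULL check, that the buffer is never freed (and it is not visible from here whether `tlsSetTrustedCaList` copies the list or only keeps the pointer, which decides whether freeing is a leak fix or a use-after-free), and that concatenating `internal.client.crt` leaf certificates into a trusted-CA list will not satisfy chain validation, as the added comment itself concedes. `httpServerBoxTlsInitCallback` continues past the end of this hunk.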