api: use ordinary tls with ca_file parameter

themilchenko · themilchenko · commit acf615ace200 · 2025-11-01T17:41:51.000+03:00
By default server checked server and client certificates which should do with mTLS configuration. Since it is not expected behaviour, after the patch `ca_file` configuration won't ask for client certificates authorization Closes #217
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -14,6 +14,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 - Do not recreate server if it's address and port were not changed (#219).
 - Server doesn't change after updating parameters on config reload (#216).
+- Mutual TLS with `ca_file` option enabled (#217).
 
 ## [1.8.0] - 2025-07-07
 
diff --git a/http/server.lua b/http/server.lua
@@ -1328,7 +1328,7 @@ local function create_ssl_ctx(host, port, opts)
             )
         end
 
-        sslsocket.ctx_set_verify(ctx, 0x01 + 0x02)
+        sslsocket.ctx_set_verify(ctx, 0x00)
     end
 
     if opts.ssl_ciphers ~= nil then
diff --git a/test/integration/http_tls_enabled_test.lua b/test/integration/http_tls_enabled_test.lua
@@ -96,10 +96,6 @@ local client_test_cases = {
             ssl_cert_file = fio.pathjoin(ssl_data_dir, 'server.crt'),
             ssl_ca_file = fio.pathjoin(ssl_data_dir, 'ca.crt'),
         },
-        request_opts = {
-            ssl_cert = fio.pathjoin(ssl_data_dir, 'client.crt'),
-            ssl_key = fio.pathjoin(ssl_data_dir, 'client.key'),
-        },
     },
     test_client_password_key_missing = {
         ssl_opts = {

Original file line number	Diff line number	Diff line change
`@@ -1328,7 +1328,7 @@ local function create_ssl_ctx(host, port, opts)`
`1328`	`1328`	`)`
`1329`	`1329`	`end`
`1330`	`1330`
`1331`		`- sslsocket.ctx_set_verify(ctx, 0x01 + 0x02)`
	`1331`	`+ sslsocket.ctx_set_verify(ctx, 0x00)`
`1332`	`1332`	`end`
`1333`	`1333`
`1334`	`1334`	`if opts.ssl_ciphers ~= nil then`