err_str = X509_verify_cert_error_string(err);
#ifdef CONFIG_SHA256
- if (depth == 0 && conn->server_cert_only) {
- if (depth == 0 && conn->server_cert_cb) {
+ if (depth == 0) {
+ if (conn->server_cert_cb) {
preverify_ok = conn->server_cert_cb(preverify_ok, err_cert, conn->server_cert_ctx);
wpa_printf(MSG_DEBUG, "TLS: tls_verify_cb: server_cert_cb returned %d", preverify_ok);
}
- else {
+ if (conn->server_cert_only) {
/*
* Do not require preverify_ok so we can explicity allow otherwise
* invalid pinned server certificates.