set ASYNC for non-certificate case, too

alandekok · alandekok · commit 27cb0b1cdc16 · 2026-03-19T04:47:20.000-04:00
diff --git a/src/lib/tls/ctx.c b/src/lib/tls/ctx.c
@@ -553,6 +553,7 @@ SSL_CTX *fr_tls_ctx_alloc(fr_tls_conf_t const *conf, bool client)
 	X509_STORE	*cert_vpstore;
 	X509_STORE	*verify_store;
 	int		ctx_options = 0;
+	int		mode= SSL_MODE_ASYNC;
 
 	ctx = SSL_CTX_new(TLS_method());
 	if (!ctx) {
@@ -656,37 +657,31 @@ SSL_CTX *fr_tls_ctx_alloc(fr_tls_conf_t const *conf, bool client)
 			goto error;
 		}
 
+		SSL_CTX_set_mode(ctx, mode);
 		goto post_ca;
 	}
 #else
 	(void) client;	/* -Wunused */
 #endif
 
 	/*
-	 *	Set mode before processing any certifictes
-	 */
-	{
-		int mode = SSL_MODE_ASYNC;
-
-		/*
-		 *	OpenSSL will automatically create certificate chains,
-		 *	unless we tell it to not do that.  The problem is that
-		 *	it sometimes gets the chains right from a certificate
-		 *	signature view, but wrong from the clients view.
-		 *
-		 *	It's better just to have users specify the complete
-		 *	chains.
+	 *	OpenSSL will automatically create certificate chains,
+	 *	unless we tell it to not do that.  The problem is that
+	 *	it sometimes gets the chains right from a certificate
+	 *	signature view, but wrong from the clients view.
+	 *
+	 *	It's better just to have users specify the complete
+	 *	chains.
 		 */
-		mode |= SSL_MODE_NO_AUTO_CHAIN;
+	mode |= SSL_MODE_NO_AUTO_CHAIN;
 
-		if (client) {
-			mode |= SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER;
-			mode |= SSL_MODE_AUTO_RETRY;
-		}
-
-		if (mode) SSL_CTX_set_mode(ctx, mode);
+	if (client) {
+		mode |= SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER;
+		mode |= SSL_MODE_AUTO_RETRY;
 	}
 
+	SSL_CTX_set_mode(ctx, mode);
+
 	/*
 	 *	Initialise a separate store for verifying user
 	 *      certificates.
