Set SSL_VERIFY_FAIL_IF_NO_PEER_CERT. (#107)

Motivation:

When server users turn on certificate verification, they usually expect
that they'll actually require the certificate from their peer. Sadly,
this is not the BoringSSL default behaviour.

Modifications:

Set `SSL_VERIFY_FAIL_IF_NO_PEER_CERT` when requesting certificate
validation.

Result:

Better certificate validation.

Author: Lukasa

Sources/NIOSSL/SSLContext.swift

@@ -345,7 +345,7 @@ extension NIOSSLContext {
         // If validation is turned on, set the trust roots and turn on cert validation.
         switch verification {
         case .fullVerification, .noHostnameVerification:
-            CNIOBoringSSL_SSL_CTX_set_verify(context, SSL_VERIFY_PEER, nil)
+            CNIOBoringSSL_SSL_CTX_set_verify(context, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nil)
 
             switch trustRoots {
             case .some(.default), .none:

Tests/NIOSSLTests/TLSConfigurationTest+XCTest.swift

@@ -32,6 +32,8 @@ extension TLSConfigurationTest {
                 ("testServerCannotValidateClientPreTLS13", testServerCannotValidateClientPreTLS13),
                 ("testServerCannotValidateClientPostTLS13", testServerCannotValidateClientPostTLS13),
                 ("testMutualValidation", testMutualValidation),
+                ("testMutualValidationRequiresClientCertificatePreTLS13", testMutualValidationRequiresClientCertificatePreTLS13),
+                ("testMutualValidationRequiresClientCertificatePostTLS13", testMutualValidationRequiresClientCertificatePostTLS13),
                 ("testNonexistentFileObject", testNonexistentFileObject),
                 ("testComputedApplicationProtocols", testComputedApplicationProtocols),
            ]

Tests/NIOSSLTests/TLSConfigurationTest.swift

@@ -246,6 +246,28 @@ class TLSConfigurationTest: XCTestCase {
         try flushFuture.wait()
     }
 
+    func testMutualValidationRequiresClientCertificatePreTLS13() throws {
+        let clientConfig = TLSConfiguration.forClient(maximumTLSVersion: .tlsv12, certificateVerification: .none)
+        let serverConfig = TLSConfiguration.forServer(certificateChain: [.certificate(TLSConfigurationTest.cert1)],
+                                                      privateKey: .privateKey(TLSConfigurationTest.key1),
+                                                      maximumTLSVersion: .tlsv12,
+                                                      certificateVerification: .noHostnameVerification,
+                                                      trustRoots: .certificates([TLSConfigurationTest.cert2]))
+
+        try assertHandshakeError(withClientConfig: clientConfig, andServerConfig: serverConfig, errorTextContainsAnyOf: ["ALERT_HANDSHAKE_FAILURE"])
+    }
+
+    func testMutualValidationRequiresClientCertificatePostTLS13() throws {
+        let clientConfig = TLSConfiguration.forClient(minimumTLSVersion: .tlsv13, certificateVerification: .none)
+        let serverConfig = TLSConfiguration.forServer(certificateChain: [.certificate(TLSConfigurationTest.cert1)],
+                                                      privateKey: .privateKey(TLSConfigurationTest.key1),
+                                                      minimumTLSVersion: .tlsv13,
+                                                      certificateVerification: .noHostnameVerification,
+                                                      trustRoots: .certificates([TLSConfigurationTest.cert2]))
+
+        try assertPostHandshakeError(withClientConfig: clientConfig, andServerConfig: serverConfig, errorTextContainsAnyOf: ["CERTIFICATE_REQUIRED"])
+    }
+
     func testNonexistentFileObject() throws {
         let clientConfig = TLSConfiguration.forClient(trustRoots: .file("/thispathbetternotexist/bogus.foo"))