From 43556537e38a0a5ab683fbe829ac6b4b4206877b Mon Sep 17 00:00:00 2001
From: "Roger A. Light"
Date: Tue, 7 Oct 2014 23:20:46 +0100
Subject: [PATCH] Don't ask for client cert when require_certificate is false.
---
 ChangeLog.txt | 3 +++
 src/net.c | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/ChangeLog.txt b/ChangeLog.txt
index b16d8595..e7bfd836 100644
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -43,6 +43,9 @@ Broker:
 - Add support for use_username_as_clientid which can be used with authentication to restrict ownership of client ids and hence prevent one client disconnecting another by using the same client id.
+- When "require_certificate" was false, the broker was incorrectly asking for
+ a certificate (but not checking it). This caused problems with some clients
+ and has been fixed so the broker no longer asks.
 Clients:
 - Both clients can now load default configuration options from a file.
diff --git a/src/net.c b/src/net.c
index 2c9c3e93..d7527571 100644
--- a/src/net.c
+++ b/src/net.c
@@ -425,7 +425,7 @@ int mqtt3_socket_listen(struct _mqtt3_listener *listener)
 if(listener->require_certificate){
 SSL_CTX_set_verify(listener->ssl_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, client_certificate_verify);
 }else{
- SSL_CTX_set_verify(listener->ssl_ctx, SSL_VERIFY_PEER, client_certificate_verify);
+ SSL_CTX_set_verify(listener->ssl_ctx, SSL_VERIFY_NONE, client_certificate_verify);
 }
 rc = SSL_CTX_use_certificate_chain_file(listener->ssl_ctx, listener->certfile);
 if(rc != 1){
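Review bot: In the `else` branch of the src/net.c hunk the listener is now set to `SSL_VERIFY_NONE` but still passes `client_certificate_verify`; a server in that mode sends no certificate request, so the callback should never run for this listener and the argument reads as if some check still happens. Passing `NULL` states the intent: `SSL_CTX_set_verify(listener->ssl_ctx, SSL_VERIFY_NONE, NULL);`. The branch also deserves a comment, because a client that does hold a certificate is no longer asked for it and so gets no TLS-level identity on this listener: `/* require_certificate false: no client cert is requested, so client authentication must come from username/password or ACLs. */`. Any option that derives the username from the client certificate presumably cannot work on such a listener, which is worth rejecting or warning about when the configuration is loaded. mqtt3_socket_listen begins and ends outside the hunk, so the rest of the TLS setup is not visible here.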