From 519023f202b9ccf1c1fabff515714b34e165242c Mon Sep 17 00:00:00 2001
From: aineoae86-sys
Date: Sat, 27 Jun 2026 03:37:03 +0800
Subject: [PATCH] lwip: require TLS certificate verification when CA is configured
---
 .../lwip/lwip-2.1.2/src/apps/altcp_tls/altcp_tls_mbedtls.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/components/net/lwip/lwip-2.1.2/src/apps/altcp_tls/altcp_tls_mbedtls.c b/components/net/lwip/lwip-2.1.2/src/apps/altcp_tls/altcp_tls_mbedtls.c
index d642decb54f..10dc720a5e6 100644
--- a/components/net/lwip/lwip-2.1.2/src/apps/altcp_tls/altcp_tls_mbedtls.c
+++ b/components/net/lwip/lwip-2.1.2/src/apps/altcp_tls/altcp_tls_mbedtls.c
@@ -732,7 +732,11 @@ altcp_tls_create_config(int is_server, int have_cert, int have_pkey, int have_ca
 altcp_mbedtls_free_config(conf);
 return NULL;
 }
- mbedtls_ssl_conf_authmode(&conf->conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
+ if (!is_server && have_ca) {
+ mbedtls_ssl_conf_authmode(&conf->conf, MBEDTLS_SSL_VERIFY_REQUIRED);
+ } else {
+ mbedtls_ssl_conf_authmode(&conf->conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
+ }
 mbedtls_ssl_conf_rng(&conf->conf, mbedtls_ctr_drbg_random, &conf->ctr_drbg);
 #if ALTCP_MBEDTLS_DEBUG != LWIP_DBG_OFF
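Review bot: The `else` branch still leaves a client config built without a CA (`!is_server && !have_ca`) on `MBEDTLS_SSL_VERIFY_OPTIONAL`, so that handshake completes whatever certificate the peer presents unless the verify result is checked elsewhere, which this hunk does not show. That fallback deserves a comment at the `else`, for example `/* no CA configured: peer certificate is NOT authenticated; callers must check the verify result */`, and ideally a debug message so an unauthenticated session is visible at runtime. A server config with `have_ca` set also stays on OPTIONAL, meaning a client certificate would be requested but not enforced; please confirm that is intended. `MBEDTLS_SSL_VERIFY_REQUIRED` validates the chain only: the expected server name is checked only if `mbedtls_ssl_set_hostname()` is called on the connection's context, and no such call is visible here. The body of `altcp_tls_create_config` begins and ends outside the hunk.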