From 20702cc389a83fabce446c142cd89f289fe780c6 Mon Sep 17 00:00:00 2001
From: Richard Fuchs
Date: Mon, 11 Dec 2023 09:40:21 -0500
Subject: [PATCH] MT#55283 verify "zero" DTLS cert ... instead of "current" if available
closes #1771
Change-Id: Id1b742b2446d4d59b3de251a1d1a5dcbed86834a
(cherry picked from commit 8fba68f2c977090cc901e3a4fd3d5934f32b49a1)
---
 daemon/dtls.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/daemon/dtls.c b/daemon/dtls.c
index d5ba441e53..068de37a1d 100644
--- a/daemon/dtls.c
+++ b/daemon/dtls.c
@@ -418,7 +418,13 @@ static int verify_callback(int ok, X509_STORE_CTX *store) {
 if (ps->dtls_cert)
 X509_free(ps->dtls_cert);
- ps->dtls_cert = X509_dup(X509_STORE_CTX_get_current_cert(store));
+ ps->dtls_cert = NULL;
+ X509 *cert = X509_STORE_CTX_get0_cert(store);
+ if (!cert)
+ cert = X509_STORE_CTX_get_current_cert(store);
+ if (!cert)
+ return 0;
+ ps->dtls_cert = X509_dup(cert);
 if (!media->fingerprint.hash_func)
 return 1; /* delay verification */
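Review bot: The result of `X509_dup(cert)` is stored in `ps->dtls_cert` without a check, so a failed duplication leaves the pointer NULL and the callback can still reach `return 1; /* delay verification */` when no fingerprint hash function is set yet. The new code already fails closed on a missing certificate, so the same should apply here with `if (!ps->dtls_cert) return 0;` directly after the dup. The fallback to `X509_STORE_CTX_get_current_cert(store)` also deserves a one-line comment such as `/* get0_cert unexpectedly NULL: current cert may be a chain cert, not the peer leaf */`, since in that case the stored certificate may again not be the one the fingerprint should be checked against, which is presumably what the commit sets out to avoid. The body of verify_callback continues outside the hunk, so whether the delayed-verification path tolerates a NULL `dtls_cert` cannot be confirmed from here.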