From 4681854edf9370e888a8af364e9bc95edac6dbf7 Mon Sep 17 00:00:00 2001
From: koarz
Date: Thu, 6 Nov 2025 17:31:07 +0800
Subject: [PATCH 1/2] feat: support more ssl verify mode

---
 src/brpc/details/ssl_helper.cpp | 15 +++++++++++++--
 src/brpc/ssl_options.h          | 12 ++++++++++++
 2 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/src/brpc/details/ssl_helper.cpp b/src/brpc/details/ssl_helper.cpp
index d33d0ee783..f38b16d6a5 100644
--- a/src/brpc/details/ssl_helper.cpp
+++ b/src/brpc/details/ssl_helper.cpp
@@ -17,6 +17,7 @@
+#include "brpc/ssl_options.h"
 #include
 #ifndef USE_MESALINK
@@ -412,8 +413,18 @@ static int SetSSLOptions(SSL_CTX* ctx, const std::string& ciphers,
     // TODO: Verify the CNAME in certificate matches the requesting host
     if (verify.verify_depth > 0) {
-        SSL_CTX_set_verify(ctx, (SSL_VERIFY_PEER
-                                 | SSL_VERIFY_FAIL_IF_NO_PEER_CERT), NULL);
+        if (verify.verify_mode == VerifyMode::VERIFY_FAIL_IF_NO_PEER_CERT) {
+            SSL_CTX_set_verify(ctx, (SSL_VERIFY_PEER
+                                     | SSL_VERIFY_FAIL_IF_NO_PEER_CERT), NULL);
+        } else if (verify.verify_mode == VerifyMode::VERIFY_PEER) {
+            SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
+        } else if (verify.verify_mode == VerifyMode::VERIFY_NONE) {
+            SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
+        } else {
+            // for forward compatibility
+            SSL_CTX_set_verify(ctx, (SSL_VERIFY_PEER
+                                     | SSL_VERIFY_FAIL_IF_NO_PEER_CERT), NULL);
+        }
         SSL_CTX_set_verify_depth(ctx, verify.verify_depth);
         std::string cafile = verify.ca_file_path;
         if (cafile.empty()) {
diff --git a/src/brpc/ssl_options.h b/src/brpc/ssl_options.h
index bbe9ccf1c3..8ddda248a6 100644
--- a/src/brpc/ssl_options.h
+++ b/src/brpc/ssl_options.h
@@ -41,6 +41,13 @@ struct CertInfo {
     std::vector sni_filters;
 };
+enum class VerifyMode {
+    NOT_SET,
+    VERIFY_NONE,
+    VERIFY_PEER,
+    VERIFY_FAIL_IF_NO_PEER_CERT,
+};
+
 struct VerifyOptions {
     // Constructed with default options
     VerifyOptions();
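Review bot: The new `VERIFY_NONE` branch switches peer-certificate validation off entirely (with SSL_VERIFY_NONE OpenSSL completes the handshake regardless of the verification result), yet it sits inside the `verify.verify_depth > 0` path that until now meant verification was on, so the code goes on to set a verify depth and load a CA file that will never be enforced; the downgrade should be visible at runtime, e.g. `LOG(WARNING) << "verify_mode=VERIFY_NONE: peer certificate is not verified";` next to the `SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL)` call. The final `else` is the branch `NOT_SET` takes, which `// for forward compatibility` does not say; a `switch` on `verify.verify_mode` with an explicit `case VerifyMode::NOT_SET:` makes that intent readable and lets the compiler warn when an enumerator is added later. Note also that `SSL_VERIFY_PEER` and `SSL_VERIFY_FAIL_IF_NO_PEER_CERT` only differ in server mode, where the latter rejects clients that present no certificate. SetSSLOptions begins and ends outside the hunk.
```cpp
    if (verify.verify_depth > 0) {
        int mode = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
        switch (verify.verify_mode) {
        case VerifyMode::VERIFY_NONE:
            LOG(WARNING) << "verify_mode=VERIFY_NONE: peer certificate is not verified";
            mode = SSL_VERIFY_NONE;
            break;
        case VerifyMode::VERIFY_PEER:
            mode = SSL_VERIFY_PEER;
            break;
        case VerifyMode::NOT_SET:
        case VerifyMode::VERIFY_FAIL_IF_NO_PEER_CERT:
            // Keep the historical strict default.
            break;
        }
        SSL_CTX_set_verify(ctx, mode, NULL);
        // … unchanged: SSL_CTX_set_verify_depth and CA file loading …
```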
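Review bot: The `VerifyMode` enumerators are introduced without a word on what each one does, and the only description, the `verify_mode` comment in the next hunk of this file, explains `VERIFY_FAIL_IF_NO_PEER_CERT` alone. Each enumerator should name the OpenSSL flag it selects in SetSSLOptions and what that means for the peer: `VERIFY_NONE` means the peer's certificate is not checked at all (the handshake succeeds with any certificate or none), `VERIFY_PEER` validates a presented certificate but on a server still accepts a client that presents none, `VERIFY_FAIL_IF_NO_PEER_CERT` additionally rejects such clients, and `NOT_SET` currently falls back to the strict `SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT` behaviour. The same gap applies to the `verify_mode` field comment in the `@@ -50,6 +57,11 @@` hunk, which should also state that the option is only consulted when `verify_depth > 0`.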
@@ -50,6 +57,11 @@ struct VerifyOptions {
     // Default: 0
     int verify_depth;
+    // Set ssl verify mode for openssl
+    // If VERIFY_FAIL_IF_NO_PEER_CERT, it will set `SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_PEER`
+    // Default: NOT_SET
+    VerifyMode verify_mode;
+
     // Set the trusted CA file to verify the peer's certificate
     // If empty, use the system default CA files
     // Default: ""

From 603967115ad8535a4ed7909fdaf2e5f76578125b Mon Sep 17 00:00:00 2001
From: koarz
Date: Wed, 3 Dec 2025 10:45:26 +0800
Subject: [PATCH 2/2] 1

---
 src/brpc/ssl_options.cpp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/brpc/ssl_options.cpp b/src/brpc/ssl_options.cpp
index e3b8f5b184..748749ae82 100644
--- a/src/brpc/ssl_options.cpp
+++ b/src/brpc/ssl_options.cpp
@@ -20,7 +20,10 @@
 namespace brpc {
-VerifyOptions::VerifyOptions() : verify_depth(0) {}
+VerifyOptions::VerifyOptions()
+    : verify_depth(0)
+    , verify_mode(VerifyMode::NOT_SET)
+{}
 ChannelSSLOptions::ChannelSSLOptions()
     : ciphers("DEFAULT")