Diffstat (limited to 'src/stls')
-rw-r--r--src/stls/stls-internal.h1
-rw-r--r--src/stls/stls_clean_tls_and_spawn.c1
-rw-r--r--src/stls/stls_run.c1
-rw-r--r--src/stls/stls_s6tlsc.c1
-rw-r--r--src/stls/stls_s6tlsd.c37
5 files changed, 26 insertions, 15 deletions
diff --git a/src/stls/stls-internal.h b/src/stls/stls-internal.h
index 85fc825..48a119e 100644
--- a/src/stls/stls-internal.h
+++ b/src/stls/stls-internal.h
@@ -4,6 +4,7 @@
#define STLS_INTERNAL_H
#include <sys/types.h>
+#include <stdint.h>
extern pid_t stls_clean_tls_and_spawn (char const *const *, char const *const *, int *, uint32_t) ;
diff --git a/src/stls/stls_clean_tls_and_spawn.c b/src/stls/stls_clean_tls_and_spawn.c
index 37ea619..b7ee911 100644
--- a/src/stls/stls_clean_tls_and_spawn.c
+++ b/src/stls/stls_clean_tls_and_spawn.c
@@ -1,6 +1,7 @@
/* ISC license. */
#include <sys/types.h>
+#include <stdint.h>
#include <skalibs/env.h>
#include <skalibs/djbunix.h>
#include "stls-internal.h"
diff --git a/src/stls/stls_run.c b/src/stls/stls_run.c
index 86e0faa..0ba10b0 100644
--- a/src/stls/stls_run.c
+++ b/src/stls/stls_run.c
@@ -2,6 +2,7 @@
#include <skalibs/nonposix.h>
#include <sys/types.h>
+#include <stdint.h>
#include <sys/socket.h>
#include <errno.h>
#include <signal.h>
diff --git a/src/stls/stls_s6tlsc.c b/src/stls/stls_s6tlsc.c
index 9c30b60..001953d 100644
--- a/src/stls/stls_s6tlsc.c
+++ b/src/stls/stls_s6tlsc.c
@@ -1,6 +1,7 @@
/* ISC license. */
#include <sys/types.h>
+#include <stdint.h>
#include <unistd.h>
#include <errno.h>
#include <tls.h>
diff --git a/src/stls/stls_s6tlsd.c b/src/stls/stls_s6tlsd.c
index 0e82ab0..4b04560 100644
--- a/src/stls/stls_s6tlsd.c
+++ b/src/stls/stls_s6tlsd.c
@@ -1,6 +1,7 @@
/* ISC license. */
#include <sys/types.h>
+#include <stdint.h>
#include <unistd.h>
#include <errno.h>
#include <tls.h>
@@ -27,20 +28,6 @@ int stls_s6tlsd (char const *const *argv, char const *const *envp, tain_t const
cfg = tls_config_new() ;
if (!cfg) strerr_diefu1sys(111, "tls_config_new") ;
- x = env_get2(envp, "CAFILE") ;
- if (x)
- {
- if (tls_config_set_ca_file(cfg, x) < 0)
- diecfg(cfg, "tls_config_set_ca_file") ;
- }
-
- x = env_get2(envp, "CADIR") ;
- if (x)
- {
- if (tls_config_set_ca_path(cfg, x) < 0)
- diecfg(cfg, "tls_config_set_ca_path") ;
- }
-
x = env_get2(envp, "CERTFILE") ;
if (!x) strerr_dienotset(100, "CERTFILE") ;
if (tls_config_set_cert_file(cfg, x) < 0)
@@ -60,7 +47,27 @@ int stls_s6tlsd (char const *const *argv, char const *const *envp, tain_t const
if (tls_config_set_ecdhecurve(cfg, "auto") < 0)
diecfg(cfg, "tls_config_set_ecdhecurve") ;
- if (preoptions & 1) tls_config_verify_client(cfg) ;
+ if (preoptions & 1)
+ {
+ x = env_get2(envp, "CADIR") ;
+ if (x)
+ {
+ if (tls_config_set_ca_path(cfg, x) < 0)
+ diecfg(cfg, "tls_config_set_ca_path") ;
+ }
+ else
+ {
+ x = env_get2(envp, "CAFILE") ;
+ if (x)
+ {
+ if (tls_config_set_ca_file(cfg, x) < 0)
+ diecfg(cfg, "tls_config_set_ca_file") ;
+ }
+ else strerr_dienotset(100, "CADIR or CAFILE") ;
+ }
+ if (preoptions & 4) tls_config_verify_client(cfg) ;
+ else tls_config_verify_client_optional(cfg) ;
+ }
else tls_config_insecure_noverifycert(cfg) ;
tls_config_set_protocols(cfg, TLS_PROTOCOLS_DEFAULT) ;
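Review bot: The `else tls_config_verify_client_optional(cfg) ;` branch lets a client that presents no certificate complete the handshake whenever `preoptions & 1` is set and `preoptions & 4` is clear. Nothing in this hunk shows whether later code tells the two cases apart, so whatever consumes the session should check `tls_peer_cert_provided()` before treating the peer as authenticated. The bare `1` and `4` masks would be easier to audit with a comment such as `/* mask 1: verify client certificates against CADIR/CAFILE; mask 4: reject clients that send none */`. When both CADIR and CAFILE are set, CAFILE is now silently ignored, whereas the removed code applied both, so operators who set both would benefit from a warning or a documented precedence. stls_s6tlsd starts and ends outside the hunk.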