From 4b3a44facec7978b6b3cebbc6d3a27836c13434b Mon Sep 17 00:00:00 2001
From: Michael Stoll
Date: Mon, 3 Mar 2025 18:10:54 +0100
Subject: [PATCH] fix: Force validate when using the default crt bundle
---
 .../wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c b/components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c
index 55a76a0300..7922b9be7b 100644
--- a/components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c
+++ b/components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c
@@ -543,6 +543,7 @@ static int set_client_config(const struct tls_connection_params *cfg, tls_contex
 #ifdef CONFIG_MBEDTLS_CERTIFICATE_BUNDLE
 if (cfg->flags & TLS_CONN_USE_DEFAULT_CERT_BUNDLE) {
+ mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_REQUIRED);
 wpa_printf(MSG_INFO, "Using default cert bundle");
 if (esp_crt_bundle_attach_fn) {
 ret = (*esp_crt_bundle_attach_fn)(&tls->conf);
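Review bot: The added `mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_REQUIRED);` call carries no comment explaining why it is needed, although server-certificate verification on this path depends on it; presumably an earlier branch of set_client_config can leave the authmode weaker when no CA certificate is configured. I would add above it something like `/* Server cert must be verified against the bundle; do not rely on the authmode set earlier. */`. The visible lines also do not show what happens when `esp_crt_bundle_attach_fn` is NULL or the attach call returns non-zero. With VERIFY_REQUIRED and no trust anchor the handshake should fail closed, but it is worth confirming that this path returns an error instead of continuing, and that nothing later in the function resets the authmode. The body of set_client_config starts and ends outside the hunk.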