From ef0ab70bd278ac547032bca2a0240fc13e92962f Mon Sep 17 00:00:00 2001
From: Michael Stoll
Date: Mon, 3 Mar 2025 18:10:54 +0100
Subject: [PATCH] fix: Force validate when using the default crt bundle
---
 .../wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c b/components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c
index c1c8a9d96d..6e0bea5f64 100644
--- a/components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c
+++ b/components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c
@@ -536,6 +536,7 @@ static int set_client_config(const struct tls_connection_params *cfg, tls_contex
 #ifdef CONFIG_MBEDTLS_CERTIFICATE_BUNDLE
 if (cfg->flags & TLS_CONN_USE_DEFAULT_CERT_BUNDLE) {
+ mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_REQUIRED);
 wpa_printf(MSG_INFO, "Using default cert bundle");
 if (esp_crt_bundle_attach_fn) {
 ret = (*esp_crt_bundle_attach_fn)(&tls->conf);
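Review bot: The new `mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_REQUIRED)` call runs before the `if (esp_crt_bundle_attach_fn)` check, so when that pointer is NULL the connection requires verification with no bundle attached and, as far as this hunk shows, fails only later at handshake time with no specific log. That is the safe direction, but it deserves an explicit branch, e.g. `else { wpa_printf(MSG_ERROR, "Default cert bundle requested but no attach function registered"); }`, and a comment above the call such as `/* Fail closed: the default bundle must never be used with verification disabled or optional */`. Because the call sits inside `#ifdef CONFIG_MBEDTLS_CERTIFICATE_BUNDLE`, a caller that sets `TLS_CONN_USE_DEFAULT_CERT_BUNDLE` on a build without that option keeps whatever authmode was configured earlier; it is worth confirming that path rejects the flag rather than ignoring it. mbedtls applies the last authmode set on the config, so also check that nothing later in `set_client_config`, whose body continues outside the hunk, lowers it again.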