From 56974c099e686e8acce617ce933ba6d9c3444cd8 Mon Sep 17 00:00:00 2001
From: David Garske
Date: Mon, 6 Aug 2018 10:44:56 -0700
Subject: [PATCH] Improved the logic for `WOLFSSL_ALWAYS_VERIFY_CB` to be more explicit and updated comments.
---
 src/internal.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/internal.c b/src/internal.c
index 7a197882e..2b916b142 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -8390,13 +8390,13 @@ static int DoVerifyCallback(WOLFSSL* ssl, int ret, ProcPeerCertArgs* args)
 }
 }
 #ifdef WOLFSSL_ALWAYS_VERIFY_CB
- /* use verify callback for success on peer leaf cert (not just failure) */
- if (args->certIdx == 0 && ret == 0) {
+ /* always use verify callback on peer leaf cert */
+ if (args->certIdx == 0) {
 use_cb = 1;
 }
 #endif
 #ifdef WOLFSSL_VERIFY_CB_ALL_CERTS
- /* only perform verify callback if not peer leaf cert at index 0 */
+ /* perform verify callback on other intermediate certs (not just peer) */
 if (args->certIdx > 0) {
 use_cb = 1;
 }
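Review bot: The new comment in the `WOLFSSL_ALWAYS_VERIFY_CB` block does not say that, with `ret == 0` dropped from the condition, the leaf-cert callback is now requested for every value of `ret`, failures included. The start of DoVerifyCallback is outside this hunk, so I cannot tell whether every failure path already set `use_cb`; if some did not, this is a behaviour change rather than a clarification. Presumably the callback's return value can override `ret` (confirm against the rest of the function), in which case a callback that returns success unconditionally would mask a failed leaf verification. I would make the contract explicit, e.g. `/* always call verify callback on peer leaf cert (success and failure); the callback must check the error it is passed */`. The second comment's "other intermediate certs" is also loose, since `certIdx > 0` matches every non-leaf certificate in the chain; `/* also perform verify callback on non-leaf certs (certIdx > 0) */` would match the condition.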