From b0e5c4aa1b0806f25c16199b921a0b75c8e70ffe Mon Sep 17 00:00:00 2001
From: Zhi Guan
Date: Wed, 17 Jun 2026 16:42:29 +0800
Subject: [PATCH] Add client_cert_optional to tlcp/tls12
---
 CMakeLists.txt | 2 +-
 include/gmssl/tls.h | 2 +-
 include/gmssl/version.h | 2 +-
 src/tls.c | 10 ++++++++++
 src/tls13.c | 10 ----------
 tools/tlcp_client.c | 7 +++++++
 tools/tls12_client.c | 7 +++++++
 tools/tls12_server.c | 2 +-
 tools/tls13_client.c | 2 +-
 tools/tls13_server.c | 2 +-
 10 files changed, 30 insertions(+), 16 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 53b66043..2583d5cb 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -819,7 +819,7 @@ endif()
 #
 set(CPACK_PACKAGE_NAME "GmSSL")
 set(CPACK_PACKAGE_VENDOR "GmSSL develop team")
-set(CPACK_PACKAGE_VERSION "3.2.0-dev.1083")
+set(CPACK_PACKAGE_VERSION "3.2.0-dev.1084")
 set(CPACK_PACKAGE_DESCRIPTION_FILE ${PROJECT_SOURCE_DIR}/README.md)
 set(CPACK_NSIS_MODIFY_PATH ON)
 include(CPack)
diff --git a/include/gmssl/tls.h b/include/gmssl/tls.h
index 7f63e219..e04b1055 100644
--- a/include/gmssl/tls.h
+++ b/include/gmssl/tls.h
@@ -1441,7 +1441,7 @@ int tls13_record_get_handshake_certificate_request(const uint8_t *record, const uint8_t **exts, size_t *exts_len);
 int tls13_certificate_request_print(FILE *fp, int fmt, int ind, const uint8_t *d, size_t dlen);
-int tls13_ctx_enable_client_certificate_optional(TLS_CTX *ctx, int enable);
+int tls_ctx_enable_client_certificate_optional(TLS_CTX *ctx, int enable);
 // EndOfEarlyData
diff --git a/include/gmssl/version.h b/include/gmssl/version.h
index 766cc82d..dfd026b6 100644
--- a/include/gmssl/version.h
+++ b/include/gmssl/version.h
@@ -18,7 +18,7 @@ extern "C" {
 #define GMSSL_VERSION_NUM 30200
-#define GMSSL_VERSION_STR "GmSSL 3.2.0-dev.1083"
+#define GMSSL_VERSION_STR "GmSSL 3.2.0-dev.1084"
 int gmssl_version_num(void);
 const char *gmssl_version_str(void);
diff --git a/src/tls.c b/src/tls.c
index f5b209f4..78240bc3 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -3015,6 +3015,16 @@ int tls_ctx_set_key_update_seq_num_limit(TLS_CTX *ctx, size_t max_seq_num)
 return 1;
 }
+int tls_ctx_enable_client_certificate_optional(TLS_CTX *ctx, int enable)
+{
+ if (!ctx) {
+ error_print();
+ return -1;
+ }
+ ctx->client_certificate_optional = enable ? 1 : 0;
+ return 1;
+}
+
 static int tls_ctx_get_certificate_chain(const TLS_CTX *ctx, size_t idx, const uint8_t **cert_chain, size_t *cert_chain_len)
 {
diff --git a/src/tls13.c b/src/tls13.c
index 912512fa..fe1289a4 100644
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -3447,16 +3447,6 @@ int tls13_certificate_request_print(FILE *fp, int fmt, int ind, const uint8_t *d
 return 1;
 }
-int tls13_ctx_enable_client_certificate_optional(TLS_CTX *ctx, int enable)
-{
- if (!ctx) {
- error_print();
- return -1;
- }
- ctx->client_certificate_optional = enable ? 1 : 0;
- return 1;
-}
-
 /* CertificateVerify
diff --git a/tools/tlcp_client.c b/tools/tlcp_client.c
index f92c2ff2..10b2b5fe 100644
--- a/tools/tlcp_client.c
+++ b/tools/tlcp_client.c
@@ -401,6 +401,13 @@ bad:
 }
 }
+ if (client_cert_optional) {
+ if (tls_ctx_enable_client_certificate_optional(&ctx, 1) != 1) {
+ error_print();
+ goto end;
+ }
+ }
+
 if (alpn_protocols_cnt) {
 if (tls_ctx_set_application_layer_protocol_negotiation(&ctx, alpn_protocols, alpn_protocols_cnt) != 1) {
diff --git a/tools/tls12_client.c b/tools/tls12_client.c
index 99584146..22a592a1 100644
--- a/tools/tls12_client.c
+++ b/tools/tls12_client.c
@@ -386,6 +386,13 @@ bad:
 }
 }
+ if (client_cert_optional) {
+ if (tls_ctx_enable_client_certificate_optional(&ctx, 1) != 1) {
+ error_print();
+ goto end;
+ }
+ }
+
 if (cacertfile) {
 if (tls_ctx_set_ca_certificates(&ctx, cacertfile, verify_depth) != 1) {
 fprintf(stderr, "%s: failed to load CA certificate\n", prog);
diff --git a/tools/tls12_server.c b/tools/tls12_server.c
index 324dfce9..788fbf71 100644
--- a/tools/tls12_server.c
+++ b/tools/tls12_server.c
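Review bot: The setter `tls_ctx_enable_client_certificate_optional()` added to src/tls.c carries no comment saying what the flag relaxes, and moving it out of the TLS 1.3 namespace makes it the knob for TLCP and TLS 1.2 contexts as well. I would put a short header comment on it, e.g. `/* enable=1: a peer that sends no client certificate does not fail the handshake; the caller must check for a peer certificate before treating the session as authenticated */`; that reading is inferred from the field name, since the handshake code that consumes `client_certificate_optional` is not in this diff, so please confirm it. Separately, the old name `tls13_ctx_enable_client_certificate_optional` disappears from include/gmssl/tls.h with no alias, so out-of-tree callers stop linking; a compatibility line such as `#define tls13_ctx_enable_client_certificate_optional tls_ctx_enable_client_certificate_optional` would avoid that.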
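Review bot: The blocks added to tools/tlcp_client.c and tools/tls12_client.c (the same code in both hunks) set `client_certificate_optional` on a client context, but the diffstat shows no change to the TLCP or TLS 1.2 handshake sources, so from this patch alone it is not visible that those client handshakes read the flag; if they do not, the option is accepted and silently ignored. It would be worth confirming that, and adding the `// CertificateRequest` marker that the equivalent block in tools/tls13_client.c carries, plus a line on what the option means for a client. The failure branch also prints only `error_print();`, whereas the neighbouring CA-certificate check in tls12_client.c reports `fprintf(stderr, "%s: failed to load CA certificate\n", prog);`, so a message naming the option would be consistent. Both blocks sit inside a function whose start and end are outside the hunks.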
@@ -354,7 +354,7 @@ bad:
 goto end;
 }
 if (client_cert_optional) {
- if (tls13_ctx_enable_client_certificate_optional(&ctx, 1) != 1) {
+ if (tls_ctx_enable_client_certificate_optional(&ctx, 1) != 1) {
 error_print();
 goto end;
 }
diff --git a/tools/tls13_client.c b/tools/tls13_client.c
index 13af7c68..969756bf 100644
--- a/tools/tls13_client.c
+++ b/tools/tls13_client.c
@@ -600,7 +600,7 @@ bad:
 // CertificateRequest
 if (client_cert_optional) {
- if (tls13_ctx_enable_client_certificate_optional(&ctx, 1) != 1) {
+ if (tls_ctx_enable_client_certificate_optional(&ctx, 1) != 1) {
 error_print();
 goto end;
 }
diff --git a/tools/tls13_server.c b/tools/tls13_server.c
index d0fea6d0..ac82bef6 100644
--- a/tools/tls13_server.c
+++ b/tools/tls13_server.c
@@ -418,7 +418,7 @@ bad:
 goto end;
 }
 if (client_cert_optional) {
- if (tls13_ctx_enable_client_certificate_optional(&ctx, 1) != 1) {
+ if (tls_ctx_enable_client_certificate_optional(&ctx, 1) != 1) {
 error_print();
 goto end;
 }