From bdc525dd6d4368f19a4c7b7807604a379c072510 Mon Sep 17 00:00:00 2001
From: Alex Lanzano
Date: Wed, 14 Jan 2026 11:30:13 -0500
Subject: [PATCH] [TLS 1.2, TLS 1.3] Fail immediately if server sends empty certificate message for TLS 1.2 and beyond

---
 src/internal.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/internal.c b/src/internal.c
index 155a64394c..4ba29aef90 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -15608,14 +15608,14 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 /* Empty certificate message. */
 if ((ssl->options.side == WOLFSSL_SERVER_END) &&
 (ssl->options.mutualAuth || (ssl->options.failNoCert &&
- IsAtLeastTLSv1_3(ssl->version)))) {
+ IsAtLeastTLSv1_2(ssl)))) {
 WOLFSSL_MSG("No peer cert from Client");
 ret = NO_PEER_CERT;
 WOLFSSL_ERROR_VERBOSE(ret);
 DoCertFatalAlert(ssl, ret);
 } else if ((ssl->options.side == WOLFSSL_CLIENT_END) &&
- IsAtLeastTLSv1_3(ssl->version)) {
+ IsAtLeastTLSv1_2(ssl)) {
 WOLFSSL_MSG("No peer cert from Server");
 ret = NO_PEER_CERT;
 WOLFSSL_ERROR_VERBOSE(ret);