Added context creation parameter for CA certificates file.

lib/libwebsockets.c

@@ -2484,6 +2484,7 @@ OpenSSL_verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
  *			server cert from, otherwise NULL for unencrypted
  * @ssl_private_key_filepath: filepath to private key if wanting SSL mode,
  *			else ignored
+ * @ssl_ca_filepath: CA certificate filepath or NULL
  * @gid:	group id to change to after setting listen socket, or -1.
  * @uid:	user id to change to after setting listen socket, or -1.
  * @options:	0, or LWS_SERVER_OPTION_DEFEAT_CLIENT_MASK
@@ -2522,8 +2523,9 @@ libwebsocket_create_context(int port, const char *interf,
 			       struct libwebsocket_extension *extensions,
 			       const char *ssl_cert_filepath,
 			       const char *ssl_private_key_filepath,
+			       const char *ssl_ca_filepath,
 			       int gid, int uid, unsigned int options,
-                   void *user)
+			       void *user)
 {
 	int n;
 	int m;
@@ -2743,15 +2745,23 @@ libwebsocket_create_context(int port, const char *interf,
 		}
 
 		/* openssl init for cert verification (for client sockets) */
-
-		if (!SSL_CTX_load_verify_locations(
-					context->ssl_client_ctx, NULL,
-						      LWS_OPENSSL_CLIENT_CERTS))
-			fprintf(stderr,
-			    "Unable to load SSL Client certs from %s "
-			    "(set by --with-client-cert-dir= in configure) -- "
-				" client ssl isn't going to work",
-						      LWS_OPENSSL_CLIENT_CERTS);
+		if (!ssl_ca_filepath) {
+			if (!SSL_CTX_load_verify_locations(
+				context->ssl_client_ctx, NULL,
+						     LWS_OPENSSL_CLIENT_CERTS))
+				fprintf(stderr,
+					"Unable to load SSL Client certs from %s "
+					"(set by --with-client-cert-dir= in configure) -- "
+					" client ssl isn't going to work",
+						     LWS_OPENSSL_CLIENT_CERTS);
+		} else
+			if (!SSL_CTX_load_verify_locations(
+				context->ssl_client_ctx, ssl_ca_filepath,
+								  NULL))
+				fprintf(stderr,
+					"Unable to load SSL Client certs "
+					"file from %s -- client ssl isn't "
+					"going to work", ssl_ca_filepath);
 
 		/*
 		 * callback allowing user code to load extra verification certs

lib/libwebsockets.h

@@ -646,7 +646,9 @@ libwebsocket_create_context(int port, const char * interf,
 		  struct libwebsocket_protocols *protocols,
 		  struct libwebsocket_extension *extensions,
 		  const char *ssl_cert_filepath,
-		  const char *ssl_private_key_filepath, int gid, int uid,
+		  const char *ssl_private_key_filepath,
+		  const char *ssl_ca_filepath,
+		  int gid, int uid,
 		  unsigned int options, void *user);
 
 LWS_EXTERN void

libwebsockets-api-doc.html

@@ -224,6 +224,7 @@ has been created.
 <i>struct libwebsocket_extension *</i> <b>extensions</b>,
 <i>const char *</i> <b>ssl_cert_filepath</b>,
 <i>const char *</i> <b>ssl_private_key_filepath</b>,
+<i>const char *</i> <b>ssl_ca_filepath</b>,
 <i>int</i> <b>gid</b>,
 <i>int</i> <b>uid</b>,
 <i>unsigned int</i> <b>options</b>,
@@ -252,6 +253,9 @@ server cert from, otherwise NULL for unencrypted
 <dt><b>ssl_private_key_filepath</b>
 <dd>filepath to private key if wanting SSL mode,
 else ignored
+<dt><b>ssl_ca_filepath</b>
+<dd>filepath to CA certificates file if wanting SSL mode,
+else ignored
 <dt><b>gid</b>
 <dd>group id to change to after setting listen socket, or -1.
 <dt><b>uid</b>

test-server/test-client.c

@@ -258,7 +258,7 @@ int main(int argc, char **argv)
 
 	context = libwebsocket_create_context(CONTEXT_PORT_NO_LISTEN, NULL,
 				protocols, libwebsocket_internal_extensions,
-							 NULL, NULL, -1, -1, 0, NULL);
+				NULL, NULL, NULL, -1, -1, 0, NULL);
 	if (context == NULL) {
 		fprintf(stderr, "Creating libwebsocket context failed\n");
 		return 1;

test-server/test-fraggle.c

@@ -301,7 +301,7 @@ int main(int argc, char **argv)
 
 	context = libwebsocket_create_context(server_port, interface, protocols,
 				libwebsocket_internal_extensions,
-				cert_path, key_path, -1, -1, opts, NULL);
+				cert_path, key_path, NULL, -1, -1, opts, NULL);
 	if (context == NULL) {
 		fprintf(stderr, "libwebsocket init failed\n");
 		return -1;

test-server/test-ping.c

@@ -403,7 +403,7 @@ int main(int argc, char **argv)
 	context = libwebsocket_create_context(CONTEXT_PORT_NO_LISTEN, NULL,
 					      protocols,
 					      libwebsocket_internal_extensions,
-					      NULL, NULL, -1, -1, 0, NULL);
+					      NULL, NULL, NULL, -1, -1, 0, NULL);
 	if (context == NULL) {
 		fprintf(stderr, "Creating libwebsocket context failed\n");
 		return 1;

test-server/test-server-extpoll.c

@@ -484,7 +484,8 @@ int main(int argc, char **argv)
 
 	context = libwebsocket_create_context(port, interface_ptr, protocols,
 					libwebsocket_internal_extensions,
-					cert_path, key_path, -1, -1, opts, NULL);
+					cert_path, key_path, NULL, -1, -1,
+					opts, NULL);
 	if (context == NULL) {
 		fprintf(stderr, "libwebsocket init failed\n");
 		return -1;

test-server/test-server.c

@@ -447,7 +447,7 @@ int main(int argc, char **argv)
 
 	context = libwebsocket_create_context(port, interface, protocols,
 				libwebsocket_internal_extensions,
-				cert_path, key_path, -1, -1, opts, NULL);
+				cert_path, key_path, NULL, -1, -1, opts, NULL);
 	if (context == NULL) {
 		fprintf(stderr, "libwebsocket init failed\n");
 		return -1;