docs: clarify difference between client and server ssl members in creation_info struct

Update test-client from the deprecated server ssl members that still work for backwards compatibility to the preferred client-specific ones. Remove .client_ssl_... member dependency on OPENSSL https://github.com/warmcat/libwebsockets/issues/1022
2025-03-09 00:00:04 +01:00 · 2017-09-14 07:37:10 +08:00 · 2017-09-14 07:37:10 +08:00 · 9b484ff507
commit 9b484ff507
parent 7379e5ad6b
2 changed files with 35 additions and 24 deletions
--- a/lib/libwebsockets.h
+++ b/lib/libwebsockets.h
@ -2071,23 +2071,38 @@ struct lws_context_creation_info {
 	/**< CONTEXT: NULL or struct lws_token_limits pointer which is initialized
 	 * with a token length limit for each possible WSI_TOKEN_ */
 	const char *ssl_private_key_password;
-	/**< VHOST: NULL or the passphrase needed for the private key */
+	/**< VHOST: NULL or the passphrase needed for the private key. (For
+	 * backwards compatibility, this can also be used to pass the client
+	 * cert passphrase when setting up a vhost client SSL context, but it is
+	 * preferred to use .client_ssl_private_key_password for that.) */
 	const char *ssl_cert_filepath;
 	/**< VHOST: If libwebsockets was compiled to use ssl, and you want
 	 * to listen using SSL, set to the filepath to fetch the
- 	 * server cert from, otherwise NULL for unencrypted */
+	 * server cert from, otherwise NULL for unencrypted.  (For backwards
+	 * compatibility, this can also be used to pass the client certificate
+	 * when setting up a vhost client SSL context, but it is preferred to
+	 * use .client_ssl_cert_filepath for that.) */
 	const char *ssl_private_key_filepath;
 	/**<  VHOST: filepath to private key if wanting SSL mode;
-	 * if this is set to NULL but sll_cert_filepath is set, the
+	 * if this is set to NULL but ssl_cert_filepath is set, the
 	 * OPENSSL_CONTEXT_REQUIRES_PRIVATE_KEY callback is called
 	 * to allow setting of the private key directly via openSSL
-	 * library calls */
+	 * library calls.   (For backwards compatibility, this can also be used
+	 * to pass the client cert private key filepath when setting up a
+	 * vhost client SSL context, but it is preferred to use
+	 * .client_ssl_private_key_filepath for that.) */
 	const char *ssl_ca_filepath;
-	/**< VHOST: CA certificate filepath or NULL */
+	/**< VHOST: CA certificate filepath or NULL.  (For backwards
+	 * compatibility, this can also be used to pass the client CA
+	 * filepath when setting up a vhost client SSL context,
+	 * but it is preferred to use .client_ssl_ca_filepath for that.) */
 	const char *ssl_cipher_list;
 	/**< VHOST: List of valid ciphers to use (eg,
 	 * "RC4-MD5:RC4-SHA:AES128-SHA:AES256-SHA:HIGH:!DSS:!aNULL"
-	 * or you can leave it as NULL to get "DEFAULT" */
+	 * or you can leave it as NULL to get "DEFAULT" (For backwards
+	 * compatibility, this can also be used to pass the client cipher
+	 * list when setting up a vhost client SSL context,
+	 * but it is preferred to use .client_ssl_cipher_list for that.)*/
 	const char *http_proxy_address;
 	/**< VHOST: If non-NULL, attempts to proxy via the given address.
 	 * If proxy auth is required, use format "username:password\@server:port" */
@ -2218,28 +2233,24 @@ struct lws_context_creation_info {
 	 * succeeded to create.
 	 */

-#ifdef LWS_OPENSSL_SUPPORT
-	 /**< CONTEXT: NULL or struct lws_token_limits pointer which is initialized
-	 * with a token length limit for each possible WSI_TOKEN_ */
 	const char *client_ssl_private_key_password;
-	/**< VHOST: NULL or the passphrase needed for the private key */
+	/**< VHOST: Client SSL context init: NULL or the passphrase needed
+	 * for the private key */
 	const char *client_ssl_cert_filepath;
-	/**< VHOST: If libwebsockets was compiled to use ssl, and you want
-	* to listen using SSL, set to the filepath to fetch the
-	* server cert from, otherwise NULL for unencrypted */
+	/**< VHOST: Client SSL context init:T he certificate the client
+	 * should present to the peer on connection */
 	const char *client_ssl_private_key_filepath;
-	/**<  VHOST: filepath to private key if wanting SSL mode;
-	* if this is set to NULL but sll_cert_filepath is set, the
-	* OPENSSL_CONTEXT_REQUIRES_PRIVATE_KEY callback is called
-	* to allow setting of the private key directly via openSSL
-	* library calls */
+	/**<  VHOST: Client SSL context init: filepath to client private key
+	 * if this is set to NULL but client_ssl_cert_filepath is set, you
+	 * can handle the LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS
+	 * callback of protocols[0] to allow setting of the private key directly
+	 * via openSSL library calls */
 	const char *client_ssl_ca_filepath;
-	/**< VHOST: CA certificate filepath or NULL */
+	/**< VHOST: Client SSL context init: CA certificate filepath or NULL */
 	const char *client_ssl_cipher_list;
-	/**< VHOST: List of valid ciphers to use (eg,
+	/**< VHOST: Client SSL context init: List of valid ciphers to use (eg,
 	* "RC4-MD5:RC4-SHA:AES128-SHA:AES256-SHA:HIGH:!DSS:!aNULL"
 	* or you can leave it as NULL to get "DEFAULT" */
-#endif

 	const struct lws_plat_file_ops *fops;
 	/**< CONTEXT: NULL, or pointer to an array of fops structs, terminated
--- a/test-server/test-client.c
+++ b/test-server/test-client.c
@ -579,15 +579,15 @@ int main(int argc, char **argv)
 		 */

 		if (cert_path[0])
-			info.ssl_cert_filepath = cert_path;
+			info.client_ssl_cert_filepath = cert_path;
 		if (key_path[0])
-			info.ssl_private_key_filepath = key_path;
+			info.client_ssl_private_key_filepath = key_path;

 		/*
 		 * A CA cert and CRL can be used to validate the cert send by the server
 		 */
 		if (ca_path[0])
-			info.ssl_ca_filepath = ca_path;
+			info.client_ssl_ca_filepath = ca_path;

 #if defined(LWS_OPENSSL_SUPPORT) && defined(LWS_HAVE_SSL_CTX_set1_param)
 		else if (crl_path[0])