Mirrors/libwebsockets
1
0
Fork 0
mirror of https://github.com/warmcat/libwebsockets.git synced 2025-03-16 00:00:07 +01:00
Code Issues Releases Wiki Activity

ssl client use OS CA root certs by default

Browse source 
Signed-off-by: Andy Green <andy.green@linaro.org>
This commit is contained in:
Andy Green 2014-03-15 10:39:29 +08:00
parent 5ac7e7ad5a
commit d2ec7adbab
4 changed files with 20 additions and 0 deletions

6
CMakeLists.txt
View file

@ -34,6 +34,7 @@ if(GIT_EXECUTABLE)
endif() endif()
option(LWS_WITH_SSL "Include SSL support (default OpenSSL, CyaSSL if LWS_USE_CYASSL is set)" ON) option(LWS_WITH_SSL "Include SSL support (default OpenSSL, CyaSSL if LWS_USE_CYASSL is set)" ON)
option(LWS_SSL_CLIENT_USE_OS_CA_CERTS "SSL support should make use of OS installed CA root certs" ON)
option(LWS_USE_EXTERNAL_ZLIB "Search the system for ZLib instead of using the included one (on Windows)" OFF) option(LWS_USE_EXTERNAL_ZLIB "Search the system for ZLib instead of using the included one (on Windows)" OFF)
option(LWS_USE_CYASSL "Use CyaSSL replacement for OpenSSL. When settings this, you also need to specify LWS_CYASSL_LIB and LWS_CYASSL_INCLUDE_DIRS" OFF) option(LWS_USE_CYASSL "Use CyaSSL replacement for OpenSSL. When settings this, you also need to specify LWS_CYASSL_LIB and LWS_CYASSL_INCLUDE_DIRS" OFF)
option(LWS_WITHOUT_BUILTIN_GETIFADDRS "Don't use BSD getifaddrs implementation from libwebsockets if it is missing (this will result in a compilation error) ... Default is your libc provides it. On some systems such as uclibc it doesn't exist." OFF) option(LWS_WITHOUT_BUILTIN_GETIFADDRS "Don't use BSD getifaddrs implementation from libwebsockets if it is missing (this will result in a compilation error) ... Default is your libc provides it. On some systems such as uclibc it doesn't exist." OFF)
@ -88,6 +89,10 @@ if (LWS_WITH_SSL)
set(LWS_OPENSSL_SUPPORT 1) set(LWS_OPENSSL_SUPPORT 1)
endif() endif()
if (LWS_SSL_CLIENT_USE_OS_CA_CERTS)
set(LWS_SSL_CLIENT_USE_OS_CA_CERTS 1)
endif()
if (LWS_WITH_LATENCY) if (LWS_WITH_LATENCY)
set(LWS_LATENCY 1) set(LWS_LATENCY 1)
endif() endif()
@ -841,6 +846,7 @@ message("---------------------------------------------------------------------")
message(" Settings: (For more help do cmake -LH <srcpath>") message(" Settings: (For more help do cmake -LH <srcpath>")
message("---------------------------------------------------------------------") message("---------------------------------------------------------------------")
message(" LWS_WITH_SSL = ${LWS_WITH_SSL} (SSL Support)") message(" LWS_WITH_SSL = ${LWS_WITH_SSL} (SSL Support)")
message(" LWS_SSL_CLIENT_USE_OS_CA_CERTS = ${LWS_SSL_CLIENT_USE_OS_CA_CERTS}")
message(" LWS_USE_CYASSL = ${LWS_USE_CYASSL} (CyaSSL replacement for OpenSSL)") message(" LWS_USE_CYASSL = ${LWS_USE_CYASSL} (CyaSSL replacement for OpenSSL)")
if (LWS_USE_CYASSL) if (LWS_USE_CYASSL)
message(" LWS_CYASSL_LIB = ${LWS_CYASSL_LIB}") message(" LWS_CYASSL_LIB = ${LWS_CYASSL_LIB}")

6
changelog
View file

@ -51,6 +51,12 @@ that without getting involved in having to send the header by hand.
A new info member http_proxy_address may be used at context creation time to A new info member http_proxy_address may be used at context creation time to
set the http proxy. If non-NULL, it overrides http_proxy environment var. set the http proxy. If non-NULL, it overrides http_proxy environment var.
Cmake supports LWS_SSL_CLIENT_USE_OS_CA_CERTS defaulting to on, which gets
the client to use the OS CA Roots. If you're worried somebody with the
ability to forge for force creation of a client cert from the root CA in
your OS, you should disable this since your selfsigned $0 cert is a lot safer
then...
v1.23-chrome32-firefox24 v1.23-chrome32-firefox24
======================== ========================

3
config.h.cmake
View file

@ -17,6 +17,9 @@
/* Build with OpenSSL support */ /* Build with OpenSSL support */
#cmakedefine LWS_OPENSSL_SUPPORT #cmakedefine LWS_OPENSSL_SUPPORT
/* The client should load and trust CA root certs it finds in the OS */
#cmakedefine LWS_SSL_CLIENT_USE_OS_CA_CERTS
/* Sets the path where the client certs should be installed. */ /* Sets the path where the client certs should be installed. */
#cmakedefine LWS_OPENSSL_CLIENT_CERTS "${LWS_OPENSSL_CLIENT_CERTS}" #cmakedefine LWS_OPENSSL_CLIENT_CERTS "${LWS_OPENSSL_CLIENT_CERTS}"

5
lib/libwebsockets.c
View file

@ -2268,6 +2268,11 @@ libwebsocket_create_context(struct lws_context_creation_info *info)
SSL_CTX_set_cipher_list(context->ssl_client_ctx, SSL_CTX_set_cipher_list(context->ssl_client_ctx,
info->ssl_cipher_list); info->ssl_cipher_list);
#ifdef LWS_SSL_CLIENT_USE_OS_CA_CERTS
/* loads OS default CA certs */
SSL_CTX_set_default_verify_paths(context->ssl_client_ctx);
#endif
/* openssl init for cert verification (for client sockets) */ /* openssl init for cert verification (for client sockets) */
if (!info->ssl_ca_filepath) { if (!info->ssl_ca_filepath) {
if (!SSL_CTX_load_verify_locations( if (!SSL_CTX_load_verify_locations(