It should be SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, but it was only SSL_VERIFY_FAIL_IF_NO_PEER_CERT, so it didn't verify the cert, it only checked its existence.
To fix that, turn on both just like openssl-server.c does.
After mbedtls version 3.0, support for TLS 1.0 and 1.1 has been removed. For details, please see https://github.com/Mbed-TLS/mbedtls/issues/4286.
If use a new version of mbedtls, connection errors may occur due to version reasons. So we hope it can be configured according to the supported version.
Signed-off-by: makejian <makejian@xiaomi.com>
Adds a reference to the libwebsockets context to the OpenSSL context
used by the client vhost. This allows SSL info callbacks to work
correctly for clients, like it currently does for servers.
Co-authored-by: Marty Flickinger <marty.flickinger@garmin.com>
Signed-off-by: Marty Flickinger <marty.flickinger@garmin.com>
Signed-off-by: Nate Karstens <nate.karstens@garmin.com>
In case of an SSL_ERROR_SSL in lws_tls_client_connect, the
lws_ssl_get_error call was calling lws_tls_err_describe_clear which
cleared the OpenSSL error from the stack. Thus, the tls.err_helper
attribute was set to the default value from ERR_error_string_n, masking
the actual OpenSSL error message from client code.
This fixes clients being able to connect with a certicate that was not
signed by the configured CA when SSL_VERIFY_FAIL_IF_NO_PEER_CERT is set.
The issue only appeared when a client connects via IP address directly and
not use a hostname.
When the hostname was used to connect, the SNI 'callback lws_mbedtls_sni_cb'
overwrote the invalid verfiy mode of
MBEDTLS_SSL_VERIFY_OPTIONAL with MBEDTLS_SSL_VERIFY_REQUIRED by
calling SSL_set_SSL_CTX.
Signed-off-by: Daniel Danzberger <daniel@dd-wrt.com>
When a certificate for a TLS connection is provided, but a private
key is not, the SSL_CTX initialization exits early, before the
CONTEXT_REQUIRES_PRIVATE_KEY callback can be issued.
Remove the now obsolete callback and update the vhost
field description to state that the LOAD_EXTRA_SERVER_VERIFY_CERTS
callback should be used instead.
openssl can be built without threads resulting in the following build
failure:
-- Looking for HMAC_CTX_new
-- Looking for HMAC_CTX_new - not found
[...]
In file included from /home/buildroot/autobuild/instance-0/output-1/build/libwebsockets-4.3.1/include/libwebsockets.h:661,
from /home/buildroot/autobuild/instance-0/output-1/build/libwebsockets-4.3.1/lib/core/./private-lib-core.h:140,
from /home/buildroot/autobuild/instance-0/output-1/build/libwebsockets-4.3.1/lib/plat/unix/unix-misc.c:28:
/home/buildroot/autobuild/instance-0/output-1/build/libwebsockets-4.3.1/include/libwebsockets/lws-genhash.h:85:18: error: field 'ctx' has incomplete type
85 | HMAC_CTX ctx;
| ^~~
To fix this build failure, don't unconditionally add pthread if openssl
has been found through pkg-config as openssl.pc will contain the
appropriate dependencies (i.e. -lpthread but also -lz or -latomic)
Fixes:
- http://autobuild.buildroot.org/results/2ae9e3249b6fcc9e6c30e7783e264fc6599e61df
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Use pkg-config to search for wolfssl.pc which is available since version
3.3.3 and
a50af85e95
This will avoid setting manually LWS_WOLFSSL_{INCLUDE_DIRS,LIBRARIES}
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
mbedtls seemed to realize that they went overboard with the privacy stuff
on v3.0 and removed some of it. Introduce support for those members that
are only private on exactly v3.0 and unprotected before and after.
Ensure we still work with mbedtls_ssl_conf_verify() as well as
mbedtls_ssl_set_verify() if that's what we have got.
Make sure mbedtls tls validation is noisy and fast.
Disable Xenial + mbedtls in sai, it fails but not when the same
tests are run from the commandline. Very few people will be
using Xenial (2016 Ubuntu release) with mbedtls.
This patch checks for the env var SSLKEYLOGFILE=path, if present, then
client connection tls secrets are appended into path.vhostname.
This allows decryption of captured encrypted data for debugging purposes.
SSKEYLOGFILE=path env var method is the same as provided by Firefox and
Chrome for this purpose.
Although many of the examples must be run from the example directory as
cwd, everyone getting started probably wants to try the examples, cmake
knows how to do it, so let's enable it by default.