diff --git a/lib/libwebsockets.c b/lib/libwebsockets.c
index f94b11c0..aaf991aa 100644
--- a/lib/libwebsockets.c
+++ b/lib/libwebsockets.c
@@ -1596,6 +1596,16 @@ libwebsocket_create_context(int port, const char *interface,
 LWS_OPENSSL_CLIENT_CERTS);
 }
+ /*
+ * callback allowing user code to load extra verification certs
+ * helping the client to verify server identity
+ */
+
+ this->protocols[0].callback(this, wsi,
+ LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS,
+ this->ssl_client_ctx, NULL, 0);
+
+
 if (this->use_ssl) {
 /* openssl init for server sockets */
diff --git a/lib/libwebsockets.h b/lib/libwebsockets.h
index acb27b13..0890c9b1 100644
--- a/lib/libwebsockets.h
+++ b/lib/libwebsockets.h
@@ -43,6 +43,7 @@ enum libwebsocket_callback_reasons {
 LWS_CALLBACK_BROADCAST,
 LWS_CALLBACK_FILTER_NETWORK_CONNECTION,
 LWS_CALLBACK_FILTER_PROTOCOL_CONNECTION,
+ LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS,
 /* external poll() management support */
 LWS_CALLBACK_ADD_POLL_FD,
@@ -201,6 +202,12 @@ struct libwebsocket_context;
 * content before deciding to allow the handshake to proceed or
 * to kill the connection.
+ * LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS: if configure for
+ * including OpenSSL support, this callback allows your user code
+ * to perform extra SSL_CTX_load_verify_locations() or similar
+ * calls to direct OpenSSL where to find certificates the client
+ * can use to confirm the remote server identity. @user is the
+ * OpenSSL SSL_CTX*
 *
 * The next four reasons are optional and only need taking care of if you
 * will be integrating libwebsockets sockets into an external polling
diff --git a/libwebsockets-api-doc.html b/libwebsockets-api-doc.html
index cd3e70d0..ecb17ca7 100644
--- a/libwebsockets-api-doc.html
+++ b/libwebsockets-api-doc.html
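Review bot: The return value of the new `this->protocols[0].callback(...)` call in libwebsocket_create_context is discarded, so if the user's `SSL_CTX_load_verify_locations()` fails the client SSL_CTX is left without the intended trust anchors and context creation carries on — a fail-open in the peer-verification setup. I would treat a non-zero return as fatal: `if (this->protocols[0].callback(this, wsi, LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS, this->ssl_client_ctx, NULL, 0))` followed by the function's existing failure/cleanup path, which lies outside the hunk, and state that contract in the header comment. The `}` directly above the inserted block looks like the close of the client-SSL setup that ends with `LWS_OPENSSL_CLIENT_CERTS);`; if that setup is conditional (an `#ifdef` or a runtime flag) and the new call is not, user code would be handed a NULL or uninitialised `ssl_client_ctx`, so the call should sit under the same guard — worth confirming against the surrounding code, which is not in the hunk. Extra CA certificates also only matter if the client context actually verifies the peer (`SSL_VERIFY_PEER`) and the caller checks the server name; neither is visible here, so a one-line comment saying where that is enforced would help readers of this hook. The body of libwebsocket_create_context begins and ends outside the hunk.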
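Review bot: Inserting `LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS` in the middle of `enum libwebsocket_callback_reasons`, ahead of `LWS_CALLBACK_ADD_POLL_FD`, renumbers every reason that follows it, which breaks binary compatibility for any application or plugin compiled against the previous header. Such a stale caller would now dispatch the new reason under the old `LWS_CALLBACK_ADD_POLL_FD` value and receive an `SSL_CTX *` in `user` where it expects poll-fd data, with the remaining external-poll reasons shifted by one as well. If the library is used as a shared object, append the new value at the end of the enum instead, or document that this release requires recompiling dependents; the end of the enum is outside the hunk.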
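Review bot: The new header comment for `LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS` does not say when the callback fires or what its return value means, and it reads "if configure for", which should be "if configured for". From the accompanying .c hunk the hook is invoked once during libwebsocket_create_context, before any connection exists, and its return is ignored as the change stands; the comment should say so, e.g. `Called once from libwebsocket_create_context(), so @wsi carries no connection; @user is the client SSL_CTX *. Certificates loaded here are in addition to the default LWS_OPENSSL_CLIENT_CERTS location.` If the return value becomes significant (a non-zero return aborting context creation would be the safer contract), document that here as well.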
@@ -580,7 +580,15 @@ use the header enums lws_token_indexes from libwebsockets.h to check for and read the supported header presence and content before deciding to allow the handshake to proceed or to kill the connection. -

+ +

LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS

+
+if configure for +including OpenSSL support, this callback allows your user code +to perform extra SSL_CTX_load_verify_locations or similar +calls to direct OpenSSL where to find certificates the client +can use to confirm the remote server identity. user is the +OpenSSL SSL_CTX*

The next four reasons are optional and only need taking care of if you will be integrating libwebsockets sockets into an external polling