diff --git a/lib/libwebsockets.c b/lib/libwebsockets.c
index 0263c800..fd4196a1 100644
--- a/lib/libwebsockets.c
+++ b/lib/libwebsockets.c
@@ -2484,6 +2484,7 @@ OpenSSL_verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
* server cert from, otherwise NULL for unencrypted
* @ssl_private_key_filepath: filepath to private key if wanting SSL mode,
* else ignored
+ * @ssl_ca_filepath: CA certificate filepath or NULL
* @gid: group id to change to after setting listen socket, or -1.
* @uid: user id to change to after setting listen socket, or -1.
* @options: 0, or LWS_SERVER_OPTION_DEFEAT_CLIENT_MASK
@@ -2522,8 +2523,9 @@ libwebsocket_create_context(int port, const char *interf,
struct libwebsocket_extension *extensions,
const char *ssl_cert_filepath,
const char *ssl_private_key_filepath,
+ const char *ssl_ca_filepath,
int gid, int uid, unsigned int options,
- void *user)
+ void *user)
{
int n;
int m;
@@ -2743,15 +2745,23 @@ libwebsocket_create_context(int port, const char *interf,
}
/* openssl init for cert verification (for client sockets) */
-
- if (!SSL_CTX_load_verify_locations(
- context->ssl_client_ctx, NULL,
- LWS_OPENSSL_CLIENT_CERTS))
- fprintf(stderr,
- "Unable to load SSL Client certs from %s "
- "(set by --with-client-cert-dir= in configure) -- "
- " client ssl isn't going to work",
- LWS_OPENSSL_CLIENT_CERTS);
+ if (!ssl_ca_filepath) {
+ if (!SSL_CTX_load_verify_locations(
+ context->ssl_client_ctx, NULL,
+ LWS_OPENSSL_CLIENT_CERTS))
+ fprintf(stderr,
+ "Unable to load SSL Client certs from %s "
+ "(set by --with-client-cert-dir= in configure) -- "
+ " client ssl isn't going to work",
+ LWS_OPENSSL_CLIENT_CERTS);
+ } else
+ if (!SSL_CTX_load_verify_locations(
+ context->ssl_client_ctx, ssl_ca_filepath,
+ NULL))
+ fprintf(stderr,
+ "Unable to load SSL Client certs "
+ "file from %s -- client ssl isn't "
+ "going to work", ssl_ca_filepath);
/*
* callback allowing user code to load extra verification certs
diff --git a/lib/libwebsockets.h b/lib/libwebsockets.h
index 64166114..6a612e6c 100644
--- a/lib/libwebsockets.h
+++ b/lib/libwebsockets.h
@@ -646,7 +646,9 @@ libwebsocket_create_context(int port, const char * interf,
struct libwebsocket_protocols *protocols,
struct libwebsocket_extension *extensions,
const char *ssl_cert_filepath,
- const char *ssl_private_key_filepath, int gid, int uid,
+ const char *ssl_private_key_filepath,
+ const char *ssl_ca_filepath,
+ int gid, int uid,
unsigned int options, void *user);
LWS_EXTERN void
diff --git a/libwebsockets-api-doc.html b/libwebsockets-api-doc.html
index e908d143..6ed0b1c5 100644
--- a/libwebsockets-api-doc.html
+++ b/libwebsockets-api-doc.html
@@ -224,6 +224,7 @@ has been created.
struct libwebsocket_extension * extensions,
const char * ssl_cert_filepath,
const char * ssl_private_key_filepath,
+const char * ssl_ca_filepath,
int gid,
int uid,
unsigned int options,
@@ -252,6 +253,9 @@ server cert from, otherwise NULL for unencrypted
ssl_private_key_filepath
filepath to private key if wanting SSL mode,
else ignored
+ssl_ca_filepath
+filepath to CA certificates file if wanting SSL mode,
+else ignored
gid
group id to change to after setting listen socket, or -1.
uid
diff --git a/test-server/test-client.c b/test-server/test-client.c
index 6db609c8..babdea82 100644
--- a/test-server/test-client.c
+++ b/test-server/test-client.c
@@ -258,7 +258,7 @@ int main(int argc, char **argv)
context = libwebsocket_create_context(CONTEXT_PORT_NO_LISTEN, NULL,
protocols, libwebsocket_internal_extensions,
- NULL, NULL, -1, -1, 0, NULL);
+ NULL, NULL, NULL, -1, -1, 0, NULL);
if (context == NULL) {
fprintf(stderr, "Creating libwebsocket context failed\n");
return 1;
diff --git a/test-server/test-fraggle.c b/test-server/test-fraggle.c
index de544fea..9c2a1660 100644
--- a/test-server/test-fraggle.c
+++ b/test-server/test-fraggle.c
@@ -301,7 +301,7 @@ int main(int argc, char **argv)
context = libwebsocket_create_context(server_port, interface, protocols,
libwebsocket_internal_extensions,
- cert_path, key_path, -1, -1, opts, NULL);
+ cert_path, key_path, NULL, -1, -1, opts, NULL);
if (context == NULL) {
fprintf(stderr, "libwebsocket init failed\n");
return -1;
diff --git a/test-server/test-ping.c b/test-server/test-ping.c
index 476ef0ba..864a0288 100644
--- a/test-server/test-ping.c
+++ b/test-server/test-ping.c
@@ -403,7 +403,7 @@ int main(int argc, char **argv)
context = libwebsocket_create_context(CONTEXT_PORT_NO_LISTEN, NULL,
protocols,
libwebsocket_internal_extensions,
- NULL, NULL, -1, -1, 0, NULL);
+ NULL, NULL, NULL, -1, -1, 0, NULL);
if (context == NULL) {
fprintf(stderr, "Creating libwebsocket context failed\n");
return 1;
diff --git a/test-server/test-server-extpoll.c b/test-server/test-server-extpoll.c
index f2f68b4d..1eb2d10f 100644
--- a/test-server/test-server-extpoll.c
+++ b/test-server/test-server-extpoll.c
@@ -484,7 +484,8 @@ int main(int argc, char **argv)
context = libwebsocket_create_context(port, interface_ptr, protocols,
libwebsocket_internal_extensions,
- cert_path, key_path, -1, -1, opts, NULL);
+ cert_path, key_path, NULL, -1, -1,
+ opts, NULL);
if (context == NULL) {
fprintf(stderr, "libwebsocket init failed\n");
return -1;
diff --git a/test-server/test-server.c b/test-server/test-server.c
index 9617194f..d202c1d0 100644
--- a/test-server/test-server.c
+++ b/test-server/test-server.c
@@ -447,7 +447,7 @@ int main(int argc, char **argv)
context = libwebsocket_create_context(port, interface, protocols,
libwebsocket_internal_extensions,
- cert_path, key_path, -1, -1, opts, NULL);
+ cert_path, key_path, NULL, -1, -1, opts, NULL);
if (context == NULL) {
fprintf(stderr, "libwebsocket init failed\n");
return -1;