LWS_SERVER_OPTION_PEER_CERT_NOT_REQUIRED

Requested by Bruce Perens

http://ml.libwebsockets.org/pipermail/libwebsockets/2015-June/001834.html

Signed-off-by: Andy Green <andy.green@linaro.org>

changelog

@@ -9,6 +9,9 @@ User api changes
 LWS_CALLBACK_CLIENT_CONNECTION_ERROR may provide an error string if in is
 non-NULL.  If so, the string has length len.
 
+LWS_SERVER_OPTION_PEER_CERT_NOT_REQUIRED is available to relax the requirement
+for peer certs if you are using the option to require client certs.
+
 v1.4-chrome43-firefox36
 =======================
 

lib/libwebsockets.h

@@ -177,6 +177,7 @@ enum libwebsocket_context_options {
 	LWS_SERVER_OPTION_LIBEV = 16,
 	LWS_SERVER_OPTION_DISABLE_IPV6 = 32,
 	LWS_SERVER_OPTION_DISABLE_OS_CA_CERTS = 64,
+	LWS_SERVER_OPTION_PEER_CERT_NOT_REQUIRED = 128,
 };
 
 enum libwebsocket_callback_reasons {

lib/ssl.c

@@ -158,14 +158,18 @@ lws_context_init_server_ssl(struct lws_context_creation_info *info,
 	if (info->options &
 			LWS_SERVER_OPTION_REQUIRE_VALID_OPENSSL_CLIENT_CERT) {
 		
+		int verify_options = SSL_VERIFY_PEER;
+	
+		if (!(info->options & LWS_SERVER_OPTION_PEER_CERT_NOT_REQUIRED))
+			verify_options |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
+		
 		SSL_CTX_set_session_id_context(context->ssl_ctx,
 				(unsigned char *)context, sizeof(void *));
 
 		/* absolutely require the client cert */
 
 		SSL_CTX_set_verify(context->ssl_ctx,
-		       SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
-						       OpenSSL_verify_callback);
+		       verify_options, OpenSSL_verify_callback);
 
 		/*
 		 * give user code a chance to load certs into the server