diff --git a/CMakeLists.txt b/CMakeLists.txt index 24233dc9..fa359e40 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -320,7 +320,7 @@ if (WITH_SSL) if (USE_CYASSL) # Use CyaSSL as OpenSSL replacement. set(OPENSSL_LIBRARIES ${CYASSL_LIB}) - set(OPENSSL_INCLUDE_DIRS ${CYASSL_INCLUDE_DIRS}) + set(OPENSSL_INCLUDE_DIR ${CYASSL_INCLUDE_DIRS}) set(OPENSSL_FOUND 1) else() # TODO: Add support for STATIC also. diff --git a/lib/client.c b/lib/client.c index 6ddfdcaa..c92bc49f 100644 --- a/lib/client.c +++ b/lib/client.c @@ -114,17 +114,31 @@ int lws_client_socket_service(struct libwebsocket_context *context, struct libwe if (wsi->use_ssl && !wsi->ssl) { wsi->ssl = SSL_new(context->ssl_client_ctx); - wsi->client_bio = BIO_new_socket(wsi->sock, - BIO_NOCLOSE); + + #ifdef USE_CYASSL + /* CyaSSL does certificate verification differently from OpenSSL. + * If we should ignore the certificate, we need to set this before + * SSL_new and SSL_connect is called. Otherwise the connect will + * simply fail with error code -155 */ + if (wsi->use_ssl == 2) { + CyaSSL_set_verify(wsi->ssl, SSL_VERIFY_NONE, NULL); + } + #endif // USE_CYASSL + + wsi->client_bio = BIO_new_socket(wsi->sock, BIO_NOCLOSE); SSL_set_bio(wsi->ssl, wsi->client_bio, wsi->client_bio); + #ifdef USE_CYASSL + CyaSSL_set_using_nonblock(wsi->ssl, 1); + #else BIO_set_nbio(wsi->client_bio, 1); /* nonblocking */ + #endif SSL_set_ex_data(wsi->ssl, openssl_websocket_private_data_index, context); - } + } if (wsi->use_ssl) { lws_latency_pre(context, wsi); @@ -167,6 +181,8 @@ int lws_client_socket_service(struct libwebsocket_context *context, struct libwe return 0; } + #ifndef USE_CYASSL + /* See note above about CyaSSL certificate verification */ lws_latency_pre(context, wsi); n = SSL_get_verify_result(wsi->ssl); lws_latency(context, wsi, "SSL_get_verify_result LWS_CONNMODE_WS_CLIENT_ISSUE_HANDSHAKE", n, n > 0); @@ -180,6 +196,7 @@ int lws_client_socket_service(struct libwebsocket_context *context, struct libwe wsi, LWS_CLOSE_STATUS_NOSTATUS); return 0; } + #endif // USE_CYASSL } else wsi->ssl = NULL; #endif diff --git a/lib/server.c b/lib/server.c index b30d4e97..e3914a06 100644 --- a/lib/server.c +++ b/lib/server.c @@ -291,6 +291,9 @@ int lws_server_socket_service(struct libwebsocket_context *context, SSL_set_fd(new_wsi->ssl, accept_fd); + #ifdef USE_CYASSL + CyaSSL_set_using_nonblock(new_wsi->ssl, 1); + #else bio = SSL_get_rbio(new_wsi->ssl); if (bio) BIO_set_nbio(bio, 1); /* nonblocking */ @@ -301,6 +304,7 @@ int lws_server_socket_service(struct libwebsocket_context *context, BIO_set_nbio(bio, 1); /* nonblocking */ else lwsl_notice("NULL rbio\n"); + #endif /* * we are not accepted yet, but we need to enter ourselves