diff --git a/CMakeLists.txt b/CMakeLists.txt
index 64b38834..103b3e00 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -34,6 +34,7 @@ if(GIT_EXECUTABLE)
 endif()
 
 option(LWS_WITH_SSL "Include SSL support (default OpenSSL, CyaSSL if LWS_USE_CYASSL is set)" ON)
+option(LWS_SSL_CLIENT_USE_OS_CA_CERTS "SSL support should make use of OS installed CA root certs" ON)
 option(LWS_USE_EXTERNAL_ZLIB "Search the system for ZLib instead of using the included one (on Windows)" OFF)
 option(LWS_USE_CYASSL "Use CyaSSL replacement for OpenSSL. When settings this, you also need to specify LWS_CYASSL_LIB and LWS_CYASSL_INCLUDE_DIRS" OFF)
 option(LWS_WITHOUT_BUILTIN_GETIFADDRS "Don't use BSD getifaddrs implementation from libwebsockets if it is missing (this will result in a compilation error) ... Default is your libc provides it. On some systems such as uclibc it doesn't exist." OFF)
@@ -88,6 +89,10 @@ if (LWS_WITH_SSL)
 set(LWS_OPENSSL_SUPPORT 1)
 endif()
 
+if (LWS_SSL_CLIENT_USE_OS_CA_CERTS)
+ set(LWS_SSL_CLIENT_USE_OS_CA_CERTS 1)
+endif()
+
 if (LWS_WITH_LATENCY)
 set(LWS_LATENCY 1)
 endif()
@@ -841,6 +846,7 @@ message("---------------------------------------------------------------------")
 message(" Settings: (For more help do cmake -LH ")
 message("---------------------------------------------------------------------")
 message(" LWS_WITH_SSL = ${LWS_WITH_SSL} (SSL Support)")
+message(" LWS_SSL_CLIENT_USE_OS_CA_CERTS = ${LWS_SSL_CLIENT_USE_OS_CA_CERTS}")
 message(" LWS_USE_CYASSL = ${LWS_USE_CYASSL} (CyaSSL replacement for OpenSSL)")
 if (LWS_USE_CYASSL)
 message(" LWS_CYASSL_LIB = ${LWS_CYASSL_LIB}")
diff --git a/changelog b/changelog
index e2f56f0d..f9ceaa23 100644
--- a/changelog
+++ b/changelog
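Review bot: The new `if (LWS_SSL_CLIENT_USE_OS_CA_CERTS)` block in the second hunk runs regardless of LWS_WITH_SSL, so a build with SSL switched off still emits the define into config.h and prints the option in the settings summary of the third hunk, which advertises a trust setting that is not in effect. Gating it as `if (LWS_WITH_SSL AND LWS_SSL_CLIENT_USE_OS_CA_CERTS)` keeps the define tied to the only code that reads it, and the summary line can likewise be wrapped in `if (LWS_WITH_SSL)`. The option description in the first hunk would also help users decide by saying what it actually does, e.g. `"Client trusts OS installed CA root certs in addition to any CA file given at context creation"`, since the C change loads the OS roots whether or not ssl_ca_filepath is supplied.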
@@ -51,6 +51,12 @@ that without getting involved in having to send the header by hand.
 A new info member http_proxy_address may be used at context creation time to set the http proxy. If non-NULL, it overrides http_proxy environment var.
 
+Cmake supports LWS_SSL_CLIENT_USE_OS_CA_CERTS defaulting to on, which gets
+the client to use the OS CA Roots. If you're worried somebody with the
+ability to forge for force creation of a client cert from the root CA in
+your OS, you should disable this since your selfsigned $0 cert is a lot safer
+then...
+
 v1.23-chrome32-firefox24
 ========================
diff --git a/config.h.cmake b/config.h.cmake
index e1dd8c09..87bd9498 100644
--- a/config.h.cmake
+++ b/config.h.cmake
@@ -17,6 +17,9 @@
 /* Build with OpenSSL support */
 #cmakedefine LWS_OPENSSL_SUPPORT
 
+/* The client should load and trust CA root certs it finds in the OS */
+#cmakedefine LWS_SSL_CLIENT_USE_OS_CA_CERTS
+
 /* Sets the path where the client certs should be installed. */
 #cmakedefine LWS_OPENSSL_CLIENT_CERTS "${LWS_OPENSSL_CLIENT_CERTS}"
 
diff --git a/lib/libwebsockets.c b/lib/libwebsockets.c
index 3cc5635f..4fd8f4d3 100644
--- a/lib/libwebsockets.c
+++ b/lib/libwebsockets.c
@@ -2268,6 +2268,11 @@ libwebsocket_create_context(struct lws_context_creation_info *info)
 SSL_CTX_set_cipher_list(context->ssl_client_ctx,
 info->ssl_cipher_list);
 
+#ifdef LWS_SSL_CLIENT_USE_OS_CA_CERTS
+ /* loads OS default CA certs */
+ SSL_CTX_set_default_verify_paths(context->ssl_client_ctx);
+#endif
+
 /* openssl init for cert verification (for client sockets) */
 if (!info->ssl_ca_filepath) {
 if (!SSL_CTX_load_verify_locations(
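Review bot: The return value of `SSL_CTX_set_default_verify_paths()` in the libwebsockets.c hunk is discarded, so a client context whose OS certificate directory or file cannot be opened carries on silently and any later connection that verifies the peer will likely fail with nothing in the log pointing at the cause. It should be checked the same way the `SSL_CTX_load_verify_locations` call right below it is: `if (!SSL_CTX_set_default_verify_paths(context->ssl_client_ctx))` / `lwsl_err("Unable to load OS CA certs\n");`. Note also that the call sits before and independently of the `!info->ssl_ca_filepath` branch, so a caller that passes its own CA file to pin a private CA now additionally trusts every root installed on the host unless the build option is off; if that widening is intended the comment should state it, e.g. `/* trust OS CA roots in addition to any ssl_ca_filepath given below */`, otherwise the call belongs inside the `!info->ssl_ca_filepath` branch. libwebsocket_create_context starts and ends outside the hunk.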