diff --git a/CMakeLists.txt b/CMakeLists.txt index 780972c7..9d2079aa 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -943,6 +943,7 @@ endforeach() set (temp ${CMAKE_REQUIRED_LIBRARIES}) set(CMAKE_REQUIRED_LIBRARIES ${LIB_LIST}) CHECK_FUNCTION_EXISTS(SSL_CTX_set1_param LWS_HAVE_SSL_CTX_set1_param) +CHECK_FUNCTION_EXISTS(X509_VERIFY_PARAM_set1_host LWS_HAVE_X509_VERIFY_PARAM_set1_host) set(CMAKE_REQUIRED_LIBRARIES ${temp}) # Generate the lws_config.h that includes all the public compilation settings. configure_file( diff --git a/lib/private-libwebsockets.h b/lib/private-libwebsockets.h index 74569136..b71b78d8 100644 --- a/lib/private-libwebsockets.h +++ b/lib/private-libwebsockets.h @@ -221,6 +221,7 @@ static inline int compatible_close(int fd) { return close(fd); } #ifdef LWS_HAVE_OPENSSL_ECDH_H #include #endif +#include #endif /* not USE_MBEDTLS */ #endif /* not USE_POLARSSL */ #endif /* not USE_WOLFSSL */ diff --git a/lib/ssl-client.c b/lib/ssl-client.c index c5a144b0..79e947fe 100644 --- a/lib/ssl-client.c +++ b/lib/ssl-client.c @@ -38,11 +38,24 @@ lws_ssl_client_bio_create(struct lws *wsi) #if defined(LWS_USE_MBEDTLS) #else struct lws_context *context = wsi->context; -#if defined(CYASSL_SNI_HOST_NAME) || defined(WOLFSSL_SNI_HOST_NAME) || defined(SSL_CTRL_SET_TLSEXT_HOSTNAME) const char *hostname = lws_hdr_simple_ptr(wsi, _WSI_TOKEN_CLIENT_HOST); -#endif + X509_VERIFY_PARAM *param; + + (void)hostname; + (void)param; wsi->ssl = SSL_new(wsi->vhost->ssl_client_ctx); + +#if defined LWS_HAVE_X509_VERIFY_PARAM_set1_host + param = SSL_get0_param(wsi->ssl); + /* Enable automatic hostname checks */ + X509_VERIFY_PARAM_set_hostflags(param, + X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); + X509_VERIFY_PARAM_set1_host(param, hostname, 0); + /* Configure a non-zero callback if desired */ + SSL_set_verify(wsi->ssl, SSL_VERIFY_PEER, 0); +#endif + #ifndef USE_WOLFSSL SSL_set_mode(wsi->ssl, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); #endif 
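Review bot: The new `CHECK_FUNCTION_EXISTS(X509_VERIFY_PARAM_set1_host ...)` line is the only thing that decides whether the client gets hostname verification at all, and a toolchain where the symbol is not linkable (an OpenSSL older than 1.0.2, or a compat layer that exposes the name as a macro instead of a function) silently produces a build without it. I would make that outcome visible in the configure log right after the `set(CMAKE_REQUIRED_LIBRARIES ${temp})` restore: `if(NOT LWS_HAVE_X509_VERIFY_PARAM_set1_host)` / `  message(STATUS "X509_VERIFY_PARAM_set1_host not found: client hostname verification disabled")` / `endif()`. The check reuses the existing save/restore of `CMAKE_REQUIRED_LIBRARIES` around the `SSL_CTX_set1_param` probe, which is fine; the `set (temp ...)` spacing and uppercase command name are pre-existing style, not new.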
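Review bot: `X509_VERIFY_PARAM_set1_host(param, hostname, 0)` is called without checking its return value, and `hostname` comes straight from `lws_hdr_simple_ptr()` with no NULL check; if the client host token is absent, OpenSSL's contract for a NULL name (as far as I can tell) is to clear the expected-name list rather than fail, so the connection proceeds with chain verification but no hostname match, which silently defeats the point of this hunk. I would fail the connection instead: `if (!hostname || !X509_VERIFY_PARAM_set1_host(param, hostname, 0))` followed by the function's error return. Two smaller points: the value in the host token may carry a `:port` suffix or be an IP literal, neither of which `set1_host` matches (an IP literal needs `X509_VERIFY_PARAM_set1_ip_asc`), so confirm what `_WSI_TOKEN_CLIENT_HOST` holds here; and `SSL_set_verify(wsi->ssl, SSL_VERIFY_PEER, 0)` overrides whatever verify mode was set on `ssl_client_ctx`, so any caller-side opt-out of peer verification (not visible in this hunk) would have to be re-applied after it. The comment `/* Configure a non-zero callback if desired */` describes nothing about this code; I would replace it with `/* no verify callback: rely on the default chain + hostname check */`. lws_ssl_client_bio_create continues outside the hunk.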
diff --git a/lws_config.h.in b/lws_config.h.in
index 9e61d6f1..0e929b90 100644
--- a/lws_config.h.in
+++ b/lws_config.h.in
@@ -82,6 +82,7 @@
 /* SSL server using ECDH certificate */
 #cmakedefine LWS_SSL_SERVER_WITH_ECDH_CERT
 #cmakedefine LWS_HAVE_SSL_CTX_set1_param
+#cmakedefine LWS_HAVE_X509_VERIFY_PARAM_set1_host
 /* CGI apis */
 #cmakedefine LWS_WITH_CGI