This is a simplified version of a patch that went on master before v2.1
675c349cc5
It enforces hostname checking for client SSL certs; perviously it was
not performed.
On v2.1+, you can control if this checking is applied or not. But to
avoid changing to public API, it is enforced on v2.0-stable.
There is no legit reason to disable this check... if you want to disable it,
upgrade to v2.1+ or stay on v2.0-stable behind this patch.
https://github.com/warmcat/libwebsockets/issues/715
Openssl v1.0.2 and above have support for checking the hostname
the client side connected to against the hostname on the cert the
server presented.
This enables that feature if the necessary API is available in the
openssl version, meaning the connection will fail at ssl negotiation if the
cert isn't for the requested server
It's very easy to test, add a fake entry to /etc/hosts for the server IP with
a different name, using that will fail at ssl but using the correct dns name
matching the certificate will work.
polarssl is the old name for mbedtls. Unfortunately the two are confused in eg,
Fedora. For our purposes, polarssl or mbedtls < 2.0 has includes in
/usr/include/polarssl and polarssl_ apis and we call that "polarssl".
polarssl or mbedtls >=2.0 has includes in /usr/include/mbedtls and mbedtls_ apis,
we call that "mbedtls".
This has to be spelled out clearly because eg Fedora has a package "mbedtls" which
is 1.3.x and has the polarssl_ apis and include path. We will deal with that as
"polarssl" despite the package name then.
This patch lets you use LWS_USE_POLARSSL or LWS_USE_MBEDTLS and set the include and
library path like this
cmake .. -DLWS_USE_POLARSSL=1 -DLWS_POLARSSL_INCLUDE_DIRS=/usr/include -DLWS_POLARSSL_LIBRARIES=/usr/lib64/libmbedtls.so.9
This patch adds the cmake support and adapts [private-]libwebsockets.h but doesn't
modify the apis in ssl[-*].c yet.
Signed-off-by: Andy Green <andy@warmcat.com>
Most of ssl.c is under a #ifdef for client or server disabled...
let's get rid of it and have CMake just build the appropriate
files
Signed-off-by: Andy Green <andy@warmcat.com>
