Project homepage Mailing List  Warmcat.com  API Docs  Github Mirror 
{"schema":"libjg2-1", "vpath":"/git/", "avatar":"/git/avatar/", "alang":"", "gen_ut":1754388958, "reponame":"libwebsockets", "desc":"libwebsockets lightweight C networking library", "owner": { "name": "Andy Green", "email": "andy@warmcat.com", "md5": "c50933ca2aa61e0fe2c43d46bb6b59cb" },"url":"https://libwebsockets.org/repo/libwebsockets", "f":3, "items": [ {"schema":"libjg2-1", "cid":"649935645ff2f8cf986192898fa795b4", "commit": {"type":"commit", "time": 1522982283, "time_ofs": 480, "oid_tree": { "oid": "42f81e577c6c10f4130c14d29181584aa1be7597", "alias": []}, "oid":{ "oid": "94f3981bef12424116ce907f417e024579c73b5e", "alias": []}, "msg": "mbedtls: wrapper: client: Force mbedTLS to attemp to verify cert", "sig_commit": { "git_time": { "time": 1522982283, "offset": 480 }, "name": "Andy Green", "email": "andy@warmcat.com", "md5": "c50933ca2aa61e0fe2c43d46bb6b59cb" }, "sig_author": { "git_time": { "time": 1521910377, "offset": 60 }, "name": "Fabio Alessandrelli", "email": "fabio.alessandrelli@gmail.com", "md5": "d4ea787dcd3cc9a18f035ab3fae561a0" }}, "body": "mbedtls: wrapper: client: Force mbedTLS to attemp to verify cert\n\nAG: unlike openssl, mbedtls does not load the system trust store.\nSo this change will make client tls operations that work OK on openssl fail on\nmbedtls unless you provide the correct CA cert.\n\nThis allows lws to distinguish between untrusted CAs, hostname\nmismatches, expired certificates.\n\nNOTE: LCCSCF_ALLOW_SELFSIGNED actually allows for untrusted CAs, and\nwill also skip hostname verification. This is somewhat a limitiation of\nthe current lws verification process.\n\nAG: improve error reporting up to the CLIENT_CONNECTION_ERROR argument\nand add a note specific to mbedtls in the test client. Adapt the test\nclient to note the CA requirement if built with mbedTLS. Adapt the\nminimal test clients to have the CAs available and use them if mbedTLS." , "diff": "diff --git a/READMEs/README.build.md b/READMEs/README.build.md\nindex 3ca4320..f06628d 100644\n--- a/READMEs/README.build.md\n+++ b/READMEs/README.build.md\n@@ -282,6 +282,13 @@ Lws supports both almost the same, so instead of taking my word for it you are\n invited to try it both ways and see which the results (including, eg, binary\n size and memory usage as well as speed) suggest you use.\n \n+NOTE: one major difference with mbedTLS is it does not load the system trust\n+store by default. That has advantages and disadvantages, but the disadvantage\n+is you must provide the CA cert to lws built against mbedTLS for it to be able\n+to validate it, ie, use -A with the test client. The minimal test clients\n+have the CA cert for warmcat.com and libwebsockets.org and use it if they see\n+they were built with mbedTLS.\n+\n @section optee Building for OP-TEE\n \n OP-TEE is a \u0022Secure World\u0022 Trusted Execution Environment.\ndiff --git a/lib/client/client.c b/lib/client/client.c\nindex 4a02304..3b69f38 100644\n--- a/lib/client/client.c\n+++ b/lib/client/client.c\n@@ -82,7 +82,7 @@ lws_client_socket_service(struct lws_context *context, struct lws *wsi,\n \t\t\t struct lws_pollfd *pollfd)\n {\n \tstruct lws_context_per_thread *pt \u003d \u0026context-\u003ept[(int)wsi-\u003etsi];\n-\tchar *p \u003d (char *)\u0026pt-\u003eserv_buf[0];\n+\tchar *p \u003d (char *)\u0026pt-\u003eserv_buf[0], ebuf[128];\n \tconst char *cce \u003d NULL;\n \tunsigned char c;\n \tchar *sb \u003d p;\n@@ -286,11 +286,11 @@ start_ws_handshake:\n \tcase LWSCM_WSCL_WAITING_SSL:\n \n \t\tif (wsi-\u003euse_ssl) {\n-\t\t\tn \u003d lws_ssl_client_connect2(wsi);\n+\t\t\tn \u003d lws_ssl_client_connect2(wsi, ebuf, sizeof(ebuf));\n \t\t\tif (!n)\n \t\t\t\treturn 0;\n \t\t\tif (n \u003c 0) {\n-\t\t\t\tcce \u003d \u0022lws_ssl_client_connect2 failed\u0022;\n+\t\t\t\tcce \u003d ebuf;\n \t\t\t\tgoto bail3;\n \t\t\t}\n \t\t} else\ndiff --git a/lib/client/ssl-client.c b/lib/client/ssl-client.c\nindex 50f5dd0..fbe7a9b 100644\n--- a/lib/client/ssl-client.c\n+++ b/lib/client/ssl-client.c\n@@ -51,7 +51,7 @@ lws_ssl_client_connect1(struct lws *wsi)\n }\n \n int\n-lws_ssl_client_connect2(struct lws *wsi)\n+lws_ssl_client_connect2(struct lws *wsi, char *errbuf, int len)\n {\n \tint n \u003d 0;\n \n@@ -65,6 +65,7 @@ lws_ssl_client_connect2(struct lws *wsi)\n \n \t\tswitch (n) {\n \t\tcase LWS_SSL_CAPABLE_ERROR:\n+\t\t\tlws_snprintf(errbuf, len, \u0022client connect failed\u0022);\n \t\t\treturn -1;\n \t\tcase LWS_SSL_CAPABLE_DONE:\n \t\t\tbreak; /* connected */\n@@ -79,7 +80,7 @@ lws_ssl_client_connect2(struct lws *wsi)\n \t\t}\n \t}\n \n-\tif (lws_tls_client_confirm_peer_cert(wsi))\n+\tif (lws_tls_client_confirm_peer_cert(wsi, errbuf, len))\n \t\treturn -1;\n \n \treturn 1;\ndiff --git a/lib/private-libwebsockets.h b/lib/private-libwebsockets.h\nindex d6604a9..4fcc60c 100644\n--- a/lib/private-libwebsockets.h\n+++ b/lib/private-libwebsockets.h\n@@ -2373,7 +2373,7 @@ lws_ssl_client_bio_create(struct lws *wsi);\n LWS_EXTERN int\n lws_ssl_client_connect1(struct lws *wsi);\n LWS_EXTERN int\n-lws_ssl_client_connect2(struct lws *wsi);\n+lws_ssl_client_connect2(struct lws *wsi, char *errbuf, int len);\n LWS_EXTERN void\n lws_ssl_elaborate_error(void);\n LWS_EXTERN int\n@@ -2440,7 +2440,7 @@ __lws_tls_shutdown(struct lws *wsi);\n LWS_EXTERN enum lws_ssl_capable_status\n lws_tls_client_connect(struct lws *wsi);\n LWS_EXTERN int\n-lws_tls_client_confirm_peer_cert(struct lws *wsi);\n+lws_tls_client_confirm_peer_cert(struct lws *wsi, char *ebuf, int ebuf_len);\n LWS_EXTERN int\n lws_tls_client_create_vhost_context(struct lws_vhost *vh,\n \t\t\t\t struct lws_context_creation_info *info,\ndiff --git a/lib/tls/mbedtls/mbedtls-client.c b/lib/tls/mbedtls/mbedtls-client.c\nindex 2fbe8a6..990edc6 100644\n--- a/lib/tls/mbedtls/mbedtls-client.c\n+++ b/lib/tls/mbedtls/mbedtls-client.c\n@@ -72,12 +72,8 @@ lws_ssl_client_bio_create(struct lws *wsi)\n \t * use server name indication (SNI), if supported,\n \t * when establishing connection\n \t */\n-\tif (wsi-\u003evhost-\u003ex509_client_CA)\n-\t\tSSL_set_verify(wsi-\u003essl, SSL_VERIFY_PEER,\n-\t\t\t OpenSSL_client_verify_callback);\n-\telse\n-\t\tSSL_set_verify(wsi-\u003essl, SSL_VERIFY_NONE,\n-\t\t\t OpenSSL_client_verify_callback);\n+\tSSL_set_verify(wsi-\u003essl, SSL_VERIFY_PEER,\n+\t\t OpenSSL_client_verify_callback);\n \n \tSSL_set_fd(wsi-\u003essl, wsi-\u003edesc.sockfd);\n \n@@ -112,9 +108,12 @@ lws_tls_client_connect(struct lws *wsi)\n }\n \n int\n-lws_tls_client_confirm_peer_cert(struct lws *wsi)\n+lws_tls_client_confirm_peer_cert(struct lws *wsi, char *ebuf, int ebuf_len)\n {\n+\tint n;\n \tX509 *peer \u003d SSL_get_peer_certificate(wsi-\u003essl);\n+\tstruct lws_context_per_thread *pt \u003d \u0026wsi-\u003econtext-\u003ept[(int)wsi-\u003etsi];\n+\tchar *sb \u003d (char *)\u0026pt-\u003eserv_buf[0];\n \n \tif (!peer) {\n \t\tlwsl_info(\u0022peer did not provide cert\u005cn\u0022);\n@@ -123,7 +122,41 @@ lws_tls_client_confirm_peer_cert(struct lws *wsi)\n \t}\n \tlwsl_info(\u0022peer provided cert\u005cn\u0022);\n \n-\treturn 0;\n+\tn \u003d SSL_get_verify_result(wsi-\u003essl);\n+\tlws_latency(wsi-\u003econtext, wsi,\n+\t\t\t\u0022SSL_get_verify_result LWS_CONNMODE..HANDSHAKE\u0022, n, n \u003e 0);\n+\n+ lwsl_debug(\u0022get_verify says %d\u005cn\u0022, n);\n+\n+\tif (n \u003d\u003d X509_V_OK)\n+\t\treturn 0;\n+\n+\tif (n \u003d\u003d X509_V_ERR_HOSTNAME_MISMATCH \u0026\u0026\n+\t (wsi-\u003euse_ssl \u0026 LCCSCF_SKIP_SERVER_CERT_HOSTNAME_CHECK)) {\n+\t\tlwsl_info(\u0022accepting certificate for invalid hostname\u005cn\u0022);\n+\t\treturn 0;\n+\t}\n+\n+\tif (n \u003d\u003d X509_V_ERR_INVALID_CA \u0026\u0026\n+\t (wsi-\u003euse_ssl \u0026 LCCSCF_ALLOW_SELFSIGNED)) {\n+\t\tlwsl_info(\u0022accepting certificate from untrusted CA\u005cn\u0022);\n+\t\treturn 0;\n+\t}\n+\n+\tif ((n \u003d\u003d X509_V_ERR_CERT_NOT_YET_VALID ||\n+\t n \u003d\u003d X509_V_ERR_CERT_HAS_EXPIRED) \u0026\u0026\n+\t (wsi-\u003euse_ssl \u0026 LCCSCF_ALLOW_EXPIRED)) {\n+\t\tlwsl_info(\u0022accepting expired or not yet valid certificate\u005cn\u0022);\n+\n+\t\treturn 0;\n+\t}\n+\tlws_snprintf(ebuf, ebuf_len,\n+\t\t\u0022server's cert didn't look good, X509_V_ERR \u003d %d: %s\u005cn\u0022,\n+\t\t n, ERR_error_string(n, sb));\n+\tlwsl_info(\u0022%s\u005cn\u0022, ebuf);\n+\tlws_ssl_elaborate_error();\n+\n+\treturn -1;\n }\n \n int\ndiff --git a/lib/tls/mbedtls/wrapper/library/ssl_lib.c b/lib/tls/mbedtls/wrapper/library/ssl_lib.c\nindex cf553e2..22cc24b 100644\n--- a/lib/tls/mbedtls/wrapper/library/ssl_lib.c\n+++ b/lib/tls/mbedtls/wrapper/library/ssl_lib.c\n@@ -1594,11 +1594,34 @@ void ERR_free_strings(void)\n \n char *ERR_error_string(unsigned long e, char *buf)\n {\n-\tif (buf) {\n-\t\tstrcpy(buf, \u0022unknown\u0022);\n+\tif (!buf)\n+\t\treturn \u0022unknown\u0022;\n+\n+\tswitch(e) {\n+\t\tcase X509_V_ERR_INVALID_CA:\n+\t\t\tstrcpy(buf, \u0022CA is not trusted\u0022);\n+\t\t\tbreak;\n+\t\tcase X509_V_ERR_HOSTNAME_MISMATCH:\n+\t\t\tstrcpy(buf, \u0022Hostname mismatch\u0022);\n+\t\t\tbreak;\n+\t\tcase X509_V_ERR_CA_KEY_TOO_SMALL:\n+\t\t\tstrcpy(buf, \u0022CA key too small\u0022);\n+\t\t\tbreak;\n+\t\tcase X509_V_ERR_CA_MD_TOO_WEAK:\n+\t\t\tstrcpy(buf, \u0022MD key too weak\u0022);\n+\t\t\tbreak;\n+\t\tcase X509_V_ERR_CERT_NOT_YET_VALID:\n+\t\t\tstrcpy(buf, \u0022Cert from the future\u0022);\n+\t\t\tbreak;\n+\t\tcase X509_V_ERR_CERT_HAS_EXPIRED:\n+\t\t\tstrcpy(buf, \u0022Cert expired\u0022);\n+\t\t\tbreak;\n+\t\tdefault:\n+\t\t\tstrcpy(buf, \u0022unknown\u0022);\n+\t\t\tbreak;\n \t}\n \n-\treturn \u0022unknown\u0022;\n+\treturn buf;\n }\n \n void *SSL_CTX_get_ex_data(const SSL_CTX *ctx, int idx)\ndiff --git a/lib/tls/mbedtls/wrapper/platform/ssl_pm.c b/lib/tls/mbedtls/wrapper/platform/ssl_pm.c\nindex 1d7d093..3d70275 100755\n--- a/lib/tls/mbedtls/wrapper/platform/ssl_pm.c\n+++ b/lib/tls/mbedtls/wrapper/platform/ssl_pm.c\n@@ -224,7 +224,7 @@ static int ssl_pm_reload_crt(SSL *ssl)\n struct x509_pm *crt_pm \u003d (struct x509_pm *)ssl-\u003ecert-\u003ex509-\u003ex509_pm;\n \n if (ssl-\u003everify_mode \u003d\u003d SSL_VERIFY_PEER)\n- mode \u003d MBEDTLS_SSL_VERIFY_REQUIRED;\n+ mode \u003d MBEDTLS_SSL_VERIFY_OPTIONAL;\n else if (ssl-\u003everify_mode \u003d\u003d SSL_VERIFY_FAIL_IF_NO_PEER_CERT)\n mode \u003d MBEDTLS_SSL_VERIFY_OPTIONAL;\n else if (ssl-\u003everify_mode \u003d\u003d SSL_VERIFY_CLIENT_ONCE)\n@@ -267,7 +267,7 @@ static int mbedtls_handshake( mbedtls_ssl_context *ssl )\n while (ssl-\u003estate !\u003d MBEDTLS_SSL_HANDSHAKE_OVER) {\n ret \u003d mbedtls_ssl_handshake_step(ssl);\n \n- lwsl_notice(\u0022%s: ssl ret -%x state %d\u005cn\u0022, __func__, -ret, ssl-\u003estate);\n+ lwsl_info(\u0022%s: ssl ret -%x state %d\u005cn\u0022, __func__, -ret, ssl-\u003estate);\n \n if (ret !\u003d 0)\n break;\n@@ -283,8 +283,6 @@ int ssl_pm_handshake(SSL *ssl)\n int ret;\n struct ssl_pm *ssl_pm \u003d (struct ssl_pm *)ssl-\u003essl_pm;\n \n- lwsl_notice(\u0022%s\u005cn\u0022, __func__);\n-\n ssl-\u003eerr \u003d 0;\n errno \u003d 0;\n \n@@ -761,18 +759,44 @@ void ssl_pm_set_bufflen(SSL *ssl, int len)\n \n long ssl_pm_get_verify_result(const SSL *ssl)\n {\n- uint32_t ret;\n- long verify_result;\n- struct ssl_pm *ssl_pm \u003d (struct ssl_pm *)ssl-\u003essl_pm;\n+\tuint32_t ret;\n+\tlong verify_result;\n+\tstruct ssl_pm *ssl_pm \u003d (struct ssl_pm *)ssl-\u003essl_pm;\n \n- ret \u003d mbedtls_ssl_get_verify_result(\u0026ssl_pm-\u003essl);\n- if (ret) {\n- SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, \u0022mbedtls_ssl_get_verify_result() return 0x%x\u0022, ret);\n- verify_result \u003d X509_V_ERR_UNSPECIFIED;\n- } else\n- verify_result \u003d X509_V_OK;\n+\tret \u003d mbedtls_ssl_get_verify_result(\u0026ssl_pm-\u003essl);\n+\tif (!ret)\n+\t\treturn X509_V_OK;\n+\n+\tif (ret \u0026 MBEDTLS_X509_BADCERT_NOT_TRUSTED ||\n+\t\t(ret \u0026 MBEDTLS_X509_BADCRL_NOT_TRUSTED))\n+\t\tverify_result \u003d X509_V_ERR_INVALID_CA;\n+\n+\telse if (ret \u0026 MBEDTLS_X509_BADCERT_CN_MISMATCH)\n+\t\tverify_result \u003d X509_V_ERR_HOSTNAME_MISMATCH;\n \n- return verify_result;\n+\telse if ((ret \u0026 MBEDTLS_X509_BADCERT_BAD_KEY) ||\n+\t\t(ret \u0026 MBEDTLS_X509_BADCRL_BAD_KEY))\n+\t\tverify_result \u003d X509_V_ERR_CA_KEY_TOO_SMALL;\n+\n+\telse if ((ret \u0026 MBEDTLS_X509_BADCERT_BAD_MD) ||\n+\t\t(ret \u0026 MBEDTLS_X509_BADCRL_BAD_MD))\n+\t\tverify_result \u003d X509_V_ERR_CA_MD_TOO_WEAK;\n+\n+\telse if ((ret \u0026 MBEDTLS_X509_BADCERT_FUTURE) ||\n+\t\t(ret \u0026 MBEDTLS_X509_BADCRL_FUTURE))\n+\t\tverify_result \u003d X509_V_ERR_CERT_NOT_YET_VALID;\n+\n+\telse if ((ret \u0026 MBEDTLS_X509_BADCERT_EXPIRED) ||\n+\t\t(ret \u0026 MBEDTLS_X509_BADCRL_EXPIRED))\n+\t\tverify_result \u003d X509_V_ERR_CERT_HAS_EXPIRED;\n+\n+\telse\n+\t\tverify_result \u003d X509_V_ERR_UNSPECIFIED;\n+\n+\tSSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL,\n+\t\t \u0022mbedtls_ssl_get_verify_result() return 0x%x\u0022, ret);\n+\n+\treturn verify_result;\n }\n \n /**\n@@ -856,13 +880,13 @@ void SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx)\n \tssl-\u003ectx \u003d ctx;\n \tssl-\u003ecert \u003d __ssl_cert_new(ctx-\u003ecert);\n \n-\t if (ctx-\u003everify_mode \u003d\u003d SSL_VERIFY_PEER)\n-\t mode \u003d MBEDTLS_SSL_VERIFY_REQUIRED;\n-\t else if (ctx-\u003everify_mode \u003d\u003d SSL_VERIFY_FAIL_IF_NO_PEER_CERT)\n-\t mode \u003d MBEDTLS_SSL_VERIFY_OPTIONAL;\n-\t else if (ctx-\u003everify_mode \u003d\u003d SSL_VERIFY_CLIENT_ONCE)\n-\t mode \u003d MBEDTLS_SSL_VERIFY_UNSET;\n-\t else\n+\tif (ctx-\u003everify_mode \u003d\u003d SSL_VERIFY_PEER)\n+\t\tmode \u003d MBEDTLS_SSL_VERIFY_OPTIONAL;\n+\telse if (ctx-\u003everify_mode \u003d\u003d SSL_VERIFY_FAIL_IF_NO_PEER_CERT)\n+\t\tmode \u003d MBEDTLS_SSL_VERIFY_OPTIONAL;\n+\telse if (ctx-\u003everify_mode \u003d\u003d SSL_VERIFY_CLIENT_ONCE)\n+\t\tmode \u003d MBEDTLS_SSL_VERIFY_UNSET;\n+\telse\n \t mode \u003d MBEDTLS_SSL_VERIFY_NONE;\n \n \t // printf(\u0022ssl: %p, client ca x509_crt %p, mbedtls mode %d\u005cn\u0022, ssl, x509_pm_ca-\u003ex509_crt, mode);\ndiff --git a/lib/tls/openssl/openssl-client.c b/lib/tls/openssl/openssl-client.c\nindex 2f8c8df..d074cee 100644\n--- a/lib/tls/openssl/openssl-client.c\n+++ b/lib/tls/openssl/openssl-client.c\n@@ -228,9 +228,9 @@ lws_tls_client_connect(struct lws *wsi)\n }\n \n int\n-lws_tls_client_confirm_peer_cert(struct lws *wsi)\n+lws_tls_client_confirm_peer_cert(struct lws *wsi, char *ebuf, int ebuf_len)\n {\n-#ifndef USE_WOLFSSL\n+#if !defined(USE_WOLFSSL)\n \tstruct lws_context_per_thread *pt \u003d \u0026wsi-\u003econtext-\u003ept[(int)wsi-\u003etsi];\n \tchar *p \u003d (char *)\u0026pt-\u003eserv_buf[0];\n \tchar *sb \u003d p;\n@@ -243,28 +243,38 @@ lws_tls_client_confirm_peer_cert(struct lws *wsi)\n \n \tlwsl_debug(\u0022get_verify says %d\u005cn\u0022, n);\n \n-\tif (n !\u003d X509_V_OK) {\n-\t\tif ((n \u003d\u003d X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||\n-\t\t n \u003d\u003d X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) \u0026\u0026\n-\t\t (wsi-\u003euse_ssl \u0026 LCCSCF_ALLOW_SELFSIGNED)) {\n-\t\t\tlwsl_notice(\u0022accepting self-signed certificate\u005cn\u0022);\n-\t\t} else if ((n \u003d\u003d X509_V_ERR_CERT_NOT_YET_VALID ||\n-\t\t n \u003d\u003d X509_V_ERR_CERT_HAS_EXPIRED) \u0026\u0026\n-\t\t (wsi-\u003euse_ssl \u0026 LCCSCF_ALLOW_EXPIRED)) {\n-\t\t\tlwsl_notice(\u0022accepting expired certificate\u005cn\u0022);\n-\t\t} else if (n \u003d\u003d X509_V_ERR_CERT_NOT_YET_VALID) {\n-\t\t\tlwsl_notice(\u0022Cert is from the future... \u0022\n-\t\t\t\t \u0022probably our clock... accepting...\u005cn\u0022);\n-\t\t} else {\n-\t\t\tlwsl_err(\u0022server's cert didn't look good, X509_V_ERR \u003d %d: %s\u005cn\u0022,\n-\t\t\t\t n, ERR_error_string(n, sb));\n-\t\t\tlws_ssl_elaborate_error();\n-\t\t\treturn -1;\n-\t\t}\n+\tif (n \u003d\u003d X509_V_OK)\n+\t\treturn 0;\n+\n+\tif ((n \u003d\u003d X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||\n+\t n \u003d\u003d X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) \u0026\u0026\n+\t (wsi-\u003euse_ssl \u0026 LCCSCF_ALLOW_SELFSIGNED)) {\n+\t\tlwsl_info(\u0022accepting self-signed certificate\u005cn\u0022);\n+\n+\t\treturn 0;\n \t}\n-#endif /* USE_WOLFSSL */\n+\tif ((n \u003d\u003d X509_V_ERR_CERT_NOT_YET_VALID ||\n+\t n \u003d\u003d X509_V_ERR_CERT_HAS_EXPIRED) \u0026\u0026\n+\t (wsi-\u003euse_ssl \u0026 LCCSCF_ALLOW_EXPIRED)) {\n+\t\tlwsl_info(\u0022accepting expired certificate\u005cn\u0022);\n+\t\treturn 0;\n+\t}\n+\tif (n \u003d\u003d X509_V_ERR_CERT_NOT_YET_VALID) {\n+\t\tlwsl_info(\u0022Cert is from the future... \u0022\n+\t\t\t \u0022probably our clock... accepting...\u005cn\u0022);\n+\t\treturn 0;\n+\t}\n+\tlws_snprintf(ebuf, ebuf_len,\n+\t\t\u0022server's cert didn't look good, X509_V_ERR \u003d %d: %s\u005cn\u0022,\n+\t\t n, ERR_error_string(n, sb));\n+\tlwsl_info(\u0022%s\u005cn\u0022, ebuf);\n+\tlws_ssl_elaborate_error();\n \n+\treturn -1;\n+\n+#else /* USE_WOLFSSL */\n \treturn 0;\n+#endif\n }\n \n int\ndiff --git a/minimal-examples/http-client/minimal-http-client/minimal-http-client.c b/minimal-examples/http-client/minimal-http-client/minimal-http-client.c\nindex ad19c0f..67b0076 100644\n--- a/minimal-examples/http-client/minimal-http-client/minimal-http-client.c\n+++ b/minimal-examples/http-client/minimal-http-client/minimal-http-client.c\n@@ -110,6 +110,14 @@ int main(int argc, char **argv)\n \tinfo.port \u003d CONTEXT_PORT_NO_LISTEN; /* we do not run any server */\n \tinfo.protocols \u003d protocols;\n \n+#if defined(LWS_WITH_MBEDTLS)\n+\t/*\n+\t * OpenSSL uses the system trust store. mbedTLS has to be told which\n+\t * CA to trust explicitly.\n+\t */\n+\tinfo.client_ssl_ca_filepath \u003d \u0022./warmcat.com.cer\u0022;\n+#endif\n+\n \tcontext \u003d lws_create_context(\u0026info);\n \tif (!context) {\n \t\tlwsl_err(\u0022lws init failed\u005cn\u0022);\ndiff --git a/minimal-examples/http-client/minimal-http-client/warmcat.com.cer b/minimal-examples/http-client/minimal-http-client/warmcat.com.cer\nnew file mode 100644\nindex 0000000..67de129\n--- /dev/null\n+++ b/minimal-examples/http-client/minimal-http-client/warmcat.com.cer\n@@ -0,0 +1,92 @@\n+-----BEGIN CERTIFICATE-----\n+MIIGCDCCA/CgAwIBAgIQKy5u6tl1NmwUim7bo3yMBzANBgkqhkiG9w0BAQwFADCB\n+hTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G\n+A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNV\n+BAMTIkNPTU9ETyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTQwMjEy\n+MDAwMDAwWhcNMjkwMjExMjM1OTU5WjCBkDELMAkGA1UEBhMCR0IxGzAZBgNVBAgT\n+EkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMR\n+Q09NT0RPIENBIExpbWl0ZWQxNjA0BgNVBAMTLUNPTU9ETyBSU0EgRG9tYWluIFZh\n+bGlkYXRpb24gU2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP\n+ADCCAQoCggEBAI7CAhnhoFmk6zg1jSz9AdDTScBkxwtiBUUWOqigwAwCfx3M28Sh\n+bXcDow+G+eMGnD4LgYqbSRutA776S9uMIO3Vzl5ljj4Nr0zCsLdFXlIvNN5IJGS0\n+Qa4Al/e+Z96e0HqnU4A7fK31llVvl0cKfIWLIpeNs4TgllfQcBhglo/uLQeTnaG6\n+ytHNe+nEKpooIZFNb5JPJaXyejXdJtxGpdCsWTWM/06RQ1A/WZMebFEh7lgUq/51\n+UHg+TLAchhP6a5i84DuUHoVS3AOTJBhuyydRReZw3iVDpA3hSqXttn7IzW3uLh0n\n+c13cRTCAquOyQQuvvUSH2rnlG51/ruWFgqUCAwEAAaOCAWUwggFhMB8GA1UdIwQY\n+MBaAFLuvfgI9+qbxPISOre44mOzZMjLUMB0GA1UdDgQWBBSQr2o6lFoL2JDqElZz\n+30O0Oija5zAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNV\n+HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGwYDVR0gBBQwEjAGBgRVHSAAMAgG\n+BmeBDAECATBMBgNVHR8ERTBDMEGgP6A9hjtodHRwOi8vY3JsLmNvbW9kb2NhLmNv\n+bS9DT01PRE9SU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDBxBggrBgEFBQcB\n+AQRlMGMwOwYIKwYBBQUHMAKGL2h0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NPTU9E\n+T1JTQUFkZFRydXN0Q0EuY3J0MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5jb21v\n+ZG9jYS5jb20wDQYJKoZIhvcNAQEMBQADggIBAE4rdk+SHGI2ibp3wScF9BzWRJ2p\n+mj6q1WZmAT7qSeaiNbz69t2Vjpk1mA42GHWx3d1Qcnyu3HeIzg/3kCDKo2cuH1Z/\n+e+FE6kKVxF0NAVBGFfKBiVlsit2M8RKhjTpCipj4SzR7JzsItG8kO3KdY3RYPBps\n+P0/HEZrIqPW1N+8QRcZs2eBelSaz662jue5/DJpmNXMyYE7l3YphLG5SEXdoltMY\n+dVEVABt0iN3hxzgEQyjpFv3ZBdRdRydg1vs4O2xyopT4Qhrf7W8GjEXCBgCq5Ojc\n+2bXhc3js9iPc0d1sjhqPpepUfJa3w/5Vjo1JXvxku88+vZbrac2/4EjxYoIQ5QxG\n+V/Iz2tDIY+3GH5QFlkoakdH368+PUq4NCNk+qKBR6cGHdNXJ93SrLlP7u3r7l+L4\n+HyaPs9Kg4DdbKDsx5Q5XLVq4rXmsXiBmGqW5prU5wfWYQ//u+aen/e7KJD2AFsQX\n+j4rBYKEMrltDR5FL1ZoXX/nUh8HCjLfn4g8wGTeGrODcQgPmlKidrv0PJFGUzpII\n+0fxQ8ANAe4hZ7Q7drNJ3gjTcBpUC2JD5Leo31Rpg0Gcg19hCC0Wvgmje3WYkN5Ap\n+lBlGGSW4gNfL1IYoakRwJiNiqZ+Gb7+6kHDSVneFeO/qJakXzlByjAA6quPbYzSf\n++AZxAeKCINT+b72x\n+-----END CERTIFICATE-----\n+-----BEGIN CERTIFICATE-----\n+MIIFdDCCBFygAwIBAgIQJ2buVutJ846r13Ci/ITeIjANBgkqhkiG9w0BAQwFADBv\n+MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk\n+ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF\n+eHRlcm5hbCBDQSBSb290MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFow\n+gYUxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO\n+BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMSswKQYD\n+VQQDEyJDT01PRE8gUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIICIjANBgkq\n+hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAkehUktIKVrGsDSTdxc9EZ3SZKzejfSNw\n+AHG8U9/E+ioSj0t/EFa9n3Byt2F/yUsPF6c947AEYe7/EZfH9IY+Cvo+XPmT5jR6\n+2RRr55yzhaCCenavcZDX7P0N+pxs+t+wgvQUfvm+xKYvT3+Zf7X8Z0NyvQwA1onr\n+ayzT7Y+YHBSrfuXjbvzYqOSSJNpDa2K4Vf3qwbxstovzDo2a5JtsaZn4eEgwRdWt\n+4Q08RWD8MpZRJ7xnw8outmvqRsfHIKCxH2XeSAi6pE6p8oNGN4Tr6MyBSENnTnIq\n+m1y9TBsoilwie7SrmNnu4FGDwwlGTm0+mfqVF9p8M1dBPI1R7Qu2XK8sYxrfV8g/\n+vOldxJuvRZnio1oktLqpVj3Pb6r/SVi+8Kj/9Lit6Tf7urj0Czr56ENCHonYhMsT\n+8dm74YlguIwoVqwUHZwK53Hrzw7dPamWoUi9PPevtQ0iTMARgexWO/bTouJbt7IE\n+IlKVgJNp6I5MZfGRAy1wdALqi2cVKWlSArvX31BqVUa/oKMoYX9w0MOiqiwhqkfO\n+KJwGRXa/ghgntNWutMtQ5mv0TIZxMOmm3xaG4Nj/QN370EKIf6MzOi5cHkERgWPO\n+GHFrK+ymircxXDpqR+DDeVnWIBqv8mqYqnK8V0rSS527EPywTEHl7R09XiidnMy/\n+s1Hap0flhFMCAwEAAaOB9DCB8TAfBgNVHSMEGDAWgBStvZh6NLQm9/rEJlTvA73g\n+JMtUGjAdBgNVHQ4EFgQUu69+Aj36pvE8hI6t7jiY7NkyMtQwDgYDVR0PAQH/BAQD\n+AgGGMA8GA1UdEwEB/wQFMAMBAf8wEQYDVR0gBAowCDAGBgRVHSAAMEQGA1UdHwQ9\n+MDswOaA3oDWGM2h0dHA6Ly9jcmwudXNlcnRydXN0LmNvbS9BZGRUcnVzdEV4dGVy\n+bmFsQ0FSb290LmNybDA1BggrBgEFBQcBAQQpMCcwJQYIKwYBBQUHMAGGGWh0dHA6\n+Ly9vY3NwLnVzZXJ0cnVzdC5jb20wDQYJKoZIhvcNAQEMBQADggEBAGS/g/FfmoXQ\n+zbihKVcN6Fr30ek+8nYEbvFScLsePP9NDXRqzIGCJdPDoCpdTPW6i6FtxFQJdcfj\n+Jw5dhHk3QBN39bSsHNA7qxcS1u80GH4r6XnTq1dFDK8o+tDb5VCViLvfhVdpfZLY\n+Uspzgb8c8+a4bmYRBbMelC1/kZWSWfFMzqORcUx8Rww7Cxn2obFshj5cqsQugsv5\n+B5a6SE2Q8pTIqXOi6wZ7I53eovNNVZ96YUWYGGjHXkBrI/V5eu+MtWuLt29G9Hvx\n+PUsE2JOAWVrgQSQdso8VYFhH2+9uRv0V9dlfmrPb2LjkQLPNlzmuhbsdjrzch5vR\n+pu/xO28QOG8\u003d\n+-----END CERTIFICATE-----\n+-----BEGIN CERTIFICATE-----\n+MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU\n+MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs\n+IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290\n+MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux\n+FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h\n+bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v\n+dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt\n+H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9\n+uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX\n+mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX\n+a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN\n+E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0\n+WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD\n+VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0\n+Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU\n+cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx\n+IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN\n+AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH\n+YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5\n+6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC\n+Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX\n+c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a\n+mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ\u003d\n+-----END CERTIFICATE-----\ndiff --git a/minimal-examples/ws-client/minimal-ws-client-rx/libwebsockets.org.cer b/minimal-examples/ws-client/minimal-ws-client-rx/libwebsockets.org.cer\nnew file mode 100644\nindex 0000000..67de129\n--- /dev/null\n+++ b/minimal-examples/ws-client/minimal-ws-client-rx/libwebsockets.org.cer\n@@ -0,0 +1,92 @@\n+-----BEGIN CERTIFICATE-----\n+MIIGCDCCA/CgAwIBAgIQKy5u6tl1NmwUim7bo3yMBzANBgkqhkiG9w0BAQwFADCB\n+hTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G\n+A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNV\n+BAMTIkNPTU9ETyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTQwMjEy\n+MDAwMDAwWhcNMjkwMjExMjM1OTU5WjCBkDELMAkGA1UEBhMCR0IxGzAZBgNVBAgT\n+EkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMR\n+Q09NT0RPIENBIExpbWl0ZWQxNjA0BgNVBAMTLUNPTU9ETyBSU0EgRG9tYWluIFZh\n+bGlkYXRpb24gU2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP\n+ADCCAQoCggEBAI7CAhnhoFmk6zg1jSz9AdDTScBkxwtiBUUWOqigwAwCfx3M28Sh\n+bXcDow+G+eMGnD4LgYqbSRutA776S9uMIO3Vzl5ljj4Nr0zCsLdFXlIvNN5IJGS0\n+Qa4Al/e+Z96e0HqnU4A7fK31llVvl0cKfIWLIpeNs4TgllfQcBhglo/uLQeTnaG6\n+ytHNe+nEKpooIZFNb5JPJaXyejXdJtxGpdCsWTWM/06RQ1A/WZMebFEh7lgUq/51\n+UHg+TLAchhP6a5i84DuUHoVS3AOTJBhuyydRReZw3iVDpA3hSqXttn7IzW3uLh0n\n+c13cRTCAquOyQQuvvUSH2rnlG51/ruWFgqUCAwEAAaOCAWUwggFhMB8GA1UdIwQY\n+MBaAFLuvfgI9+qbxPISOre44mOzZMjLUMB0GA1UdDgQWBBSQr2o6lFoL2JDqElZz\n+30O0Oija5zAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNV\n+HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGwYDVR0gBBQwEjAGBgRVHSAAMAgG\n+BmeBDAECATBMBgNVHR8ERTBDMEGgP6A9hjtodHRwOi8vY3JsLmNvbW9kb2NhLmNv\n+bS9DT01PRE9SU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDBxBggrBgEFBQcB\n+AQRlMGMwOwYIKwYBBQUHMAKGL2h0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NPTU9E\n+T1JTQUFkZFRydXN0Q0EuY3J0MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5jb21v\n+ZG9jYS5jb20wDQYJKoZIhvcNAQEMBQADggIBAE4rdk+SHGI2ibp3wScF9BzWRJ2p\n+mj6q1WZmAT7qSeaiNbz69t2Vjpk1mA42GHWx3d1Qcnyu3HeIzg/3kCDKo2cuH1Z/\n+e+FE6kKVxF0NAVBGFfKBiVlsit2M8RKhjTpCipj4SzR7JzsItG8kO3KdY3RYPBps\n+P0/HEZrIqPW1N+8QRcZs2eBelSaz662jue5/DJpmNXMyYE7l3YphLG5SEXdoltMY\n+dVEVABt0iN3hxzgEQyjpFv3ZBdRdRydg1vs4O2xyopT4Qhrf7W8GjEXCBgCq5Ojc\n+2bXhc3js9iPc0d1sjhqPpepUfJa3w/5Vjo1JXvxku88+vZbrac2/4EjxYoIQ5QxG\n+V/Iz2tDIY+3GH5QFlkoakdH368+PUq4NCNk+qKBR6cGHdNXJ93SrLlP7u3r7l+L4\n+HyaPs9Kg4DdbKDsx5Q5XLVq4rXmsXiBmGqW5prU5wfWYQ//u+aen/e7KJD2AFsQX\n+j4rBYKEMrltDR5FL1ZoXX/nUh8HCjLfn4g8wGTeGrODcQgPmlKidrv0PJFGUzpII\n+0fxQ8ANAe4hZ7Q7drNJ3gjTcBpUC2JD5Leo31Rpg0Gcg19hCC0Wvgmje3WYkN5Ap\n+lBlGGSW4gNfL1IYoakRwJiNiqZ+Gb7+6kHDSVneFeO/qJakXzlByjAA6quPbYzSf\n++AZxAeKCINT+b72x\n+-----END CERTIFICATE-----\n+-----BEGIN CERTIFICATE-----\n+MIIFdDCCBFygAwIBAgIQJ2buVutJ846r13Ci/ITeIjANBgkqhkiG9w0BAQwFADBv\n+MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk\n+ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF\n+eHRlcm5hbCBDQSBSb290MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFow\n+gYUxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO\n+BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMSswKQYD\n+VQQDEyJDT01PRE8gUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIICIjANBgkq\n+hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAkehUktIKVrGsDSTdxc9EZ3SZKzejfSNw\n+AHG8U9/E+ioSj0t/EFa9n3Byt2F/yUsPF6c947AEYe7/EZfH9IY+Cvo+XPmT5jR6\n+2RRr55yzhaCCenavcZDX7P0N+pxs+t+wgvQUfvm+xKYvT3+Zf7X8Z0NyvQwA1onr\n+ayzT7Y+YHBSrfuXjbvzYqOSSJNpDa2K4Vf3qwbxstovzDo2a5JtsaZn4eEgwRdWt\n+4Q08RWD8MpZRJ7xnw8outmvqRsfHIKCxH2XeSAi6pE6p8oNGN4Tr6MyBSENnTnIq\n+m1y9TBsoilwie7SrmNnu4FGDwwlGTm0+mfqVF9p8M1dBPI1R7Qu2XK8sYxrfV8g/\n+vOldxJuvRZnio1oktLqpVj3Pb6r/SVi+8Kj/9Lit6Tf7urj0Czr56ENCHonYhMsT\n+8dm74YlguIwoVqwUHZwK53Hrzw7dPamWoUi9PPevtQ0iTMARgexWO/bTouJbt7IE\n+IlKVgJNp6I5MZfGRAy1wdALqi2cVKWlSArvX31BqVUa/oKMoYX9w0MOiqiwhqkfO\n+KJwGRXa/ghgntNWutMtQ5mv0TIZxMOmm3xaG4Nj/QN370EKIf6MzOi5cHkERgWPO\n+GHFrK+ymircxXDpqR+DDeVnWIBqv8mqYqnK8V0rSS527EPywTEHl7R09XiidnMy/\n+s1Hap0flhFMCAwEAAaOB9DCB8TAfBgNVHSMEGDAWgBStvZh6NLQm9/rEJlTvA73g\n+JMtUGjAdBgNVHQ4EFgQUu69+Aj36pvE8hI6t7jiY7NkyMtQwDgYDVR0PAQH/BAQD\n+AgGGMA8GA1UdEwEB/wQFMAMBAf8wEQYDVR0gBAowCDAGBgRVHSAAMEQGA1UdHwQ9\n+MDswOaA3oDWGM2h0dHA6Ly9jcmwudXNlcnRydXN0LmNvbS9BZGRUcnVzdEV4dGVy\n+bmFsQ0FSb290LmNybDA1BggrBgEFBQcBAQQpMCcwJQYIKwYBBQUHMAGGGWh0dHA6\n+Ly9vY3NwLnVzZXJ0cnVzdC5jb20wDQYJKoZIhvcNAQEMBQADggEBAGS/g/FfmoXQ\n+zbihKVcN6Fr30ek+8nYEbvFScLsePP9NDXRqzIGCJdPDoCpdTPW6i6FtxFQJdcfj\n+Jw5dhHk3QBN39bSsHNA7qxcS1u80GH4r6XnTq1dFDK8o+tDb5VCViLvfhVdpfZLY\n+Uspzgb8c8+a4bmYRBbMelC1/kZWSWfFMzqORcUx8Rww7Cxn2obFshj5cqsQugsv5\n+B5a6SE2Q8pTIqXOi6wZ7I53eovNNVZ96YUWYGGjHXkBrI/V5eu+MtWuLt29G9Hvx\n+PUsE2JOAWVrgQSQdso8VYFhH2+9uRv0V9dlfmrPb2LjkQLPNlzmuhbsdjrzch5vR\n+pu/xO28QOG8\u003d\n+-----END CERTIFICATE-----\n+-----BEGIN CERTIFICATE-----\n+MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU\n+MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs\n+IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290\n+MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux\n+FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h\n+bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v\n+dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt\n+H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9\n+uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX\n+mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX\n+a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN\n+E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0\n+WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD\n+VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0\n+Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU\n+cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx\n+IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN\n+AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH\n+YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5\n+6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC\n+Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX\n+c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a\n+mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ\u003d\n+-----END CERTIFICATE-----\ndiff --git a/minimal-examples/ws-client/minimal-ws-client-rx/minimal-ws-client.c b/minimal-examples/ws-client/minimal-ws-client-rx/minimal-ws-client.c\nindex 1ae557f..1892a35 100644\n--- a/minimal-examples/ws-client/minimal-ws-client-rx/minimal-ws-client.c\n+++ b/minimal-examples/ws-client/minimal-ws-client-rx/minimal-ws-client.c\n@@ -6,7 +6,7 @@\n * This file is made available under the Creative Commons CC0 1.0\n * Universal Public Domain Dedication.\n *\n- * This demonstrates the a minimal http client using lws.\n+ * This demonstrates the a minimal ws client using lws.\n *\n * It connects to https://libwebsockets.org/ and makes a\n * wss connection to the dumb-increment protocol there. While\n@@ -92,6 +92,13 @@ int main(int argc, char **argv)\n \tinfo.options \u003d LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT;\n \tinfo.port \u003d CONTEXT_PORT_NO_LISTEN; /* we do not run any server */\n \tinfo.protocols \u003d protocols;\n+#if defined(LWS_WITH_MBEDTLS)\n+\t/*\n+\t * OpenSSL uses the system trust store. mbedTLS has to be told which\n+\t * CA to trust explicitly.\n+\t */\n+\tinfo.client_ssl_ca_filepath \u003d \u0022./libwebsockets.org.cer\u0022;\n+#endif\n \n \tcontext \u003d lws_create_context(\u0026info);\n \tif (!context) {\n@@ -102,12 +109,12 @@ int main(int argc, char **argv)\n \tmemset(\u0026i, 0, sizeof i); /* otherwise uninitialized garbage */\n \ti.context \u003d context;\n \n-\ti.port \u003d 7681;\n-\ti.address \u003d \u0022localhost\u0022;\n+\ti.port \u003d 443;\n+\ti.address \u003d \u0022libwebsockets.org\u0022;\n \ti.path \u003d \u0022/\u0022;\n \ti.host \u003d i.address;\n \ti.origin \u003d i.address;\n-\ti.ssl_connection \u003d 0;\n+\ti.ssl_connection \u003d 1;\n \n \ti.protocol \u003d protocols[0].name; /* \u0022dumb-increment-protocol\u0022 */\n \ti.pwsi \u003d \u0026client_wsi;\ndiff --git a/test-apps/test-client.c b/test-apps/test-client.c\nindex c5acd60..91049ea 100644\n--- a/test-apps/test-client.c\n+++ b/test-apps/test-client.c\n@@ -724,8 +724,13 @@ int main(int argc, char **argv)\n #endif\n \t}\n \n-\tif (use_ssl \u0026 LCCSCF_USE_SSL)\n+\tif (use_ssl \u0026 LCCSCF_USE_SSL) {\n \t\tlwsl_notice(\u0022 Using SSL\u005cn\u0022);\n+#if defined(LWS_WITH_MBEDTLS)\n+\t\tlwsl_notice(\u0022 (NOTE: mbedtls needs to be given the remote\u005cn\u0022);\n+\t\tlwsl_notice(\u0022 CA cert to trust (with -A) to validate it)\u005cn\u0022);\n+#endif\n+\t}\n \telse\n \t\tlwsl_notice(\u0022 SSL disabled\u005cn\u0022);\n \tif (use_ssl \u0026 LCCSCF_ALLOW_SELFSIGNED)\n","s":{"c":1754388958,"u": 8912}} ],"g": 11108,"chitpc": 0,"ehitpc": 0,"indexed":0 , "ab": 0, "si": 0, "db":0, "di":0, "sat":0, "lfc": "0000"}