[Libwebsockets] Bug for SSL client connection ?

"Andy Green (林安廸)" andy at warmcat.com
Sat Mar 15 03:54:54 CET 2014


On 13/03/14 10:27, the mail apparently from luc Renambot included:
> Hi,
>
> Here's my setup:
>    - https server with a valid certificate (not self-signed)
>       server written in node.js  on Linux
>    - clients (web browsers) can access the pages fine, showing a validated
> certificate
>
> I'm writing a client using libwebsockets using an SSL connection (wss://....)
> and I keep getting "error 20"
>     X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer
> certificate
>
> Indeed, if I try to verify the certificate:
>     openssl s_client -connect myserver:443
>     that fails
>
> but: openssl s_client -connect myserver:443  -CApath /etc/ssl
>      succeeds
>
> Apparently, clients need a call to 'SSL_CTX_set_default_verify_paths'

I see, it seems to be so.

> So in the client code of libwebsockets, I added (lib/client.c line 128):
>       SSL_CTX_set_default_verify_paths(context->ssl_client_ctx);

That's the wrong place I think.

You just need to do it once when the context is created.

> And now it all works again.
>
> Can anybody with more knowledge of OpenSSL confirm this?

What's going on is you need to make this call to get openssl to load the 
default CA root certs from your OS.

Most people want this, but some people who might feel they face an 
adversary who can create his own certs forging the one you bought 
(because he owns the CA, he compromised the CA, he threatens the CA etc) 
definitely do not want this.

It's not that paranoid

https://bugzilla.mozilla.org/show_bug.cgi?id=542689

the Chinese government CNNIC can make certs that will be accepted for 
your site if your OS has the CNNIC CA root cert like Mozilla does...

So I moved it and added an option to cmake, defaulting to ON, which 
controls if the client trusts the CA certs in the OS or not.

Please give it a try

http://git.libwebsockets.org/cgi-bin/cgit/libwebsockets/commit/?id=d2ec7adbab4bfb162ea3df516bd8e9bbf6957647

-Andy


> Thanks,
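An added illustration (not libwebsockets code, and not part of the thread) of the two trust configurations discussed above, written with Python's ssl module, which wraps the same OpenSSL calls: `load_default_certs()` is the counterpart of `SSL_CTX_set_default_verify_paths()`, and `load_verify_locations()` is the "trust only this CA" alternative. The host and CA file names are assumptions.

```python
import socket
import ssl
from typing import Optional

def os_default_verify_paths() -> dict:
    """The CA file and directory OpenSSL consults once default verify paths are set."""
    p = ssl.get_default_verify_paths()
    return {"cafile": p.cafile, "capath": p.capath,
            "openssl_cafile": p.openssl_cafile, "openssl_capath": p.openssl_capath}

def make_client_context(trust_os_cas: bool, cafile: Optional[str] = None) -> ssl.SSLContext:
    """Build a verifying client context for a wss:// connection.

    trust_os_cas=True is the equivalent of SSL_CTX_set_default_verify_paths():
    the OS root store is loaded (the cmake option defaulting to ON).
    trust_os_cas=False with a cafile trusts only that CA, so a certificate
    minted by any other CA the OS happens to trust is rejected.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED   # SSL_VERIFY_PEER: a failed verify aborts the handshake
    ctx.check_hostname = True             # the name in the cert must match the host we asked for
    if trust_os_cas:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    return ctx

def trusted_ca_count(ctx: ssl.SSLContext) -> int:
    """Number of CA certificates in the context's X509 store (0 for a fresh SSL_CTX)."""
    return ctx.cert_store_stats()["x509_ca"]

def handshake_verify_code(host: str, ctx: ssl.SSLContext, port: int = 443) -> int:
    """Attempt a TLS handshake; return 0 on success or the X509 verify error code.

    With an empty store the failure is code 20 (unable to get local issuer
    certificate), the symptom reported in the thread.
    """
    try:
        with socket.create_connection((host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return 0
    except ssl.SSLCertVerificationError as e:
        return e.verify_code

if __name__ == "__main__":
    print("OpenSSL default paths:", os_default_verify_paths())
    print("CAs with OS store:", trusted_ca_count(make_client_context(True)))
    print("CAs without:", trusted_ca_count(make_client_context(False)))
    # handshake_verify_code("myserver.example", make_client_context(False)) -> 20 (assumed host)
```

A fresh context holds no trust anchors at all, which is why the handshake fails with error 20 until either the OS store or an explicit CA file is loaded.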
