[Libwebsockets] Verifying client certificate

Andy Green andy at warmcat.com
Sat Dec 10 01:36:01 CET 2016


On Fri, 2016-12-09 at 19:55 +0100, Denis Osvald wrote:
> Hi,
> 
> I'd like to both authenticate and identify incoming websocket clients
> using the TLS client certificates they provide.

Right.

> I can authenticate the clients by using
> LWS_SERVER_OPTION_REQUIRE_VALID_OPENSSL_CLIENT_CERT and
> LWS_CALLBACK_OPENSSL_PERFORM_CLIENT_CERT_VERIFICATION.

Yes.

> I'd like to store information derived from the certificate (whether it
> was valid, values of some fields...) somewhere per-wsi and use that data
> to identify / discriminate clients. However, the wsi
> provided in the verify callback is a fake one.

Right.

> In a related thread with a very similar problem [1], there was a
> proposed patch that however didn't correctly map
> the certificate info to correct per-protocol wsi struct.

Alexander's code can be simplified quite a bit... he doesn't need a
struct to hold a compounding of context + wsi, every wsi has a context
* in it.  So if what he was doing works more or less, just passing the
wsi * in the ex_data instead of the vhost as currently is enough.

> Andy, do you think it would be useful to expose in wsi a public SSL /
> X509 certificate info getter if the wsi is SSL?

Yeah, if you're offering.

I assume it's something like an api that given a wsi, can return things
like common names from the cert.  And ideally, not tied to openssl,
although I guess using its enums if it has them for certificate
elements would be OK, since other implementations can translate them.
But the public part should preferably not use any openssl types or
objects.

-Andy

> [1] https://libwebsockets.org/pipermail/libwebsockets/2015-August/001875.html
> 
> Regards,
> 
> Denis
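The per-connection record Denis describes (verified flag plus fields taken from the client certificate), as an added example that is not part of this thread or of libwebsockets: it is written in Go against the standard library's crypto/tls and crypto/x509, where ClientAuth: tls.RequireAndVerifyClientCert plays the role of LWS_SERVER_OPTION_REQUIRE_VALID_OPENSSL_CLIENT_CERT and the verified chains are read per connection from tls.ConnectionState().VerifiedChains, so no ex_data mapping back to the connection is needed. ClientIdentity, IdentityFromChains and SelfSignedClientCert are assumed names, and the sample certificate is constructed in code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// ClientIdentity is the per-connection record derived from the client
// certificate (the data the thread wants to keep per wsi).
type ClientIdentity struct {
	Verified   bool
	CommonName string
	DNSNames   []string
}

// IdentityFromChains derives that record from the chains crypto/tls verified
// against ClientCAs (tls.ConnectionState().VerifiedChains); chains[0][0] is the
// leaf. No verified chain yields an unverified, empty record, never a named one.
func IdentityFromChains(chains [][]*x509.Certificate) (ClientIdentity, error) {
	if len(chains) == 0 || len(chains[0]) == 0 {
		return ClientIdentity{}, errors.New("no verified client certificate chain")
	}
	leaf := chains[0][0]
	return ClientIdentity{Verified: true, CommonName: leaf.Subject.CommonName, DNSNames: leaf.DNSNames}, nil
}

// SelfSignedClientCert is a constructed sample certificate so the example runs
// offline; real deployments use CA-issued client certificates.
func SelfSignedClientCert(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn + ".clients.example"}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Store the returned ClientIdentity alongside the connection after the handshake and make authorization decisions from it only when Verified is true; the callback itself never needs the connection pointer.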