[Libwebsockets] Server cert verfication by client

Subi S S subi.s at cambiumnetworks.com
Mon Jan 4 05:03:10 CET 2016

Hi Techi,

When use_ssl is set to ‘1’  , server certificate will be verified by library itself using openssl ( see client.c)
                                    lws_latency_pre(context, wsi);
                                    n = SSL_get_verify_result(wsi->ssl);
                                    lws_latency(context, wsi,
                                                "SSL_get_verify_result LWS_CONNMODE..HANDSHAKE",
                                                                                                      n, n > 0);
                                    if ((n != X509_V_OK) && (
                                                n != X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
                                                                                       wsi->use_ssl != 2)) {

                                                      "server's cert didn't look good %d\n", n);
                                                                        wsi, LWS_CLOSE_STATUS_NOSTATUS);
                                                return 0;

If you want to override the openssl validation or you want to do host name validation etc, you can set your own openSSL call backs.
for example SSL_CTX_set_cert_verify_callback under LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS

If you have multiple ca certs , you can set the directory path during libwebsocket compilation  for example -DLWS_OPENSSL_CLIENT_CERTS=/etc/cacerts/

There is also option to set a ca file during the  during ctx creation  ( set the path in ssl_ca_filepath attribute).


From: techi eth [mailto:andy.green at linaro.org]
Sent: 31 December 2015 18:32
To: libwebsockets at ml.libwebsockets.org
Subject: [Libwebsockets] Server cert verfication by client


In the case of encrypted ssl_connection (use_ssl = 1),if client needs to verify server certificate then what is the way to do the same.
I was just thinking LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS is used for same but I could not able to conclude.

If this callback needs to be used then do i need to do similar logic done in OpenSSL_verify_callback function.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://libwebsockets.org/pipermail/libwebsockets/attachments/20160104/d738a6c3/attachment.html>

More information about the Libwebsockets mailing list