[Libwebsockets] Server cert verification by client

techi eth techieth at gmail.com
Tue Jan 5 11:00:50 CET 2016


Thanks for input.

Is that verify call (SSL_get_verify_result) chain available in the server
certificate?

I have tried to use the -DLWS_OPENSSL_CLIENT_CERTS option due to multiple CAs,
but I think OpenSSL is always taking the cert from SSL_CERT_PATH (the path used
by OpenSSL).

On Mon, Jan 4, 2016 at 9:33 AM, Subi S S <andy.green at linaro.org> wrote:

> Hi Techi,
>
> When use_ssl is set to '1', the server certificate will be verified by the
> library itself using OpenSSL (see client.c):
>
>     lws_latency_pre(context, wsi);
>     n = SSL_get_verify_result(wsi->ssl);
>     lws_latency(context, wsi,
>                 "SSL_get_verify_result LWS_CONNMODE..HANDSHAKE",
>                 n, n > 0);
>     if ((n != X509_V_OK) && (
>             n != X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
>             wsi->use_ssl != 2)) {
>             lwsl_err("server's cert didn't look good %d\n", n);
>             libwebsocket_close_and_free_session(context, wsi,
>                                                 LWS_CLOSE_STATUS_NOSTATUS);
>             return 0;
>     }
>
> If you want to override the OpenSSL validation, or you want to do host name
> validation etc., you can set your own OpenSSL callbacks, for example
> SSL_CTX_set_cert_verify_callback under
> LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS.
>
> If you have multiple CA certs, you can set the directory path during
> libwebsocket compilation, for example
> -DLWS_OPENSSL_CLIENT_CERTS=/etc/cacerts/
>
> There is also an option to set a CA file during ctx creation (set the path
> in the ssl_ca_filepath attribute).
>
> Thanks,
>
> Subi
>
>
>
> *From:* techi eth [mailto:andy.green at linaro.org]
> *Sent:* 31 December 2015 18:32
> *To:* libwebsockets at ml.libwebsockets.org
> *Subject:* [Libwebsockets] Server cert verification by client
>
>
>
> Hi,
>
>
>
> In the case of an encrypted ssl_connection (use_ssl = 1), if the client needs
> to verify the server certificate, then what is the way to do so?
>
> I was just thinking LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS is
> used for the same, but I was not able to conclude.
>
> If this callback needs to be used, then do I need to do similar logic to what
> is done in the OpenSSL_verify_callback function?
>
> Techi
>
> _______________________________________________
> Libwebsockets mailing list
> Libwebsockets at ml.libwebsockets.org
> http://ml.libwebsockets.org/mailman/listinfo/libwebsockets
>
>
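Subi's reply makes the security-relevant point of this thread: lws only checks the chain result from SSL_get_verify_result, so host name validation has to be supplied by the client's own verify callback (SSL_CTX_set_cert_verify_callback installed under LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS). As an added example, not code from the thread or from libwebsockets, here is the host-name matching such a callback would apply to the certificate's dNSName SANs; it is plain C so it builds without OpenSSL, and the names cert_name_matches and host_matches_any are my own.

```c
/* Host-name matching for a TLS client verify callback (added example). */
#include <ctype.h>
#include <string.h>

/* Case-insensitive equality of two DNS names of given lengths. */
static int ci_equal(const char *a, size_t alen, const char *b, size_t blen) {
    if (alen != blen) return 0;
    for (size_t i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Returns 1 if a certificate name (dNSName SAN) matches the dialed host.
 * Rules follow RFC 6125 practice: only a single, whole leftmost label may be
 * a wildcard ("*.example.com"), it never matches across a dot, and at least
 * two labels must follow it so "*.com" is rejected. */
int cert_name_matches(const char *pattern, const char *host) {
    size_t plen = strlen(pattern), hlen = strlen(host);
    if (plen && pattern[plen - 1] == '.') plen--;   /* tolerate a trailing dot */
    if (hlen && host[hlen - 1] == '.') hlen--;
    if (plen == 0 || hlen == 0) return 0;
    if (pattern[0] != '*')
        return ci_equal(pattern, plen, host, hlen);
    if (plen < 2 || pattern[1] != '.') return 0;     /* wildcard must be "*." */
    const char *rest = pattern + 1;                  /* ".example.com" */
    size_t rlen = plen - 1;
    int dots = 0;
    for (size_t i = 0; i < rlen; i++) if (rest[i] == '.') dots++;
    if (dots < 2 || memchr(rest + 1, '*', rlen - 1)) return 0;
    const char *hdot = memchr(host, '.', hlen);
    if (!hdot || hdot == host) return 0;             /* host needs a first label */
    return ci_equal(rest, rlen, hdot, hlen - (size_t)(hdot - host));
}

/* Given the dNSName SANs collected from the peer certificate (in a real
 * callback via X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL) on
 * X509_STORE_CTX_get0_cert(ctx)), return 1 when any matches the dialed host.
 * A zero return is where the callback should fail the handshake. */
int host_matches_any(const char *const *names, size_t n, const char *host) {
    for (size_t i = 0; i < n; i++)
        if (cert_name_matches(names[i], host)) return 1;
    return 0;
}
```

The host passed in must be the name the client dialed, not anything read from the certificate, otherwise the check verifies nothing.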

