[Libwebsockets] Server cert verification by client

Andy Green andy at warmcat.com
Wed Jan 6 04:53:50 CET 2016



On 01/05/2016 06:00 PM, techi eth wrote:
> Thanks for input.
>
> Is that call verify(SSL_get_verify_result) chain available in server
> certificate?

No, if your situation is what I (and Subi, it seems) think it is, you got 
a cheapo cert (as you should...) that is like this:

expensive CA signed -->
   cheapo CA cert, who signed -->
     Your cert

The problem is that the intermediate cert is not in system CA bundles.

If you just feed it your cert, OpenSSL cannot confirm the intermediate cert.

So you have to use the callback Subi mentioned to feed OpenSSL the other 
necessary certs yourself, so it can use them to validate your cert.

-Andy
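Added example, not code from this thread or from libwebsockets: a POSIX shell script that uses only the openssl command-line tool to build the three-cert chain Andy describes, then verifies the leaf once with only the root trusted (the system-bundle situation) and once with the intermediate handed to OpenSSL as an extra cert. The CA names, the host name ws.example.test, the $WORK directory and the generated keys are all constructed for the demonstration; it assumes an OpenSSL 1.1.1-or-later CLI.

```shell
#!/bin/sh
# Added example (not from the thread or libwebsockets): reproduce the
# "intermediate CA is not in the trust store" failure with the openssl CLI,
# then show that supplying the intermediate makes the same leaf verify.
#
# Chain built here, all keys/certs generated on the fly and throwaway:
#   Demo Root CA (self-signed) --> Demo Intermediate CA --> leaf (server cert)

WORK="${TMPDIR:-/tmp}/lws-chain-demo.$$"

# gen_chain: build root -> intermediate -> leaf under $WORK.
# Every cert goes through a CSR plus "openssl x509 -req" so the CA
# extensions come from our own extfile, not from the system openssl.cnf.
gen_chain() {
    mkdir -p "$WORK" || return 1

    # Without CA:TRUE the intermediate could not sign at all, which would be
    # a different verify error (invalid CA) than the one discussed in the thread.
    printf '[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    printf '[leaf]\nbasicConstraints=CA:FALSE\nsubjectAltName=DNS:ws.example.test\n' \
        > "$WORK/leaf.ext"

    # 1. Self-signed root (stands in for the "expensive CA").
    #    -nodes is deprecated in OpenSSL 3 but still accepted.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 2 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -extfile "$WORK/ca.ext" -extensions ca \
        -out "$WORK/root.pem" >/dev/null 2>&1 || return 1

    # 2. Intermediate (the "cheapo CA"), signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout "$WORK/intermediate.key" -out "$WORK/intermediate.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 2 -in "$WORK/intermediate.csr" \
        -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
        -extfile "$WORK/ca.ext" -extensions ca \
        -out "$WORK/intermediate.pem" >/dev/null 2>&1 || return 1

    # 3. Leaf ("your cert"), signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ws.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 2 -in "$WORK/leaf.csr" \
        -CA "$WORK/intermediate.pem" -CAkey "$WORK/intermediate.key" -CAcreateserial \
        -extfile "$WORK/leaf.ext" -extensions leaf \
        -out "$WORK/leaf.pem" >/dev/null 2>&1 || return 1
}

# verify_with_root_only: the trust store holds only the root, like a system
# CA bundle that knows the big CA but not the reseller's intermediate.
# Exit status is openssl's: non-zero means verification failed.
verify_with_root_only() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# verify_with_intermediate: same trust anchor, but the intermediate is given
# to OpenSSL as an extra, untrusted chain-building cert. This is the CLI
# analogue of feeding the extra cert to OpenSSL from the lws callback.
verify_with_intermediate() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/intermediate.pem" \
        "$WORK/leaf.pem" >/dev/null 2>&1
}

# verify_error_code: the numeric X509 verify error reported for the leaf when
# only the root is trusted (empty string if it unexpectedly verifies).
verify_error_code() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" 2>&1 | \
        sed -n 's/^error \([0-9]*\) at .*/\1/p' | head -n 1
}

gen_chain || { echo "cert generation failed"; exit 1; }
if verify_with_root_only; then
    echo "root only: verified (unexpected)"
else
    echo "root only: FAILED, X509 verify error $(verify_error_code)"
fi
if verify_with_intermediate; then
    echo "root + intermediate: verified"
else
    echo "root + intermediate: FAILED (unexpected)"
fi
```

With only the root in the store, openssl verify reports X509 verify error 20 (unable to get local issuer certificate), the same kind of non-X509_V_OK result that the client.c check quoted further down in this thread would reject; once OpenSSL is handed the intermediate it can complete the chain up to the trusted root. In a libwebsockets client the counterpart of -untrusted is to load the intermediate into the client context's store from the LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS callback, e.g. with X509_STORE_add_cert(SSL_CTX_get_cert_store(ctx), intermediate); that the callback's user pointer is the client SSL_CTX* is an assumption to check against the headers of the libwebsockets version in use.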

> I have tried to use the -DLWS_OPENSSL_CLIENT_CERTS option due to multiple CAs,
> but I think openssl is always taking the cert from SSL_CERT_PATH (the path used by
> openssl).
>
> On Mon, Jan 4, 2016 at 9:33 AM, Subi S S <andy.green at linaro.org
> <mailto:andy.green at linaro.org>> wrote:
>
>     Hi Techi,
>
>     When use_ssl is set to '1', the server certificate will be verified by
>     the library itself using openssl (see client.c):
>
>         lws_latency_pre(context, wsi);
>         n = SSL_get_verify_result(wsi->ssl);
>         lws_latency(context, wsi,
>                     "SSL_get_verify_result LWS_CONNMODE..HANDSHAKE",
>                     n, n > 0);
>         if ((n != X509_V_OK) && (
>                 n != X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
>                 wsi->use_ssl != 2)) {
>
>                 lwsl_err(
>                     "server's _cert_ didn't look good %d\n", n);
>                 libwebsocket_close_and_free_session(context,
>                                 wsi, LWS_CLOSE_STATUS_NOSTATUS);
>                 return 0;
>         }
>
>     If you want to override the openssl validation or you want to do
>     host name validation etc., you can set your own openSSL callbacks,
>     for example SSL_CTX_set_cert_verify_callback under
>     LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS.
>
>     If you have multiple CA certs, you can set the directory path
>     during libwebsocket compilation, for example
>     -DLWS_OPENSSL_CLIENT_CERTS=/etc/cacerts/
>
>     There is also an option to set a CA file during ctx
>     creation (set the path in the ssl_ca_filepath attribute).
>
>     Thanks,
>
>     Subi
>
>
>     *From:* techi eth [mailto:andy.green at linaro.org
>     <mailto:andy.green at linaro.org>]
>     *Sent:* 31 December 2015 18:32
>     *To:* libwebsockets at ml.libwebsockets.org
>     <mailto:libwebsockets at ml.libwebsockets.org>
>     *Subject:* [Libwebsockets] Server cert verification by client
>
>     Hi,
>
>     In the case of an encrypted ssl_connection (use_ssl = 1), if the client
>     needs to verify the server certificate, then what is the way to do the
>     same?
>
>     I was just thinking
>     LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS is used for the same,
>     but I was not able to conclude.
>
>     If this callback needs to be used, then do I need to do similar logic
>     to that done in the OpenSSL_verify_callback function?
>
>     Techi
>
>
>     _______________________________________________
>     Libwebsockets mailing list
>     Libwebsockets at ml.libwebsockets.org
>     <mailto:Libwebsockets at ml.libwebsockets.org>
>     http://ml.libwebsockets.org/mailman/listinfo/libwebsockets
>


