[Libwebsockets] Server cert verfication by client

Subi S S subi.s at cambiumnetworks.com
Fri Jan 8 04:24:47 CET 2016


Hi Techi,

Option -DLWS_OPENSSL_CLIENT_CERTS should work  Please find the following,

       /* openssl init for cert verification (for client sockets) */
       if (!info->ssl_ca_filepath) {
              if (!SSL_CTX_load_verify_locations(
                     context->ssl_client_ctx, NULL,
                                       LWS_OPENSSL_CLIENT_CERTS))
                     lwsl_err(
                         "Unable to load SSL Client certs from %s "
                         "(set by --with-client-cert-dir= "
                         "in configure) --  client ssl isn't "
                         "going to work", LWS_OPENSSL_CLIENT_CERTS);

So make sure that if you have multiple CA’s don’t set info->ssl_ca_filepath, instead during compile time set MACRO LWS_OPENSSL_CLIENT_CERTS to a directory
which contain all the required CA’s (including intermediate, if server Sends intermediate CA as chain during SSL handshake intermediate CA may not be required but Root CA should be there).

Thanks,
Subi

From: techi eth [mailto:andy.green at linaro.org]
Sent: 05 January 2016 15:31
To: Subi S S <andy.green at linaro.org>
Cc: libwebsockets at ml.libwebsockets.org
Subject: Re: [Libwebsockets] Server cert verfication by client

Thanks for input.
Is that call verify(SSL_get_verify_result) chain available in server certificate  ?
I have tried to use -DLWS_OPENSSL_CLIENT_CERTS option due to multiple ca but i think openssl always taking cert from SSL_CERT_PATH (Path used by openssl)

On Mon, Jan 4, 2016 at 9:33 AM, Subi S S <andy.green at linaro.org<mailto:andy.green at linaro.org>> wrote:
Hi Techi,

When use_ssl is set to ‘1’  , server certificate will be verified by library itself using openssl ( see client.c)
                                    lws_latency_pre(context, wsi);
                                    n = SSL_get_verify_result(wsi->ssl);
                                    lws_latency(context, wsi,
                                                "SSL_get_verify_result LWS_CONNMODE..HANDSHAKE",
                                                                                                      n, n > 0);
                                    if ((n != X509_V_OK) && (
                                                n != X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
                                                                                       wsi->use_ssl != 2)) {

                                                lwsl_err(
                                                      "server's cert didn't look good %d\n", n);
                                                libwebsocket_close_and_free_session(context,
                                                                        wsi, LWS_CLOSE_STATUS_NOSTATUS);
                                                return 0;

If you want to override the openssl validation or you want to do host name validation etc, you can set your own openSSL call backs.
for example SSL_CTX_set_cert_verify_callback under LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS

If you have multiple ca certs , you can set the directory path during libwebsocket compilation  for example -DLWS_OPENSSL_CLIENT_CERTS=/etc/cacerts/

There is also option to set a ca file during the  during ctx creation  ( set the path in ssl_ca_filepath attribute).

Thanks,
Subi

From: techi eth [mailto:andy.green at linaro.org<mailto:andy.green at linaro.org>]
Sent: 31 December 2015 18:32
To: libwebsockets at ml.libwebsockets.org<mailto:libwebsockets at ml.libwebsockets.org>
Subject: [Libwebsockets] Server cert verfication by client

Hi,

In the case of encrypted ssl_connection (use_ssl = 1),if client needs to verify server certificate then what is the way to do the same.
I was just thinking LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS is used for same but I could not able to conclude.

If this callback needs to be used then do i need to do similar logic done in OpenSSL_verify_callback function.

Techi

_______________________________________________
Libwebsockets mailing list
Libwebsockets at ml.libwebsockets.org<mailto:Libwebsockets at ml.libwebsockets.org>
http://ml.libwebsockets.org/mailman/listinfo/libwebsockets

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://libwebsockets.org/pipermail/libwebsockets/attachments/20160108/c875130b/attachment-0001.html>


More information about the Libwebsockets mailing list