[Libwebsockets] How to fix the "SSL_CTX_get_extra_chain_certs_only" error

Andy Green andy at warmcat.com
Mon Jan 22 14:27:51 CET 2018



On 22/01/18 21:02, Chropin Hu wrote:
> Dear Andy,
>         Thank you very much,
>         I have replaced the host-ssl-key and host-ssl-cert, like this: 
> (I can find the cacert, so, just mark it)
>     "host-ssl-key":  "/home/mtk40387/develop/libwebsockets-master/build/libwebsockets-test-server.key.pem",
>     "host-ssl-cert": "/home/mtk40387/develop/libwebsockets-master/build/libwebsockets-test-server.pem",
>     # "host-ssl-ca": "/home/mtk40387/develop/ecdh/ca/cacert.pem",
> 
>         But the result is the same:
> lwsws[19746]: accepted new conn port 51922 on fd=15
> lwsws[19746]: _realloc: size 88: peer
> lwsws[19746]: _realloc: size 832: new server wsi
> lwsws[19746]: new wsi 0x642e40 joining vhost localhost, tsi 0
> lwsws[19746]: lws_adopt_descriptor_vhost: new wsi 0x642e40, sockfd 15
> lwsws[19746]: insert_wsi_socket_into_fds: 0x642e40: tsi=0, sock=15, pos-in-fds=1
> lwsws[19746]: inserted SSL accept into fds, trying SSL_accept
> lwsws[19746]: lws_ssl_get_error: 0x643450 -1 -> 2

This is a log from SSL_accept... it just seems to be saying 
SSL_ERROR_WANT_READ, ie, nonfatal status.

So I don't see anything going wrong.  Why do we think something went wrong?

The title of your email says "How to fix the 
"SSL_CTX_get_extra_chain_certs_only" error"... why do we think that is 
related to the problem?

You don't mention what the client you are connecting to lws says about 
what happened to the connection.  If you connect with, eg, Firefox, it 
should complain about unknown CA and offer for you to make an exception. 
What does the client say?

-Andy
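As an added illustration (not code from lws or from anyone in this thread), the following C helper shows how to read that log line: the `-1` is what SSL_accept() returned and the `2` is what SSL_get_error() mapped it to, SSL_ERROR_WANT_READ, which a nonblocking server treats as "wait for poll() and call SSL_accept() again", not as a failure. The numeric SSL_ERROR_* values are copied from OpenSSL's ssl.h so the example builds without the OpenSSL headers; the log line format is assumed from the line quoted above.

```c
#include <stdio.h>
#include <string.h>
/* Numeric SSL_ERROR_* values as in OpenSSL's ssl.h, redefined here so the
 * example builds without the OpenSSL headers (assumption: OpenSSL 1.0.x/1.1.x). */
enum {
    SSL_ERR_NONE = 0, SSL_ERR_SSL = 1, SSL_ERR_WANT_READ = 2,
    SSL_ERR_WANT_WRITE = 3, SSL_ERR_WANT_X509_LOOKUP = 4, SSL_ERR_SYSCALL = 5,
    SSL_ERR_ZERO_RETURN = 6, SSL_ERR_WANT_CONNECT = 7, SSL_ERR_WANT_ACCEPT = 8
};

/* What a nonblocking server loop should do with an SSL_accept() result. */
typedef enum { HS_DONE, HS_RETRY, HS_CLOSED, HS_FATAL } hs_action;
/* ret: value returned by SSL_accept(); err: SSL_get_error(ssl, ret). */
hs_action classify_accept(int ret, int err)
{
    if (ret > 0)
        return HS_DONE;      /* handshake finished */
    switch (err) {
    case SSL_ERR_WANT_READ:
    case SSL_ERR_WANT_WRITE:
    case SSL_ERR_WANT_X509_LOOKUP:
        return HS_RETRY;     /* not an error: wait for poll(), call SSL_accept() again */
    case SSL_ERR_ZERO_RETURN:
        return HS_CLOSED;    /* peer sent close_notify during the handshake */
    default:
        return HS_FATAL;     /* SSL_ERROR_SSL / SSL_ERROR_SYSCALL: see ERR_get_error(), errno */
    }
}

/* Parse an lws log line like "lwsws[19746]: lws_ssl_get_error: 0x643450 -1 -> 2"
 * (format assumed from the thread): fills *ret with the SSL_accept() return and
 * *err with the SSL_get_error() code; returns 0 on success, -1 otherwise. */
int parse_lws_ssl_error_line(const char *line, int *ret, int *err)
{
    const char *p = strstr(line, "lws_ssl_get_error:");
    if (!p)
        return -1;
    return sscanf(p, "lws_ssl_get_error: %*s %d -> %d", ret, err) == 2 ? 0 : -1;
}

int main(void)
{
    /* constructed sample: the log line quoted in the thread */
    const char *line = "lwsws[19746]: lws_ssl_get_error: 0x643450 -1 -> 2";
    int ret, err;
    if (parse_lws_ssl_error_line(line, &ret, &err) == 0 &&
        classify_accept(ret, err) == HS_RETRY)
        printf("SSL_accept=%d, SSL_get_error=%d: WANT_READ, retry after poll()\n", ret, err);
    return 0;
}
```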

> The openssl version is: OpenSSL 1.0.2g  1 Mar 2016.
> 
> Is it possible to disable the option LWS_HAVE_OPENSSL_ECDH_H?
> It is very hard to generate the ECDH key, I just want to enable https 
> and wss, maybe it is easier to use other keys.
> 
> Best Regards
> 
> Yours Chropin.
> 
> On Mon, Jan 22, 2018 at 8:11 PM, Andy Green <andy at warmcat.com> wrote:
> 
> 
> 
>     On January 22, 2018 8:01:02 PM GMT+08:00, Chropin Hu
>     <chropinhu at gmail.com> wrote:
>     >Dear All,
>     >       I am trying to set up an https server on Ubuntu.
>     >       Currently, I just use the lwsws,
>     >       The config file is like this:
>     >        {
>     > "vhosts": [ {
>     >     "name": "localhost",
>     >     "port": "7681",
>     >     "interface": "lo",
>     >     "host-ssl-key":  "/home/develop/ecdh/ca/ecdhkey.pem",
>     >     "host-ssl-cert": "/home/develop/ecdh/ca/ecdhcert.pem",
>     >     "host-ssl-ca":   "/home/develop/ecdh/ca/cacert.pem",
> 
>     What happens if instead of these, you use the test selfsigned certs
>     lws creates in the build dir when you run cmake?
> 
>     -Andy
> 
>      >#     "sts": "on",
>      >     "mounts": [{
>      >       "mountpoint": "/",
>      >       "origin": "file://_lws_ddir_/libwebsockets-test-server",
>      >       "default": "test.html",
>      >       "cache-max-age": "60",
>      >       "cache-reuse": "1",
>      >       "cache-revalidate": "1",
>      >       "cache-intermediaries": "0"
>      >       }, {
>      >        "mountpoint": "/server-status",
>      >        "origin":
>      >"file://_lws_ddir_/libwebsockets-test-server/server-status",
>      >        "default": "server-status.html"
>      >        }, {
>      >        "mountpoint": "/testcgi",
>      >        "origin":
>      >"cgi://_lws_ddir_/libwebsockets-test-server/lws-cgi-test.sh"
>      >
>      >       }, {
>      >        "mountpoint": "/formtest",
>      >        "origin": "callback://protocol-post-demo"
>      >       }],
>      >     # which protocols are enabled for this vhost, and optional
>      >     # vhost-specific config options for the protocol
>      >     #
>      >     "ws-protocols": [{
>      >       "lws-meta": {
>      >         "status": "ok"
>      >       },
>      >       "dumb-increment-protocol": {
>      >         "status": "ok"
>      >       },
>      >       "lws-mirror-protocol": {
>      >         "status": "ok"
>      >       },
>      >       "lws-status": {
>      >         "status": "ok"
>      >       },
>      >       "protocol-post-demo": {
>      >         "status": "ok"
>      >       },
>      >       "lws-server-status": {
>      >         "status": "ok",
>      >         "update-ms": "5000"
>      >       }
>      >     }]
>      >    }
>      >  ]
>      >}
>      >
>      >The server always failed at the line marked as red.
>      >
>      >/* Get X509 certificate from ssl context */
>      >#if !defined(LWS_HAVE_SSL_EXTRA_CHAIN_CERTS)
>      >x = sk_X509_value(vhost->ssl_ctx->extra_certs, 0);
>      >#else
>      >SSL_CTX_get_extra_chain_certs_only(vhost->ssl_ctx, &extra_certs);
>      >if (extra_certs)
>      >x = sk_X509_value(extra_certs, 0);
>      >else
>      >lwsl_err("%s: no extra certs\n", __func__);
>      >#endif
>      >
>      >and further, the SSL accept always fails.
>      >
>      >lwsws[18957]: insert_wsi_socket_into_fds: 0x1114890: tsi=0, sock=15, pos-in-fds=1
>      >lwsws[18957]: inserted SSL accept into fds, trying SSL_accept
>      >lwsws[18957]: lws_ssl_get_error: 0x1114ea0 -1 -> 2
>      >lwsws[18957]: _realloc: size 2960: ah struct
>      >lwsws[18957]: _realloc: size 4096: ah data
>      >
>      >Can someone help me out?
>      >Thanks, I appreciate the answer.
>      >
>      >Best Regards
>      >
>      >Yours Chropin.
> 
> 