[Libwebsockets] How to fix the "SSL_CTX_get_extra_chain_certs_only" error

Chropin Hu chropinhu at gmail.com
Tue Jan 23 03:39:30 CET 2018


Dear Andy,
        It seems to work well now. I do not know why the browser always
prompted "Oops! Unable to display this website." yesterday.
        I use the Epiphany Web Browser.
        Anyway, I will check the flow further and update the status.

Thank you very very much!

Best Regards

Yours Chropin

On Mon, Jan 22, 2018 at 9:27 PM, Andy Green <andy at warmcat.com> wrote:

>
>
> On 22/01/18 21:02, Chropin Hu wrote:
>
>> Dear Andy,
>>         Thank you very much,
>>         I have replaced the host-ssl-key and host-ssl-cert, like this:
>> (I can find the cacert, so I just marked it)
>>              "host-ssl-key":   "/home/mtk40387/develop/libwebsockets-master/build/libwebsockets-test-server.key.pem",
>>              "host-ssl-cert": "/home/mtk40387/develop/libwebsockets-master/build/libwebsockets-test-server.pem",
>>               #     "host-ssl-ca":   "/home/mtk40387/develop/ecdh/ca/cacert.pem",
>>
>>         But the result is the same:
>> lwsws[19746]: accepted new conn port 51922 on fd=15
>> lwsws[19746]: _realloc: size 88: peer
>> lwsws[19746]: _realloc: size 832: new server wsi
>> lwsws[19746]: new wsi 0x642e40 joining vhost localhost, tsi 0
>> lwsws[19746]: lws_adopt_descriptor_vhost: new wsi 0x642e40, sockfd 15
>> lwsws[19746]: insert_wsi_socket_into_fds: 0x642e40: tsi=0, sock=15,
>> pos-in-fds=1
>> lwsws[19746]: inserted SSL accept into fds, trying SSL_accept
>> lwsws[19746]: lws_ssl_get_error: 0x643450 -1 -> 2
>>
>
> This is a log from SSL_accept... it just seems to be saying
> SSL_ERROR_WANT_READ, ie, nonfatal status.
>
> So I don't see anything going wrong.  Why do we think something went wrong?
>
> The title of your email says "How to fix the "SSL_CTX_get_extra_chain_certs_only"
> error"... why do we think that is related to the problem?
>
> You don't mention what the client you are connecting to lws says about
> what happened to the connection.  If you connect with, eg, Firefox, it
> should complain about unknown CA and offer for you to make an exception.
> What does the client say?
>
> -Andy
>
>> The openssl version is: OpenSSL 1.0.2g  1 Mar 2016.
>>
>> Is it possible to disable the option LWS_HAVE_OPENSSL_ECDH_H?
>> It is very hard to generate the ECDH key, I just want to enable https
>> and wss, maybe it is easier to use other keys.
>>
>> Best Regards
>>
>> Yours Chropin.
>>
>> On Mon, Jan 22, 2018 at 8:11 PM, Andy Green <andy at warmcat.com> wrote:
>>
>>
>>
>>     On January 22, 2018 8:01:02 PM GMT+08:00, Chropin Hu
>>     <chropinhu at gmail.com> wrote:
>>     >Dear All,
>>     >       I am trying to set up an https server on Ubuntu.
>>     >       Currently, I just use the lwsws,
>>     >       The config file is like this:
>>     >        {
>>     > "vhosts": [ {
>>     >     "name": "localhost",
>>     >     "port": "7681",
>>     >     "interface": "lo",
>>     >     "host-ssl-key":  "/home/develop/ecdh/ca/ecdhkey.pem",
>>     >     "host-ssl-cert": "/home/develop/ecdh/ca/ecdhcert.pem",
>>     >     "host-ssl-ca":   "/home/develop/ecdh/ca/cacert.pem",
>>
>>     What happens if instead of these, you use the test selfsigned certs
>>     lws creates in the build dir when you run cmake?
>>
>>     -Andy
>>
>>      >#     "sts": "on",
>>      >     "mounts": [{
>>      >       "mountpoint": "/",
>>      >       "origin": "file://_lws_ddir_/libwebsockets-test-server",
>>      >       "default": "test.html",
>>      >       "cache-max-age": "60",
>>      >       "cache-reuse": "1",
>>      >       "cache-revalidate": "1",
>>      >       "cache-intermediaries": "0"
>>      >       }, {
>>      >        "mountpoint": "/server-status",
>>      >        "origin":
>>      >"file://_lws_ddir_/libwebsockets-test-server/server-status",
>>      >        "default": "server-status.html"
>>      >        }, {
>>      >        "mountpoint": "/testcgi",
>>      >        "origin":
>>      >"cgi://_lws_ddir_/libwebsockets-test-server/lws-cgi-test.sh"
>>      >
>>      >       }, {
>>      >        "mountpoint": "/formtest",
>>      >        "origin": "callback://protocol-post-demo"
>>      >       }],
>>      >     # which protocols are enabled for this vhost, and optional
>>      >     # vhost-specific config options for the protocol
>>      >     #
>>      >     "ws-protocols": [{
>>      >       "lws-meta": {
>>      >         "status": "ok"
>>      >       },
>>      >       "dumb-increment-protocol": {
>>      >         "status": "ok"
>>      >       },
>>      >       "lws-mirror-protocol": {
>>      >         "status": "ok"
>>      >       },
>>      >       "lws-status": {
>>      >         "status": "ok"
>>      >       },
>>      >       "protocol-post-demo": {
>>      >         "status": "ok"
>>      >       },
>>      >       "lws-server-status": {
>>      >         "status": "ok",
>>      >         "update-ms": "5000"
>>      >       }
>>      >     }]
>>      >    }
>>      >  ]
>>      >}
>>      >
>>      >The server always failed at the line marked as red.
>>      >
>>      >/* Get X509 certificate from ssl context */
>>      >#if !defined(LWS_HAVE_SSL_EXTRA_CHAIN_CERTS)
>>      >x = sk_X509_value(vhost->ssl_ctx->extra_certs, 0);
>>      >#else
>>      >SSL_CTX_get_extra_chain_certs_only(vhost->ssl_ctx, &extra_certs);
>>      >if (extra_certs)
>>      >x = sk_X509_value(extra_certs, 0);
>>      >else
>>      >lwsl_err("%s: no extra certs\n", __func__);
>>      >#endif
>>      >
>>      >and further, the ssl accept always fails.
>>      >
>>      >lwsws[18957]: insert_wsi_socket_into_fds: 0x1114890: tsi=0, sock=15,
>>      >pos-in-fds=1
>>      >lwsws[18957]: inserted SSL accept into fds, trying SSL_accept
>>      >lwsws[18957]: lws_ssl_get_error: 0x1114ea0 -1 -> 2
>>      >lwsws[18957]: _realloc: size 2960: ah struct
>>      >lwsws[18957]: _realloc: size 4096: ah data
>>      >
>>      >Can someone help me out?
>>      >Thanks, I appreciate the answer.
>>      >
>>      >Best Regards
>>      >
>>      >Yours Chropin.
>>
>>
>>
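The thread turns on two things: whether lwsws can actually load the configured host-ssl-key / host-ssl-cert pair, and what the "lws_ssl_get_error: ... -1 -> 2" line means (Andy's point that 2 is SSL_ERROR_WANT_READ, a nonfatal status). The following is an added example, not code from the thread or from libwebsockets, that preflights an lwsws vhost config through Python's ssl module and decodes the numeric code in those log lines; the '#' comment handling mirrors the comment lines in the thread's config, and the file paths are placeholders.

```python
import json
import re
import ssl

# SSL_get_error() codes from OpenSSL's ssl.h, as lwsws prints them after "->";
# WANT_* just means retry when the socket is ready, the rest end the handshake.
SSL_ERROR_NAMES = {0: "SSL_ERROR_NONE", 1: "SSL_ERROR_SSL", 2: "SSL_ERROR_WANT_READ",
                   3: "SSL_ERROR_WANT_WRITE", 4: "SSL_ERROR_WANT_X509_LOOKUP",
                   5: "SSL_ERROR_SYSCALL", 6: "SSL_ERROR_ZERO_RETURN",
                   7: "SSL_ERROR_WANT_CONNECT", 8: "SSL_ERROR_WANT_ACCEPT"}
FATAL_CODES = {1, 5, 6}
LOG_RE = re.compile(r"lws_ssl_get_error: \S+ -?\d+ -> (\d+)")

def decode_ssl_log_line(line):
    """Return (error_name, is_fatal) for an lws_ssl_get_error line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    code = int(m.group(1))
    return SSL_ERROR_NAMES.get(code, "UNKNOWN(%d)" % code), code in FATAL_CODES

def load_lwsws_config(text):
    """Parse lwsws JSON after dropping the '#' comment lines the thread's config uses."""
    kept = [ln for ln in text.splitlines() if not ln.lstrip().startswith("#")]
    return json.loads("\n".join(kept))

def check_vhost_tls(config):
    """Load each vhost's cert/key pair via OpenSSL; return {name: "ok" | reason}."""
    results = {}
    for vh in config.get("vhosts", []):
        name = vh.get("name", "?")
        cert, key = vh.get("host-ssl-cert"), vh.get("host-ssl-key")
        if not (cert and key):
            results[name] = "no host-ssl-cert/host-ssl-key configured"
            continue
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        try:
            ctx.load_cert_chain(cert, key)  # fails if a file is missing or key != cert
            results[name] = "ok"
        except (OSError, ssl.SSLError) as e:
            results[name] = "failed: %s" % e
    return results

# Constructed sample: trimmed vhost from the thread with placeholder paths.
SAMPLE_CONFIG = """{ "vhosts": [{
    "name": "localhost", "port": "7681", "interface": "lo",
  # "host-ssl-ca":   "/PLACEHOLDER/cacert.pem",
    "host-ssl-key":  "/PLACEHOLDER/libwebsockets-test-server.key.pem",
    "host-ssl-cert": "/PLACEHOLDER/libwebsockets-test-server.pem"
}] }"""
```

Run check_vhost_tls(load_lwsws_config(...)) against the real lwsws config before starting the daemon; a "failed:" entry is the startup problem, whereas a WANT_READ line in the log is not.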