[Libwebsockets] LCCSCF_ALLOW_SELFSIGNED not applied after redirect
Roman Nikiforov
rnikiforov at gmx.net
Wed Dec 22 11:28:03 CET 2021
Hi Andy,
I'm trying to get lws working on iPhone (iOS). With wolfSSL I had no
luck, only "E: lws_client_connect_via_info: no vhost", but now I tried it
with mbedtls, which works perfectly together with lws on Android, and it
looks better, but lws closes the connection because of the self-signed SSL
certificate. LCCSCF_ALLOW_SELFSIGNED is set and it seems to work one time:
[2021/12/21 20:18:13:0727] I: lws_tls_session_new_mbedtls:
[wsicli|0|WS/h1/default/dev.medrepo.de]: new default_dev.medrepo.de_443,
(default:1)
[2021/12/21 20:18:13:0727] I: lws_tls_client_connect: client connect OK
[2021/12/21 20:18:13:0727] D: lws_ssl_client_connect2: SSL_connect says 0
[2021/12/21 20:18:13:0727] I: lws_tls_restrict_return_handshake: 1 -> 0
[2021/12/21 20:18:13:0727] N: lws_gate_accepts: on = 0
[2021/12/21 20:18:13:0727] D: get_verify says 24
[2021/12/21 20:18:13:0727] I: lws_tls_client_confirm_peer_cert: cert
problem: invalidca
[2021/12/21 20:18:13:0727] I: lws_tls_client_confirm_peer_cert: allowing
anyway
Then the connection is redirected to LWSWS:
[2021/12/21 20:18:13:1070] N: lws_client_reset: REDIRECT
dev.medrepo.de:443, path='jasca/', ssl = 1, alpn='h2;http/1.1'
and here LCCSCF_ALLOW_SELFSIGNED seems to be ignored:
[2021/12/21 20:18:13:1714] I: lws_tls_session_new_mbedtls:
[wsicli|0|WS/h1/default/dev.medrepo.de]: reuse
default_dev.medrepo.de_443, (default:1)
[2021/12/21 20:18:13:1714] I: lws_tls_client_connect: client connect OK
[2021/12/21 20:18:13:1714] D: lws_ssl_client_connect2: SSL_connect says 0
[2021/12/21 20:18:13:1714] I: lws_tls_restrict_return_handshake: 1 -> 0
[2021/12/21 20:18:13:1714] N: lws_gate_accepts: on = 0
[2021/12/21 20:18:13:1714] D: get_verify says 24
[2021/12/21 20:18:13:1714] I: lws_tls_client_confirm_peer_cert: cert
problem: invalidca
[2021/12/21 20:18:13:1714] I: server's cert didn't look good, invalidca
(use_ssl 0x1) X509_V_ERR = 24: CA is not trusted
[2021/12/21 20:18:13:1714] I: lws_http_client_socket_service: closing
conn at LWS_CONNMODE...SERVER_REPLY,
[wsicli|0|WS/h1/default/dev.medrepo.de], state 0x204
[2021/12/21 20:18:13:1714] I: reason: server's cert didn't look good,
invalidca (use_ssl 0x1) X509_V_ERR = 24: CA is not trusted
Version: LWS: 4.3.0-v4.3.0-79-g141ebf37, NET CLI SRV H1 H2 WS MbedTLS
ConMon IPv6-absent
The same client code works on Android with the same server ...
-
Roman
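
An added example, not part of the original post and not libwebsockets code: a Python triage script that splits an lws client log into TLS handshakes and reports any certificate verify code that was overridden in one handshake and rejected in another, the pattern the log above shows across the redirect. The function names are hypothetical; the matched log strings are the ones visible in the post.

```python
import re

STAMP = re.compile(r"^\[(\d{4}/\d\d/\d\d [\d:]+)\] [A-Z]: (.*)$")

# Abridged from the log in the post: lines omitted and cut short, one mail wrap kept.
SAMPLE = """\
[2021/12/21 20:18:13:0727] I: lws_tls_session_new_mbedtls:
[2021/12/21 20:18:13:0727] D: get_verify says 24
[2021/12/21 20:18:13:0727] I: lws_tls_client_confirm_peer_cert: allowing
anyway
[2021/12/21 20:18:13:1070] N: lws_client_reset: REDIRECT
[2021/12/21 20:18:13:1714] I: lws_tls_session_new_mbedtls:
[2021/12/21 20:18:13:1714] D: get_verify says 24
[2021/12/21 20:18:13:1714] I: server's cert didn't look good, invalidca
"""

def unwrap(text):
    # Join mail-wrapped continuation lines onto the stamped line before them.
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if STAMP.match(line):
            records.append(line)
        elif records:
            records[-1] += " " + line
    return records

def handshakes(text):
    # One entry per TLS session start: verify code and how lws ruled on it.
    out, redirected = [], False
    for rec in unwrap(text):
        ts, msg = STAMP.match(rec).groups()
        if msg.startswith("lws_tls_session_new_mbedtls:"):
            out.append(dict(ts=ts, after_redirect=redirected, verify=None, verdict=None))
        elif "lws_client_reset: REDIRECT" in msg:
            redirected = True
        elif out and msg.startswith("get_verify says "):
            out[-1]["verify"] = int(msg.split()[2])
        elif out and "allowing anyway" in msg:
            out[-1]["verdict"] = "overridden"
        elif out and msg.startswith("server's cert didn't look good"):
            out[-1]["verdict"] = "rejected"
    return out

def policy_flips(attempts):
    # Nonzero verify codes overridden in one handshake and rejected in another.
    verdicts = {}
    for a in attempts:
        verdicts.setdefault(a["verify"], set()).add(a["verdict"])
    return sorted(c for c, v in verdicts.items() if c and {"overridden", "rejected"} <= v)
```

On the sample, `policy_flips(handshakes(SAMPLE))` reports code 24, and the second handshake carries `after_redirect=True`.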