[Libwebsockets] LCCSCF_ALLOW_SELFSIGNED not applied after redirect

Andy Green andy at warmcat.com
Wed Dec 22 12:08:30 CET 2021 


On 12/22/21 10:28, Roman Nikiforov wrote:
> Hi Andy,
> 
> I'm trying to get lws working on iPhone (iOS). With wolfSLL I had no 
> luck, only "E: lws_client_connect_via_info: no vhost", but now I tied it 

Dunno... that sounds like something wrong with init before that error.

> with mbedtls, that works perfectly together with lws on Android and it 
> look better, but lws closes connection because of self signed SSL 
> certificate. LCCSCF_ALLOW_SELFSIGNED is set and it seems to work one time:
> 
> [2021/12/21 20:18:13:0727] I: lws_tls_session_new_mbedtls: 
> [wsicli|0|WS/h1/default/dev.medrepo.de]: new default_dev.medrepo.de_443, 
> (default:1)
> [2021/12/21 20:18:13:0727] I: lws_tls_client_connect: client connect OK
> [2021/12/21 20:18:13:0727] D: lws_ssl_client_connect2: SSL_connect says 0
> [2021/12/21 20:18:13:0727] I: lws_tls_restrict_return_handshake:  1 -> 0
> [2021/12/21 20:18:13:0727] N: lws_gate_accepts: on = 0
> [2021/12/21 20:18:13:0727] D: get_verify says 24
> [2021/12/21 20:18:13:0727] I: lws_tls_client_confirm_peer_cert: cert 
> problem: invalidca
> [2021/12/21 20:18:13:0727] I: lws_tls_client_confirm_peer_cert: allowing 
> anyway

Hm.

> Then connection is redirected to LWSWS
> 
> [2021/12/21 20:18:13:1070] N: lws_client_reset: REDIRECT 
> dev.medrepo.de:443, path='jasca/', ssl = 1, alpn='h2;http/1.1'
> 
> and here LCCSCF_ALLOW_SELFSIGNED seems to be ignored
> 
> [2021/12/21 20:18:13:1714] I: lws_tls_session_new_mbedtls: 
> [wsicli|0|WS/h1/default/dev.medrepo.de]: reuse 
> default_dev.medrepo.de_443, (default:1)
> [2021/12/21 20:18:13:1714] I: lws_tls_client_connect: client connect OK
> [2021/12/21 20:18:13:1714] D: lws_ssl_client_connect2: SSL_connect says 0
> [2021/12/21 20:18:13:1714] I: lws_tls_restrict_return_handshake:  1 -> 0
> [2021/12/21 20:18:13:1714] N: lws_gate_accepts: on = 0
> [2021/12/21 20:18:13:1714] D: get_verify says 24
> [2021/12/21 20:18:13:1714] I: lws_tls_client_confirm_peer_cert: cert 
> problem: invalidca
> [2021/12/21 20:18:13:1714] I: server's cert didn't look good, invalidca 
> (use_ssl 0x1) X509_V_ERR = 24: CA is not trusted

Does this help?

diff --git a/lib/roles/http/client/client-http.c 
b/lib/roles/http/client/client-http.c
index 465b4f0fd7..4eebbe7211 100644
--- a/lib/roles/http/client/client-http.c
+++ b/lib/roles/http/client/client-http.c
@@ -1650,6 +1650,8 @@ lws_client_reset(struct lws **pwsi, int ssl, const 
char *address, int port,

         wsi->flags = (wsi->flags & (~LCCSCF_USE_SSL)) |
                                         (ssl ? LCCSCF_USE_SSL : 0);
+       if (ssl)
+               wsi->tls.use_ssl = wsi->flags;

         if (!cisin[CIS_ALPN] || !cisin[CIS_ALPN][0])
  #if defined(LWS_ROLE_H2)


-Andy

More information about the Libwebsockets mailing list