[Libwebsockets] LCCSCF_ALLOW_SELFSIGNED not applied after redirect
Roman Nikiforov
rnikiforov at gmx.net
Wed Dec 22 21:18:32 CET 2021
On 12/22/21 12:08 PM, Andy Green wrote:
>
> Does this help?
>
> diff --git a/lib/roles/http/client/client-http.c
> b/lib/roles/http/client/client-http.c
> index 465b4f0fd7..4eebbe7211 100644
> --- a/lib/roles/http/client/client-http.c
> +++ b/lib/roles/http/client/client-http.c
> @@ -1650,6 +1650,8 @@ lws_client_reset(struct lws **pwsi, int ssl,
> const char *address, int port,
>
> wsi->flags = (wsi->flags & (~LCCSCF_USE_SSL)) |
> (ssl ? LCCSCF_USE_SSL : 0);
> + if (ssl)
> + wsi->tls.use_ssl = wsi->flags;
>
> if (!cisin[CIS_ALPN] || !cisin[CIS_ALPN][0])
> #if defined(LWS_ROLE_H2)
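Review bot: the added copy into wsi->tls.use_ssl is guarded by "if (ssl)", so when lws_client_reset() is called with ssl == 0 the statement above clears LCCSCF_USE_SSL in wsi->flags while wsi->tls.use_ssl keeps whatever it held before, and the two can disagree after a redirect to a non-TLS URL. Unless another part of the function already handles that case, consider making the assignment unconditional (wsi->tls.use_ssl = wsi->flags;) or adding a comment that says why only the TLS case is synced.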
Unfortunately no. I also put additional log outputs in lws where
tls.use_ssl gets changed, but didn't find where this occurs. It always
has the value 65539, except in lws_tls_client_confirm_peer_cert, where it
is 1.
[2021/12/22 20:19:56:3272] I: : lws_client_connect_via_info: RTST:
connect.c wsi->tls.use_ssl changed from 0 to 65539
[2021/12/22 20:19:56:5584] N: lws_client_reset: RTST wsi->flags = 65539,
wsi->tls.use_ssl=65539
[2021/12/22 20:19:56:5598] I: [wsicli|0|WS/h1/default/dev.medrepo.de]:
__lws_close_free_wsi_final: RTST: change use_ssl=0 to flags=65539
But finally
[2021/12/22 20:19:56:6278] I: server's cert didn't look good, invalidca
(use_ssl 0x1) X509_V_ERR = 24: CA is not trusted
So it must be changed in between. Here is the log:
[2021/12/22 20:19:56:5598] I: [wsicli|0|WS/h1/default/dev.medrepo.de]:
__lws_close_free_wsi_final: RTST: change use_ssl=0 to flags=65539
[2021/12/22 20:19:56:5956] D: [wsicli|0|WS/h1/default/dev.medrepo.de]:
_lws_change_pollfd: fd 35 events 29 -> 25
[2021/12/22 20:19:56:5956] D: [wsicli|0|WS/h1/default/dev.medrepo.de]:
lws_client_connect_check: getsockopt: conn OK errno 36
[2021/12/22 20:19:56:5956] I: [wsicli|0|WS/h1/default/dev.medrepo.de]:
lws_client_connect_3_connect: source ads 192.168.178.91
[2021/12/22 20:19:56:5957] D: [wsicli|0|WS/h1/default/dev.medrepo.de]:
lws_client_connect_3_connect: going into connect_4
[2021/12/22 20:19:56:5957] I: [wsicli|0|WS/h1/default/dev.medrepo.de]:
lws_client_connect_4_established: h1 jasca-ping client created own conn
(raw 0) vh default st 0x202
[2021/12/22 20:19:56:5957] D: [wsicli|0|WS/h1/default/dev.medrepo.de]:
lwsi_set_state: lwsi_set_state 0x10000202 -> 0x10000012
[2021/12/22 20:19:56:5957] D: [wsicli|0|WS/h1/default/dev.medrepo.de]:
__lws_set_timeout: 15 secs, reason 8
[2021/12/22 20:19:56:5957] D: lws_http_client_socket_service:
LRS_H1C_ISSUE_HANDSHAKE
[2021/12/22 20:19:56:5957] D: [wsicli|0|WS/h1/default/dev.medrepo.de]:
_lws_change_pollfd: fd 35 events 25 -> 25
[2021/12/22 20:19:56:5957] I: lws_tls_restrict_borrow: 0 -> 1
[2021/12/22 20:19:56:5957] N: lws_gate_accepts: on = 0
[2021/12/22 20:19:56:5959] I: lws_tls_reuse_session:
default_dev.medrepo.de_443
[2021/12/22 20:19:56:5959] I: lws_ssl_client_bio_create: setting
hostname dev.medrepo.de
[2021/12/22 20:19:56:5959] I: lws_ssl_client_bio_create:
[wsicli|0|WS/h1/default/dev.medrepo.de]: client conn sending ALPN list
'h2;http/1.1'
[2021/12/22 20:19:56:5959] N: lws_ssl_client_bio_create: allowing selfsigned
[2021/12/22 20:19:56:5959] I: mbedtls_handshake: ssl ret -0 state 1
[2021/12/22 20:19:56:5961] I: mbedtls_handshake: ssl ret -0 state 2
[2021/12/22 20:19:56:5961] I: mbedtls_handshake: ssl ret -6900 state 2
[2021/12/22 20:19:56:5961] D: [wsicli|0|WS/h1/default/dev.medrepo.de]:
lwsi_set_state: lwsi_set_state 0x10000012 -> 0x10000204
[2021/12/22 20:19:56:5961] D: lws_client_create_tls:
lws_ssl_client_connect1: 0
[2021/12/22 20:19:56:6275] I: mbedtls_handshake: ssl ret -0 state 12
[2021/12/22 20:19:56:6276] I: mbedtls_handshake: ssl ret -0 state 13
[2021/12/22 20:19:56:6276] I: mbedtls_handshake: ssl ret -0 state 10
[2021/12/22 20:19:56:6276] I: mbedtls_handshake: ssl ret -0 state 11
[2021/12/22 20:19:56:6277] I: mbedtls_handshake: ssl ret -0 state 15
[2021/12/22 20:19:56:6277] I: mbedtls_handshake: ssl ret -0 state 16
[2021/12/22 20:19:56:6277] I: lws_tls_server_conn_alpn
[2021/12/22 20:19:56:6277] I: no ALPN upgrade
[2021/12/22 20:19:56:6277] I: lws_tls_session_new_mbedtls:
[wsicli|0|WS/h1/default/dev.medrepo.de]: reuse
default_dev.medrepo.de_443, (default:1)
[2021/12/22 20:19:56:6277] I: lws_tls_client_connect: client connect OK
[2021/12/22 20:19:56:6277] D: lws_ssl_client_connect2: SSL_connect says 0
[2021/12/22 20:19:56:6277] I: lws_tls_restrict_return_handshake: 1 -> 0
[2021/12/22 20:19:56:6277] N: lws_gate_accepts: on = 0
[2021/12/22 20:19:56:6278] D: get_verify says 24
[2021/12/22 20:19:56:6278] I: lws_tls_client_confirm_peer_cert: cert
problem: invalidca avoid = 2, use_ssl=1
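
Added example (not part of the original post and not libwebsockets code): it decodes the two use_ssl values reported in the message above and finds the checkpoint where LCCSCF_ALLOW_SELFSIGNED is lost. The bit positions are assumed from lws-client.h, and the trace array, flag_names() and first_drop() are hypothetical names built from the values in the post.

```c
#include <stdio.h>
#include <string.h>
/* Bit values assumed from libwebsockets' lws-client.h; check your version. */
#define LCCSCF_USE_SSL          (1u << 0)
#define LCCSCF_ALLOW_SELFSIGNED (1u << 1)
#define LCCSCF_PIPELINE         (1u << 16)
/* Constructed from the use_ssl values the post reports at each checkpoint. */
static const struct obs { const char *where; unsigned int use_ssl; } trace[] = {
	{ "lws_client_connect_via_info",      65539 },
	{ "lws_client_reset",                 65539 },
	{ "lws_tls_client_confirm_peer_cert", 0x1 },
};
#define TRACE_LEN (sizeof(trace) / sizeof(trace[0]))

/* Write the names of the known bits set in flags into buf, '|'-separated. */
static const char *flag_names(unsigned int flags, char *buf, size_t len)
{
	static const struct { unsigned int bit; const char *name; } tab[] = {
		{ LCCSCF_USE_SSL, "USE_SSL" },
		{ LCCSCF_ALLOW_SELFSIGNED, "ALLOW_SELFSIGNED" },
		{ LCCSCF_PIPELINE, "PIPELINE" },
	};
	size_t used = 0;

	buf[0] = '\0';
	for (size_t i = 0; i < sizeof(tab) / sizeof(tab[0]); i++)
		if ((flags & tab[i].bit) && used < len)
			used += (size_t)snprintf(buf + used, len - used, "%s%s",
						 used ? "|" : "", tab[i].name);
	return buf;
}

/* Index of the first observation missing a mask bit the previous one had, or -1. */
static int first_drop(const struct obs *t, size_t n, unsigned int mask)
{
	for (size_t i = 1; i < n; i++)
		if (t[i - 1].use_ssl & ~t[i].use_ssl & mask)
			return (int)i;
	return -1;
}

int main(void)
{
	char a[64], b[64];
	int i = first_drop(trace, TRACE_LEN, LCCSCF_ALLOW_SELFSIGNED);
	if (i > 0)
		printf("%s: %s, then %s: %s\n",
		       trace[i - 1].where, flag_names(trace[i - 1].use_ssl, a, sizeof(a)),
		       trace[i].where, flag_names(trace[i].use_ssl, b, sizeof(b)));
	return 0;
}
```

By the time lws_tls_client_confirm_peer_cert runs only USE_SSL is left, which matches the invalidca failure in the last log line.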