[Libwebsockets] Two way TLS authentication with mbedTLS
andy at warmcat.com
Fri Jul 23 11:52:30 CEST 2021
On 7/23/21 10:38 AM, Iván Valdés wrote:
> I'm using the version v3.1 of libwebsockets compiled with mbedTLS.
v3.1 is 4 years old; the policy here is to support the last stable release
(v4.2 currently) and main branch.
There are users who use mbedtls mutual auth successfully on v4 stuff,
afaik this has worked for a long while.
> Currently I have a websocket client that connects to a http/ws server
> using TLS with server certificate validation. I need to enable the
> client to send its certificate to the server and also enable the server
> to verify this certificate with a CA certificate.
> I saw at the examples that, to make a server verify the client
> certificate, the LWS_SERVER_OPTION_REQUIRE_VALID_OPENSSL_CLIENT_CERT
> option must be set on the vhost info and then a call
> to LWS_CALLBACK_OPENSSL_PERFORM_CLIENT_CERT_VERIFICATION will be
> performed. I assume that the verification is not done by the LWS
No, the callback is just an optional, openssl-only thing.
Not handling the callback is fine as it describes in the docs for it.
> implicitly. Am I wrong? With mbedtls I didn't manage to make this work.
> The callback is never called. Is there any example of how to make this
The callback getting called is not the sign of a successful mutual auth,
the tls connection getting established is.
If the server is configured to require mutual auth and doesn't like the
cert you handed it, it will hang up on you instead.