[Libwebsockets] Two way TLS authentication with mbedTLS

Andy Green andy at warmcat.com
Fri Jul 23 11:52:30 CEST 2021



On 7/23/21 10:38 AM, Iván Valdés wrote:
> Hi,
> 
> I'm using version v3.1 of libwebsockets compiled with mbedTLS.

v3.1 is 4 years old, the policy here is to support the last stable release 
(v4.2 currently) and main branch.

There are users who use mbedtls mutual auth successfully on v4 stuff, 
afaik this has worked for a long while.

> Currently I have a websocket client that connects to a http/ws server 
> using TLS with server certificate validation. I need to enable the 
> client to send its certificate to the server and also enable the server 
> to verify this certificate with a CA certificate.
> 
> I saw at the examples that, to make a server verify the client 
> certificate, the LWS_SERVER_OPTION_REQUIRE_VALID_OPENSSL_CLIENT_CERT 
> option must be set on the vhost info and then a call 
> to LWS_CALLBACK_OPENSSL_PERFORM_CLIENT_CERT_VERIFICATION will be 
> performed. I assume that the verification is not done by the LWS 

No, the callback is just an optional, openssl-only thing.

Not handling the callback is fine as it describes in the docs for it.

> implicitly. Am I wrong? With mbedtls I didn't manage to make this work. 
> The callback is never called. Is there any example of how to make this 
> work?

The callback getting called is not the sign of a successful mutual auth, 
the tls connection getting established is.

If the server is configured to require mutual auth and doesn't like the 
cert you handed it, it will hang up on you instead.

-Andy

