[Libwebsockets] How to enable two way authentication with mbedTLS

Iván Valdés ivaldesi97 at gmail.com
Wed Jul 28 11:58:21 CEST 2021


Hello,

Currently I have a websocket client (implemented with lws)  which connects
to a http/ws server (also implemented with lws) using TLS with server
certificate validation. I need to enable the client to send its certificate
to the server and also enable the server to request the certificate and
verify this certificate with a CA certificate.

I am using the latest version of lws. With this version I can't establish a
TLS connection, I get a timeout waiting for SSL.


I am using a lws ws client and server with this configuration:

Client vhost  config:
      s_info.options = LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT;
      s_info.client_ssl_ca_filepath = m_t_config.pch_ca_cert;
      s_info.client_ssl_cert_filepath = m_t_config.pch_client_cert;
      s_info.client_ssl_private_key_filepath = m_t_config.pch_client_key;

Client connection config:

   lws_client_connect_info s_client_info;
   memset(&s_client_info, 0, sizeof(lws_client_connect_info));
   s_client_info.address = m_t_config.pch_address;
   s_client_info.host = m_t_config.pch_host_header;

   s_client_info.path = m_t_config.pch_path;
   s_client_info.port = m_t_config.i32_port;
   s_client_info.context = m_ps_lws_context;
   s_client_info.ssl_connection = LCCSCF_USE_SSL |
LCCSCF_SKIP_SERVER_CERT_HOSTNAME_CHECK;


Server vhost config:
   s_info.port = u16_https_port;
   s_info.vhost_name = "localhost";
   s_info.ssl_cert_filepath = pch_cert;
   s_info.ssl_private_key_filepath = pch_key;
   s_info.ssl_ca_filepath = pch_ca;
   s_info.options = LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT |
LWS_SERVER_OPTION_EXPLICIT_VHOSTS |

LWS_SERVER_OPTION_HTTP_HEADERS_SECURITY_BEST_PRACTICES_ENFORCE |
                    LWS_SERVER_OPTION_REQUIRE_VALID_OPENSSL_CLIENT_CERT;

If I access the http/ws server using a web browser, the server does not ask
for a client certificate.

Am I missing any configuration of the lws client or server?

Best regards,

Iván.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://libwebsockets.org/pipermail/libwebsockets/attachments/20210728/df73eed9/attachment.htm>


More information about the Libwebsockets mailing list