<div dir="ltr"><div><div>Thanks for the input.<br><br></div>Does that call (SSL_get_verify_result) verify the chain available in the server certificate?<br><br></div>I have tried to use the <span style="font-family:'Calibri',sans-serif;color:black">-DLWS_OPENSSL_CLIENT_CERTS option due to multiple CAs, but I think OpenSSL is always taking the cert from SSL_CERT_PATH (the path used by OpenSSL).<br></span></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Jan 4, 2016 at 9:33 AM, Subi S S <span dir="ltr"><<a href="mailto:andy.green@linaro.org" target="_blank">andy.green@linaro.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">





<div link="#0563C1" vlink="#954F72" lang="EN-IN">
<div>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">Hi Techi,<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-family:'Calibri',sans-serif;color:black">When use_ssl is set to '1', the server certificate will be verified by the library itself using OpenSSL (see client.c):</span></p>
<pre style="font-family:monospace">
		lws_latency_pre(context, wsi);
		n = SSL_get_verify_result(wsi-&gt;ssl);
		lws_latency(context, wsi,
			"SSL_get_verify_result LWS_CONNMODE..HANDSHAKE",
								n, n &gt; 0);
		if ((n != X509_V_OK) && (
			n != X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
							wsi-&gt;use_ssl != 2)) {

			lwsl_err(
			      "server's cert didn't look good %d\n", n);
			libwebsocket_close_and_free_session(context,
					wsi, LWS_CLOSE_STATUS_NOSTATUS);
			return 0;
		}
</pre>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-family:'Calibri',sans-serif;color:black">If you want to override the OpenSSL validation, or you want to do host name validation etc., you can set your own OpenSSL callbacks, for example SSL_CTX_set_cert_verify_callback under LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS.</span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-family:'Calibri',sans-serif;color:black">If you have multiple CA certs, you can set the directory path during libwebsocket compilation, for example -DLWS_OPENSSL_CLIENT_CERTS=/etc/cacerts/</span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-family:'Calibri',sans-serif;color:black">There is also an option to set a CA file during ctx creation (set the path in the ssl_ca_filepath attribute).</span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">Thanks,<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">Subi<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" lang="EN-US">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif" lang="EN-US"> techi eth [mailto:<a href="mailto:andy.green@linaro.org" target="_blank">andy.green@linaro.org</a>]
<br>
<b>Sent:</b> 31 December 2015 18:32<br>
<b>To:</b> <a href="mailto:libwebsockets@ml.libwebsockets.org" target="_blank">libwebsockets@ml.libwebsockets.org</a><br>
<b>Subject:</b> [Libwebsockets] Server cert verification by client<u></u><u></u></span></p><div><div class="h5">
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">Hi,<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">In the case of an encrypted ssl_connection (use_ssl = 1), if the client needs to verify the server certificate, what is the way to do so?<u></u><u></u></p>
<p class="MsoNormal">I was just thinking LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS is used for the same, but I was not able to conclude.<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">If this callback needs to be used, then do I need to do similar logic to that done in the OpenSSL_verify_callback function?<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Techi<u></u><u></u></p>
</div>
</div></div></div>
</div>

<br>_______________________________________________<br>
Libwebsockets mailing list<br>
<a href="mailto:Libwebsockets@ml.libwebsockets.org">Libwebsockets@ml.libwebsockets.org</a><br>
<a href="http://ml.libwebsockets.org/mailman/listinfo/libwebsockets" rel="noreferrer" target="_blank">http://ml.libwebsockets.org/mailman/listinfo/libwebsockets</a><br>
<br></blockquote></div><br></div>