
Commit e8c1b9c

ThePassionatelws-team
authored andcommitted
[PATCH] lws/mbedtls-client: aligned with openssl-client to load
default ca path The client based on the mbedtls backend does not implement loading the certificate from the default path, but the client based on the openssl backend does. Signed-off-by: makejian <[email protected]>
1 parent bb360aa commit e8c1b9c


1 file changed

+32
-23
lines changed

1 file changed

+32
-23
lines changed

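--- a/lib/tls/mbedtls/mbedtls-client.c
+++ b/lib/tls/mbedtls/mbedtls-client.c
@@ -416,39 +416,48 @@ lws_tls_client_create_vhost_context(struct lws_vhost *vh,
 return 1;
 }
 
-if (!ca_filepath && (!ca_mem || !ca_mem_len))
-return 0;
-
-if (ca_filepath) {
+if (!ca_filepath && (!ca_mem || !ca_mem_len)) {
+#if defined(LWS_HAVE_SSL_CTX_load_verify_dir)
+if (!SSL_CTX_load_verify_dir(
+vh->tls.ssl_client_ctx, LWS_OPENSSL_CLIENT_CERTS))
+#else
+if (!SSL_CTX_load_verify_locations(
+vh->tls.ssl_client_ctx, NULL, LWS_OPENSSL_CLIENT_CERTS))
+#endif
+lwsl_err("Unable to load SSL Client certs from %s "
+"(set by LWS_OPENSSL_CLIENT_CERTS) -- "
+"client ssl isn't going to work\n",
+LWS_OPENSSL_CLIENT_CERTS);
+} else if (ca_filepath) {
 #if !defined(LWS_PLAT_OPTEE)
-uint8_t *buf;
-lws_filepos_t len;
-
-if (alloc_file(vh->context, ca_filepath, &buf, &len)) {
-lwsl_err("Load CA cert file %s failed\n", ca_filepath);
-return 1;
+#if defined(LWS_HAVE_SSL_CTX_load_verify_file)
+if (!SSL_CTX_load_verify_file(
+vh->tls.ssl_client_ctx, ca_filepath)) {
+#else
+if (!SSL_CTX_load_verify_locations(
+vh->tls.ssl_client_ctx, ca_filepath, NULL)) {
+#endif
+lwsl_err(
+"Unable to load SSL Client certs "
+"file from %s -- client ssl isn't "
+"going to work\n", ca_filepath);
 }
-vh->tls.x509_client_CA = d2i_X509(NULL, (const uint8_t **)&buf, (long)len);
-free(buf);
-
-lwsl_info("Loading vh %s client CA for verification %s\n", vh->name, ca_filepath);
 #endif
 } else {
 vh->tls.x509_client_CA = d2i_X509(NULL, (const uint8_t **)&ca_mem, (long)ca_mem_len);
 lwsl_info("%s: using mem client CA cert %d\n",
 __func__, ca_mem_len);
-}
+if (!vh->tls.x509_client_CA) {
+lwsl_err("client CA: x509 parse failed\n");
+return 1;
+}
 
-if (!vh->tls.x509_client_CA) {
-lwsl_err("client CA: x509 parse failed\n");
-return 1;
+if (!vh->tls.ssl_ctx)
+SSL_CTX_add_client_CA(vh->tls.ssl_client_ctx, vh->tls.x509_client_CA);
+else
+SSL_CTX_add_client_CA(vh->tls.ssl_ctx, vh->tls.x509_client_CA);
 }
 
-if (!vh->tls.ssl_ctx)
-SSL_CTX_add_client_CA(vh->tls.ssl_client_ctx, vh->tls.x509_client_CA);
-else
-SSL_CTX_add_client_CA(vh->tls.ssl_ctx, vh->tls.x509_client_CA);
-
 /* support for client-side certificate authentication */
 if (cert_filepath) {
 #if !defined(LWS_PLAT_OPTEE)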
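Review bot: A failed load of an explicitly configured CA file is now only logged: in the new ca_filepath branch (new lines 433–443) the SSL_CTX_load_verify_file / SSL_CTX_load_verify_locations failure falls through and the function carries on, whereas the removed alloc_file path returned 1 (old lines 428–429), so a vhost whose trust store was never installed now comes up and only fails at the first verified connection. I would add `return 1;` after the `lwsl_err(...)` in that branch so a misconfigured CA path fails at vhost creation; the default-path branch (new 427–430) could reasonably keep its log-only behaviour since no CA was requested there. Note also that the early `return 0;` when neither ca_filepath nor ca_mem is given (old 419–420) is gone, so the client-side certificate block below now runs in that case too — presumably intended, but worth a sentence in the commit message. The enclosing function lws_tls_client_create_vhost_context starts and ends outside the hunk.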
