free(new_wsi);
break;
}
+
debug("accepted new SSL conn "
"port %u on fd=%d SSL ver %s\n",
ntohs(cli_addr.sin_port), accept_fd,
* helping the client to verify server identity
*/
- this->protocols[0].callback(this, wsi,
+ this->protocols[0].callback(this, NULL,
LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS,
this->ssl_client_ctx, NULL, 0);
+ /* as a server, are we requiring clients to identify themselves? */
+
+ if (options & LWS_SERVER_OPTION_REQUIRE_VALID_OPENSSL_CLIENT_CERT) {
+
+ /* absolutely require the client cert */
+
+ SSL_CTX_set_verify(this->ssl_ctx,
+ SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
+
+ /*
+ * give user code a chance to load certs into the server
+ * allowing it to verify incoming client certs
+ */
+
+ this->protocols[0].callback(this, NULL,
+ LWS_CALLBACK_OPENSSL_LOAD_EXTRA_SERVER_VERIFY_CERTS,
+ this->ssl_ctx, NULL, 0);
+ }
+
if (this->use_ssl) {
enum libwebsocket_context_options {
LWS_SERVER_OPTION_DEFEAT_CLIENT_MASK = 1,
+ LWS_SERVER_OPTION_REQUIRE_VALID_OPENSSL_CLIENT_CERT = 2,
};
enum libwebsocket_callback_reasons {
LWS_CALLBACK_FILTER_NETWORK_CONNECTION,
LWS_CALLBACK_FILTER_PROTOCOL_CONNECTION,
LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS,
+ LWS_CALLBACK_OPENSSL_LOAD_EXTRA_SERVER_VERIFY_CERTS,
/* external poll() management support */
LWS_CALLBACK_ADD_POLL_FD,
* content before deciding to allow the handshake to proceed or
* to kill the connection.
*
- * LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS: if configure for
+ * LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS: if configured for
* including OpenSSL support, this callback allows your user code
* to perform extra SSL_CTX_load_verify_locations() or similar
* calls to direct OpenSSL where to find certificates the client
* can use to confirm the remote server identity. @user is the
* OpenSSL SSL_CTX*
*
+ * LWS_CALLBACK_OPENSSL_LOAD_EXTRA_SERVER_VERIFY_CERTS: if configured for
+ * including OpenSSL support, this callback allows your user code
+ * to load extra certifcates into the server which allow it to
+ * verify the validity of certificates returned by clients. @user
+ * is the server's OpenSSL SSL_CTX*
+ *
* The next four reasons are optional and only need taking care of if you
* will be integrating libwebsockets sockets into an external polling
* array.
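Review bot: The new LWS_CALLBACK_OPENSSL_LOAD_EXTRA_SERVER_VERIFY_CERTS paragraph does not say when the callback is issued or what @wsi holds; elsewhere in this commit it is only invoked during context creation when LWS_SERVER_OPTION_REQUIRE_VALID_OPENSSL_CLIENT_CERT is set, right after SSL_CTX_set_verify(SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT), and with wsi passed as NULL. Because that verify mode makes every client handshake depend on the trust anchors user code loads in this callback, I would add: `Only issued when LWS_SERVER_OPTION_REQUIRE_VALID_OPENSSL_CLIENT_CERT is set; @wsi is NULL. If no CA certificates are loaded here, no client certificate can be verified and client handshakes will be rejected.` The same paragraph misspells "certifcates" (should be "certificates"), and the LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS paragraph should likewise note that @wsi is NULL, since the call site now passes NULL instead of wsi.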