ssl client use OS CA root certs by default

Signed-off-by: Andy Green <andy.green@linaro.org>

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 64b3883..103b3e0 100644 (file)
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -34,6 +34,7 @@ if(GIT_EXECUTABLE)
 endif()
 
 option(LWS_WITH_SSL "Include SSL support (default OpenSSL, CyaSSL if LWS_USE_CYASSL is set)" ON)
+option(LWS_SSL_CLIENT_USE_OS_CA_CERTS "SSL support should make use of OS installed CA root certs" ON)
 option(LWS_USE_EXTERNAL_ZLIB "Search the system for ZLib instead of using the included one (on Windows)" OFF)
 option(LWS_USE_CYASSL "Use CyaSSL replacement for OpenSSL. When settings this, you also need to specify LWS_CYASSL_LIB and LWS_CYASSL_INCLUDE_DIRS" OFF)
 option(LWS_WITHOUT_BUILTIN_GETIFADDRS "Don't use BSD getifaddrs implementation from libwebsockets if it is missing (this will result in a compilation error) ... Default is your libc provides it. On some systems such as uclibc it doesn't exist." OFF)
@@ -88,6 +89,10 @@ if (LWS_WITH_SSL)
        set(LWS_OPENSSL_SUPPORT 1)
 endif()
 
+if (LWS_SSL_CLIENT_USE_OS_CA_CERTS)
+       set(LWS_SSL_CLIENT_USE_OS_CA_CERTS 1)
+endif()
+
 if (LWS_WITH_LATENCY)
        set(LWS_LATENCY 1)
 endif()
@@ -841,6 +846,7 @@ message("---------------------------------------------------------------------")
 message("  Settings:  (For more help do cmake -LH <srcpath>")
 message("---------------------------------------------------------------------")
 message(" LWS_WITH_SSL = ${LWS_WITH_SSL}  (SSL Support)")
+message(" LWS_SSL_CLIENT_USE_OS_CA_CERTS = ${LWS_SSL_CLIENT_USE_OS_CA_CERTS}")
 message(" LWS_USE_CYASSL = ${LWS_USE_CYASSL} (CyaSSL replacement for OpenSSL)")
 if (LWS_USE_CYASSL)
        message("   LWS_CYASSL_LIB = ${LWS_CYASSL_LIB}")

diff --git a/changelog b/changelog
index e2f56f0..f9ceaa2 100644 (file)
--- a/changelog
+++ b/changelog
@@ -51,6 +51,12 @@ that without getting involved in having to send the header by hand.
 A new info member http_proxy_address may be used at context creation time to
 set the http proxy.  If non-NULL, it overrides http_proxy environment var.
 
+Cmake supports LWS_SSL_CLIENT_USE_OS_CA_CERTS defaulting to on, which gets
+the client to use the OS CA Roots.  If you're worried somebody with the
+ability to forge for force creation of a client cert from the root CA in
+your OS, you should disable this since your selfsigned $0 cert is a lot safer
+then...
+
 
 v1.23-chrome32-firefox24
 ========================

diff --git a/config.h.cmake b/config.h.cmake
index e1dd8c0..87bd949 100644 (file)
--- a/config.h.cmake
+++ b/config.h.cmake
@@ -17,6 +17,9 @@
 /* Build with OpenSSL support */
 #cmakedefine LWS_OPENSSL_SUPPORT
 
+/* The client should load and trust CA root certs it finds in the OS */
+#cmakedefine LWS_SSL_CLIENT_USE_OS_CA_CERTS
+
 /* Sets the path where the client certs should be installed. */
 #cmakedefine LWS_OPENSSL_CLIENT_CERTS "${LWS_OPENSSL_CLIENT_CERTS}"
 

diff --git a/lib/libwebsockets.c b/lib/libwebsockets.c
index 3cc5635..4fd8f4d 100644 (file)
--- a/lib/libwebsockets.c
+++ b/lib/libwebsockets.c
@@ -2268,6 +2268,11 @@ libwebsocket_create_context(struct lws_context_creation_info *info)
                        SSL_CTX_set_cipher_list(context->ssl_client_ctx,
                                                        info->ssl_cipher_list);
 
+#ifdef LWS_SSL_CLIENT_USE_OS_CA_CERTS
+               /* loads OS default CA certs */
+               SSL_CTX_set_default_verify_paths(context->ssl_client_ctx);
+#endif
+
                /* openssl init for cert verification (for client sockets) */
                if (!info->ssl_ca_filepath) {
                        if (!SSL_CTX_load_verify_locations(