add runtime context flag to enforce defeat of OS CA CERTS even if build option selected
authorAndy Green <andy.green@linaro.org>
Sat, 5 Jul 2014 02:59:59 +0000 (10:59 +0800)
committerAndy Green <andy.green@linaro.org>
Sun, 6 Jul 2014 01:36:44 +0000 (09:36 +0800)
Signed-off-by: Andy Green <andy.green@linaro.org>
lib/libwebsockets.h
lib/ssl.c

index 147297b..0bb67f5 100644 (file)
@@ -152,6 +152,7 @@ enum libwebsocket_context_options {
        LWS_SERVER_OPTION_ALLOW_NON_SSL_ON_SSL_PORT = 8,
        LWS_SERVER_OPTION_LIBEV = 16,
        LWS_SERVER_OPTION_DISABLE_IPV6 = 32,
+       LWS_SERVER_OPTION_DISABLE_OS_CA_CERTS = 64,
 };
 
 enum libwebsocket_callback_reasons {
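Review bot: The new LWS_SERVER_OPTION_DISABLE_OS_CA_CERTS constant carries no comment saying what it does, and in particular that it only has an effect when the library was built with LWS_SSL_CLIENT_USE_OS_CA_CERTS (the check added in lib/ssl.c sits inside that #ifdef), so a caller setting it on a build without that option gets neither an error nor a change in behaviour. A one-line comment on the new enumerator would close that gap, e.g. `LWS_SERVER_OPTION_DISABLE_OS_CA_CERTS = 64, /* client SSL: skip loading the OS default CA certs; only meaningful when built with LWS_SSL_CLIENT_USE_OS_CA_CERTS */`. The value 64 is the next free bit after 32, consistent with the flags above it.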
index 7ccff55..940e00d 100644 (file)
--- a/lib/ssl.c
+++ b/lib/ssl.c
@@ -262,8 +262,9 @@ int lws_context_init_client_ssl(struct lws_context_creation_info *info,
                                                info->ssl_cipher_list);
 
 #ifdef LWS_SSL_CLIENT_USE_OS_CA_CERTS
-       /* loads OS default CA certs */
-       SSL_CTX_set_default_verify_paths(context->ssl_client_ctx);
+       if (!(info->options & LWS_SERVER_OPTION_DISABLE_OS_CA_CERTS))
+               /* loads OS default CA certs */
+               SSL_CTX_set_default_verify_paths(context->ssl_client_ctx);
 #endif
 
        /* openssl init for cert verification (for client sockets) */
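Review bot: The new `if` on the first added line governs a single statement that is separated from it by a comment line; brace the body so that a later insertion cannot silently land outside the condition: `if (!(info->options & LWS_SERVER_OPTION_DISABLE_OS_CA_CERTS)) {` / `/* loads OS default CA certs */` / `SSL_CTX_set_default_verify_paths(context->ssl_client_ctx);` / `}`. The return value of SSL_CTX_set_default_verify_paths() (0 on failure) is still ignored on the guarded line, so a client context that ends up with no CA store at all is not reported; logging a failure there would make a misconfigured trust store visible rather than surfacing only as verify errors per connection. When the flag is set, the trust anchors the client context uses come entirely from code outside this hunk (presumably the info->ssl_ca_filepath handling), which is worth stating in the comment so callers know they must supply one. lws_context_init_client_ssl begins and ends outside the hunk.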