client: fix X509_V_ERR_CERT_HAS_EXPIRED
authorNamowen <namowen@user.github.invalid.com>
Fri, 17 Feb 2017 23:51:27 +0000 (07:51 +0800)
committerAndy Green <andy@warmcat.com>
Sat, 18 Feb 2017 09:27:22 +0000 (17:27 +0800)
lib/private-libwebsockets.h
lib/ssl-client.c

index 0041557..1f365eb 100644 (file)
@@ -1490,7 +1490,7 @@ struct lws {
        unsigned int extension_data_pending:1;
 #endif
 #ifdef LWS_OPENSSL_SUPPORT
-       unsigned int use_ssl:3;
+       unsigned int use_ssl:4;
 #endif
 #ifdef _WIN32
        unsigned int sock_send_blocking:1;
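Review bot: The width of `use_ssl` is now coupled to the highest LCCSCF_* bit that the client code tests against it (ssl-client.c in this same commit masks it with LCCSCF_ALLOW_EXPIRED), but nothing at the field records that, so the next flag added will be silently truncated to zero and its check will never fire. A comment on the field, `/* LCCSCF_* flags from the client connect info; width must cover the highest flag bit */`, would make the dependency visible, and a `_Static_assert` against the highest flag value would enforce it if the flag definitions are in scope here. The enclosing `struct lws` begins before the hunk.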
index b8154aa..9c1a5b9 100644 (file)
@@ -54,7 +54,16 @@ OpenSSL_client_verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
                        if ((err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
                                        err == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) &&
                                        wsi->use_ssl & LCCSCF_ALLOW_SELFSIGNED) {
-                               lwsl_notice("accepting self-signed certificate\n");
+                               lwsl_notice("accepting self-signed certificate (verify_callback)\n");
+                               X509_STORE_CTX_set_error(x509_ctx, X509_V_OK);
+                               return 1;       // ok
+                       } else if ((err == X509_V_ERR_CERT_NOT_YET_VALID ||
+                                       err == X509_V_ERR_CERT_HAS_EXPIRED) &&
+                                       wsi->use_ssl & LCCSCF_ALLOW_EXPIRED) {
+                               if (err == X509_V_ERR_CERT_NOT_YET_VALID)
+                                       lwsl_notice("accepting not yet valid certificate (verify_callback)\n");
+                               else if (err == X509_V_ERR_CERT_HAS_EXPIRED)
+                                       lwsl_notice("accepting expired certificate (verify_callback)\n");
                                X509_STORE_CTX_set_error(x509_ctx, X509_V_OK);
                                return 1;       // ok
                        }
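Review bot: The inner `else if (err == X509_V_ERR_CERT_HAS_EXPIRED)` is redundant, because the enclosing condition already restricts `err` to the two time-validity codes; a plain `else` is clearer and cannot silently skip the log line if a third code is later added to the outer test. The two accepted branches also both end in `X509_STORE_CTX_set_error(x509_ctx, X509_V_OK); return 1;`, which could be shared after a single `if`/`else if` that only selects the message. Since clearing the error means a later SSL_get_verify_result() will presumably report the connection as verified, the lwsl_notice line is the only trace that an expired or not-yet-valid certificate was accepted; a comment such as `/* opt-in via LCCSCF_ALLOW_EXPIRED: clear the error so SSL_connect() proceeds; the notice log is the only record of the override */` would state that. The callback's body starts and ends outside the hunk.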
@@ -138,8 +147,13 @@ lws_ssl_client_bio_create(struct lws *wsi)
        }
 
 #endif
+
+#ifndef USE_WOLFSSL
+#ifndef USE_OLD_CYASSL
        /* OpenSSL_client_verify_callback will be called @ SSL_connect() */
        SSL_set_verify(wsi->ssl, SSL_VERIFY_PEER, OpenSSL_client_verify_callback);
+#endif
+#endif
 
 #ifndef USE_WOLFSSL
        SSL_set_mode(wsi->ssl,  SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
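Review bot: With the new guards, builds defining USE_WOLFSSL or USE_OLD_CYASSL no longer install OpenSSL_client_verify_callback, and nothing in the hunk says what peer verification those builds get instead, so a reader cannot tell whether the LCCSCF_ALLOW_SELFSIGNED / LCCSCF_ALLOW_EXPIRED opt-ins simply do not apply there or whether verification is handled elsewhere; a comment on the `#ifndef` pair, `/* wolfSSL / CyaSSL builds: verify callback not installed here — presumably handled elsewhere; confirm */`, would record the intent. The two nested `#ifndef` lines could also be written as one `#if !defined(USE_WOLFSSL) && !defined(USE_OLD_CYASSL)`, which reads more directly and matches the single `#ifndef USE_WOLFSSL` that follows. lws_ssl_client_bio_create begins before and continues past the hunk.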