Enable client certificate verification if ssl CA is given

2026-01-08 03:44:22 +01:00 · 2016-11-23 23:19:32 +08:00
parent 06b8074b1e
commit 15e2dd96a4
4 changed files with 46 additions and 9 deletions
--- a/src/http.c
+++ b/src/http.c
@@ -127,6 +127,15 @@ callback_http(struct lws *wsi, enum lws_callback_reasons reason, void *user, voi
            if (lws_write_http(wsi, index_html, index_html_len) < 0)
                return 1;
            goto try_to_reuse;
+        case LWS_CALLBACK_OPENSSL_PERFORM_CLIENT_CERT_VERIFICATION:
+            if (!len || (SSL_get_verify_result((SSL*)in) != X509_V_OK)) {
+                int err = X509_STORE_CTX_get_error((X509_STORE_CTX*)user);
+                int depth = X509_STORE_CTX_get_error_depth((X509_STORE_CTX*)user);
+                const char* msg = X509_verify_cert_error_string(err);
+                lwsl_err("client certificate verification error: %s (%d), depth: %d\n", msg, err, depth);
+                return 1;
+            }
+            break;
        default:
            break;
    }
--- a/src/protocol.c
+++ b/src/protocol.c
@@ -133,7 +133,7 @@ thread_run_command(void *args) {
    pid_t pid = forkpty(&pty, NULL, NULL, NULL);

    switch (pid) {
-        case -1: /* */
+        case -1: /* error */
            lwsl_err("forkpty\n");
            break;
        case 0: /* child */
--- a/src/server.c
+++ b/src/server.c
@@ -61,10 +61,10 @@ void print_help() {
                    "    --client-option, -t     Send option to client (format: key=value), repeat to add more options\n"
                    "    --check-origin, -O      Do not allow websocket connection from different origin\n"
                    "    --once, -o              Accept only one client and exit on disconnection\n"
-                    "    --ssl, -S               Enable ssl\n"
-                    "    --ssl-cert, -C          Ssl certificate file path\n"
-                    "    --ssl-key, -K           Ssl key file path\n"
-                    "    --ssl-ca, -A            Ssl ca file path\n"
+                    "    --ssl, -S               Enable SSL\n"
+                    "    --ssl-cert, -C          SSL certificate file path\n"
+                    "    --ssl-key, -K           SSL key file path\n"
+                    "    --ssl-ca, -A            SSL CA file path for client certificate verification\n"
                    "    --debug, -d             Set log level (0-9, default: 7)\n"
                    "    --version, -v           Print the version and exit\n"
                    "    --help, -h              Print this text and exit\n",
@@ -332,6 +332,8 @@ main(int argc, char **argv) {
                "!DHE-RSA-AES256-SHA256:"
                "!AES256-GCM-SHA384:"
                "!AES256-SHA256";
+        if (strlen(info.ssl_ca_filepath) > 0)
+            info.options |= LWS_SERVER_OPTION_REQUIRE_VALID_OPENSSL_CLIENT_CERT;
 #if LWS_LIBRARY_VERSION_MAJOR == 2
        info.options |= LWS_SERVER_OPTION_REDIRECT_HTTP_TO_HTTPS;
 #endif