629783f3aa
Behavior is defined by the SSL flags passed via the context. Simplified port of the patch submitted to and accepted in the lws master branch (PR 1215)
75 lines
2.9 KiB
diff --git a/thirdparty/lws/client/ssl-client.c b/thirdparty/lws/client/ssl-client.c
index 6626e0844..962c6e3cb 100644
--- a/thirdparty/lws/client/ssl-client.c
+++ b/thirdparty/lws/client/ssl-client.c
@@ -176,11 +176,7 @@ lws_ssl_client_bio_create(struct lws *wsi)
#endif
#else
#if defined(LWS_WITH_MBEDTLS)
- if (wsi->vhost->x509_client_CA)
- SSL_set_verify(wsi->ssl, SSL_VERIFY_PEER, OpenSSL_client_verify_callback);
- else
- SSL_set_verify(wsi->ssl, SSL_VERIFY_NONE, OpenSSL_client_verify_callback);
-
+ SSL_set_verify(wsi->ssl, SSL_VERIFY_PEER, OpenSSL_client_verify_callback);
#else
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
SSL_set_tlsext_host_name(wsi->ssl, hostname);
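Review bot: After this change the mbedtls client path registers SSL_VERIFY_PEER even when no x509_client_CA is loaded, and because the same commit maps SSL_VERIFY_PEER to MBEDTLS_SSL_VERIFY_OPTIONAL in ssl_pm.c, a vhost without a CA bundle now completes the handshake against an untrusted server certificate and depends entirely on the post-handshake verify-result check to reject it. That is a fail-open design if any caller skips that check, and the line gives no hint of it; I would add above it `/* mbedtls: verification is OPTIONAL at handshake time; the result is enforced afterwards via the verify result and the LCCSCF_* connect flags */`. Whether OpenSSL_client_verify_callback still fires in OPTIONAL mode is not visible from this hunk and is worth confirming before relying on it. lws_ssl_client_bio_create begins before this hunk and continues after it.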
diff --git a/thirdparty/lws/mbedtls_wrapper/platform/ssl_pm.c b/thirdparty/lws/mbedtls_wrapper/platform/ssl_pm.c
index 63504919c..4e3d61109 100644
--- a/thirdparty/lws/mbedtls_wrapper/platform/ssl_pm.c
+++ b/thirdparty/lws/mbedtls_wrapper/platform/ssl_pm.c
@@ -218,7 +218,7 @@ static int ssl_pm_reload_crt(SSL *ssl)
struct x509_pm *crt_pm = (struct x509_pm *)ssl->cert->x509->x509_pm;
if (ssl->verify_mode == SSL_VERIFY_PEER)
- mode = MBEDTLS_SSL_VERIFY_REQUIRED;
+ mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
else if (ssl->verify_mode == SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
else if (ssl->verify_mode == SSL_VERIFY_CLIENT_ONCE)
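Review bot: Mapping SSL_VERIFY_PEER to MBEDTLS_SSL_VERIFY_OPTIONAL means mbedtls no longer aborts the handshake on a failed chain verification, so the connection is only safe if every caller consults the verify result afterwards and closes on anything it was not explicitly configured to tolerate; the new line documents none of that contract. I would annotate it: `mode = MBEDTLS_SSL_VERIFY_OPTIONAL; /* handshake completes on failure; caller must check ssl_pm_get_verify_result() */`. If ssl_pm_reload_crt is also reached for server-side contexts, the same downgrade applies to client-certificate authentication, which would then accept an unverifiable client cert at handshake time unless the server checks the result too; that is not visible here and should be confirmed. ssl_pm_reload_crt begins before this hunk and continues after it.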
@@ -712,11 +712,39 @@ long ssl_pm_get_verify_result(const SSL *ssl)
struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
ret = mbedtls_ssl_get_verify_result(&ssl_pm->ssl);
- if (ret) {
- SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_get_verify_result() return 0x%x", ret);
+
+ if (!ret)
+ return X509_V_OK;
+
+ if (ret & MBEDTLS_X509_BADCERT_NOT_TRUSTED ||
+ (ret & MBEDTLS_X509_BADCRL_NOT_TRUSTED))
+ // Allows us to use LCCSCF_ALLOW_SELFSIGNED to skip verification
+ verify_result = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
+
+ else if (ret & MBEDTLS_X509_BADCERT_CN_MISMATCH)
+ verify_result = X509_V_ERR_HOSTNAME_MISMATCH;
+
+ else if ((ret & MBEDTLS_X509_BADCERT_BAD_KEY) ||
+ (ret & MBEDTLS_X509_BADCRL_BAD_KEY))
+ verify_result = X509_V_ERR_CA_KEY_TOO_SMALL;
+
+ else if ((ret & MBEDTLS_X509_BADCERT_BAD_MD) ||
+ (ret & MBEDTLS_X509_BADCRL_BAD_MD))
+ verify_result = X509_V_ERR_CA_MD_TOO_WEAK;
+
+ else if ((ret & MBEDTLS_X509_BADCERT_FUTURE) ||
+ (ret & MBEDTLS_X509_BADCRL_FUTURE))
+ verify_result = X509_V_ERR_CERT_NOT_YET_VALID;
+
+ else if ((ret & MBEDTLS_X509_BADCERT_EXPIRED) ||
+ (ret & MBEDTLS_X509_BADCRL_EXPIRED))
+ verify_result = X509_V_ERR_CERT_HAS_EXPIRED;
+
+ else
verify_result = X509_V_ERR_UNSPECIFIED;
- } else
- verify_result = X509_V_OK;
+
+ SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL,
+ "mbedtls_ssl_get_verify_result() return 0x%x", ret);
return verify_result;
}
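Review bot: The branch order in the new mapping hides a hostname mismatch whenever the chain is also untrusted: MBEDTLS_X509_BADCERT_NOT_TRUSTED is tested first, so a certificate that is both from an unknown issuer and issued for the wrong name is reported only as X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, and a caller that tolerates self-signed certificates (the LCCSCF_ALLOW_SELFSIGNED case the comment mentions) never learns about the name mismatch. Move the `else if (ret & MBEDTLS_X509_BADCERT_CN_MISMATCH)` / `verify_result = X509_V_ERR_HOSTNAME_MISMATCH;` pair ahead of the NOT_TRUSTED test so the more specific failure wins. Note also that NOT_TRUSTED is set for any chain whose root is absent from the loaded CA set, not only for self-signed certificates, so the comment on that branch should say so, e.g. `/* NOT_TRUSTED also covers unknown-CA chains; a caller allowing self-signed certs accepts those as well */`. Since the function now logs at SSL_PLATFORM_ERROR_LEVEL on every non-OK result, including ones the caller deliberately tolerates, consider lowering that level or logging only when the result is not tolerated.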