    94f3981b
    mbedtls: wrapper: client: Force mbedTLS to attempt to verify cert · 94f3981b
    Fabio Alessandrelli authored
    AG: unlike openssl, mbedtls does not load the system trust store.
    So this change will make client tls operations that work OK on openssl fail on
    mbedtls unless you provide the correct CA cert.
    
    This allows lws to distinguish between untrusted CAs, hostname
    mismatches, expired certificates.
    
    NOTE: LCCSCF_ALLOW_SELFSIGNED actually allows for untrusted CAs, and
    will also skip hostname verification. This is somewhat of a limitation of
    the current lws verification process.
    
    AG: improve error reporting up to the CLIENT_CONNECTION_ERROR argument
    and add a note specific to mbedtls in the test client.  Adapt the test
    client to note the CA requirement if built with mbedTLS.  Adapt the
    minimal test clients to have the CAs available and use them if mbedTLS.