From d2ec7adbab4bfb162ea3df516bd8e9bbf6957647 Mon Sep 17 00:00:00 2001
From: Andy Green <andy.green@linaro.org>
Date: Sat, 15 Mar 2014 10:39:29 +0800
Subject: [PATCH] ssl client use OS CA root certs by default

Signed-off-by: Andy Green <andy.green@linaro.org>
---
 CMakeLists.txt      | 6 ++++++
 changelog           | 6 ++++++
 config.h.cmake      | 3 +++
 lib/libwebsockets.c | 5 +++++
 4 files changed, 20 insertions(+)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 64b38834..103b3e00 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -34,6 +34,7 @@ if(GIT_EXECUTABLE)
 endif()
 
 option(LWS_WITH_SSL "Include SSL support (default OpenSSL, CyaSSL if LWS_USE_CYASSL is set)" ON)
+option(LWS_SSL_CLIENT_USE_OS_CA_CERTS "SSL support should make use of OS installed CA root certs" ON)
 option(LWS_USE_EXTERNAL_ZLIB "Search the system for ZLib instead of using the included one (on Windows)" OFF)
 option(LWS_USE_CYASSL "Use CyaSSL replacement for OpenSSL. When settings this, you also need to specify LWS_CYASSL_LIB and LWS_CYASSL_INCLUDE_DIRS" OFF)
 option(LWS_WITHOUT_BUILTIN_GETIFADDRS "Don't use BSD getifaddrs implementation from libwebsockets if it is missing (this will result in a compilation error) ... Default is your libc provides it. On some systems such as uclibc it doesn't exist." OFF)
@@ -88,6 +89,10 @@ if (LWS_WITH_SSL)
 	set(LWS_OPENSSL_SUPPORT 1)
 endif()
 
+if (LWS_SSL_CLIENT_USE_OS_CA_CERTS)
+	set(LWS_SSL_CLIENT_USE_OS_CA_CERTS 1)
+endif()
+
 if (LWS_WITH_LATENCY)
 	set(LWS_LATENCY 1)
 endif()
@@ -841,6 +846,7 @@ message("---------------------------------------------------------------------")
 message("  Settings:  (For more help do cmake -LH <srcpath>")
 message("---------------------------------------------------------------------")
 message(" LWS_WITH_SSL = ${LWS_WITH_SSL}  (SSL Support)")
+message(" LWS_SSL_CLIENT_USE_OS_CA_CERTS = ${LWS_SSL_CLIENT_USE_OS_CA_CERTS}")
 message(" LWS_USE_CYASSL = ${LWS_USE_CYASSL} (CyaSSL replacement for OpenSSL)")
 if (LWS_USE_CYASSL)
 	message("   LWS_CYASSL_LIB = ${LWS_CYASSL_LIB}")
diff --git a/changelog b/changelog
index e2f56f0d..f9ceaa23 100644
--- a/changelog
+++ b/changelog
@@ -51,6 +51,12 @@ that without getting involved in having to send the header by hand.
 A new info member http_proxy_address may be used at context creation time to
 set the http proxy.  If non-NULL, it overrides http_proxy environment var.
 
+Cmake supports LWS_SSL_CLIENT_USE_OS_CA_CERTS defaulting to on, which gets
+the client to use the OS CA Roots.  If you're worried somebody with the
+ability to forge for force creation of a client cert from the root CA in
+your OS, you should disable this since your selfsigned $0 cert is a lot safer
+then...
+
 
 v1.23-chrome32-firefox24
 ========================
diff --git a/config.h.cmake b/config.h.cmake
index e1dd8c09..87bd9498 100644
--- a/config.h.cmake
+++ b/config.h.cmake
@@ -17,6 +17,9 @@
 /* Build with OpenSSL support */
 #cmakedefine LWS_OPENSSL_SUPPORT
 
+/* The client should load and trust CA root certs it finds in the OS */
+#cmakedefine LWS_SSL_CLIENT_USE_OS_CA_CERTS
+
 /* Sets the path where the client certs should be installed. */
 #cmakedefine LWS_OPENSSL_CLIENT_CERTS "${LWS_OPENSSL_CLIENT_CERTS}"
 
diff --git a/lib/libwebsockets.c b/lib/libwebsockets.c
index 3cc5635f..4fd8f4d3 100644
--- a/lib/libwebsockets.c
+++ b/lib/libwebsockets.c
@@ -2268,6 +2268,11 @@ libwebsocket_create_context(struct lws_context_creation_info *info)
 			SSL_CTX_set_cipher_list(context->ssl_client_ctx,
 							info->ssl_cipher_list);
 
+#ifdef LWS_SSL_CLIENT_USE_OS_CA_CERTS
+		/* loads OS default CA certs */
+		SSL_CTX_set_default_verify_paths(context->ssl_client_ctx);
+#endif
+
 		/* openssl init for cert verification (for client sockets) */
 		if (!info->ssl_ca_filepath) {
 			if (!SSL_CTX_load_verify_locations(
-- 
GitLab