ssl client use OS CA root certs by default

Signed-off-by: Andy Green <andy.green@linaro.org>

ssl client use OS CA root certs by default
d2ec7adb · Andy Green · 5ac7e7ad · d2ec7adb · d2ec7adb · d2ec7adb
Commit d2ec7adb authored 11 years ago by Andy Green
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -34,6 +34,7 @@ if(GIT_EXECUTABLE)
 endif()
 option(LWS_WITH_SSL "Include SSL support (default OpenSSL, CyaSSL if LWS_USE_CYASSL is set)" ON)
+option(LWS_SSL_CLIENT_USE_OS_CA_CERTS "SSL support should make use of OS installed CA root certs" ON)
 option(LWS_USE_EXTERNAL_ZLIB "Search the system for ZLib instead of using the included one (on Windows)" OFF)
 option(LWS_USE_CYASSL "Use CyaSSL replacement for OpenSSL. When settings this, you also need to specify LWS_CYASSL_LIB and LWS_CYASSL_INCLUDE_DIRS" OFF)
 option(LWS_WITHOUT_BUILTIN_GETIFADDRS "Don't use BSD getifaddrs implementation from libwebsockets if it is missing (this will result in a compilation error) ... Default is your libc provides it. On some systems such as uclibc it doesn't exist." OFF)
@@ -88,6 +89,10 @@ if (LWS_WITH_SSL)
 	set(LWS_OPENSSL_SUPPORT 1)
 endif()
+if (LWS_SSL_CLIENT_USE_OS_CA_CERTS)
+	set(LWS_SSL_CLIENT_USE_OS_CA_CERTS 1)
+endif()
 if (LWS_WITH_LATENCY)
 	set(LWS_LATENCY 1)
 endif()
@@ -841,6 +846,7 @@ message("---------------------------------------------------------------------")
 message("  Settings:  (For more help do cmake -LH <srcpath>")
 message("---------------------------------------------------------------------")
 message(" LWS_WITH_SSL = ${LWS_WITH_SSL}  (SSL Support)")
+message(" LWS_SSL_CLIENT_USE_OS_CA_CERTS = ${LWS_SSL_CLIENT_USE_OS_CA_CERTS}")
 message(" LWS_USE_CYASSL = ${LWS_USE_CYASSL} (CyaSSL replacement for OpenSSL)")
 if (LWS_USE_CYASSL)
 	message("   LWS_CYASSL_LIB = ${LWS_CYASSL_LIB}")

--- a/changelog
+++ b/changelog
@@ -51,6 +51,12 @@ that without getting involved in having to send the header by hand.
 A new info member http_proxy_address may be used at context creation time to
 set the http proxy.  If non-NULL, it overrides http_proxy environment var.
+Cmake supports LWS_SSL_CLIENT_USE_OS_CA_CERTS defaulting to on, which gets
+the client to use the OS CA Roots.  If you're worried somebody with the
+ability to forge for force creation of a client cert from the root CA in
+your OS, you should disable this since your selfsigned $0 cert is a lot safer
+then...
 v1.23-chrome32-firefox24
 ========================

--- a/config.h.cmake
+++ b/config.h.cmake
@@ -17,6 +17,9 @@
 /* Build with OpenSSL support */
 #cmakedefine LWS_OPENSSL_SUPPORT
+/* The client should load and trust CA root certs it finds in the OS */
+#cmakedefine LWS_SSL_CLIENT_USE_OS_CA_CERTS
 /* Sets the path where the client certs should be installed. */
 #cmakedefine LWS_OPENSSL_CLIENT_CERTS "${LWS_OPENSSL_CLIENT_CERTS}"

--- a/lib/libwebsockets.c
+++ b/lib/libwebsockets.c
@@ -2268,6 +2268,11 @@ libwebsocket_create_context(struct lws_context_creation_info *info)
 			SSL_CTX_set_cipher_list(context->ssl_client_ctx,
 							info->ssl_cipher_list);
+#ifdef LWS_SSL_CLIENT_USE_OS_CA_CERTS
+		/* loads OS default CA certs */
+		SSL_CTX_set_default_verify_paths(context->ssl_client_ctx);
+#endif
 		/* openssl init for cert verification (for client sockets) */
 		if (!info->ssl_ca_filepath) {
 			if (!SSL_CTX_load_verify_locations(