Commit fb8be050 authored by Andy Green's avatar Andy Green

add lws_init_vhost_client_ssl api to allow client ssl use on a vhost


Also add lwsws "enable-client-ssl": "1" vhost option to match.

Client cert in client ssl is not supported in lwsws, if someone wants it, it can be added.

Signed-off-by: default avatarAndy Green <andy@warmcat.com>
parent b6d229d7
......@@ -188,6 +188,7 @@ Other vhost options
- "`access-log`": "filepath" sets where apache-compatible access logs will be written
- `"enable-client-ssl"`: `"1"` enables the vhost's client SSL context, you will need this if you plan to create client conections on the vhost that will use SSL. You don't need it if you only want http / ws client connections.
Mounts
------
......
......@@ -29,6 +29,12 @@ Fixes
5) Allow per-vhost setting of which protocol should get used
when the protocol: header is not sent by the client
New APIs
--------
1) lws_init_vhost_client_ssl() lets you also enable client SSL context on a
vhost.
v2.0.0
======
......
......@@ -484,6 +484,43 @@ bail:
return NULL;
}
/**
* lws_init_vhost_client_ssl() - also enable client SSL on an existing vhost
*
* @info: client ssl related info
* @vhost: which vhost to initialize client ssl operations on
*
* You only need to call this if you plan on using SSL client connections on
* the vhost. For non-SSL client connections, it's not necessary to call this.
*
* The following members of @info are used during the call
*
* - @options must have LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT set,
* otherwise the call does nothing
* - @provided_client_ssl_ctx must be NULL to get a generated client
* ssl context, otherwise you can pass a prepared one in by setting it
* - @ssl_cipher_list may be NULL or set to the client valid cipher list
* - @ssl_ca_filepath may be NULL or client cert filepath
* - @ssl_cert_filepath may be NULL or client cert filepath
* - @ssl_private_key_filepath may be NULL or client cert private key
*
* You must create your vhost explicitly if you want to use this, so you have
* a pointer to the vhost. Create the context first with the option flag
* LWS_SERVER_OPTION_EXPLICIT_VHOSTS and then call lws_create_vhost() with
* the same info struct.
*/
LWS_VISIBLE int
lws_init_vhost_client_ssl(const struct lws_context_creation_info *info,
struct lws_vhost *vhost)
{
struct lws_context_creation_info i;
memcpy(&i, info, sizeof(i));
i.port = CONTEXT_PORT_NO_LISTEN;
return lws_context_init_client_ssl(&i, vhost);
}
/**
* lws_create_context() - Create the websocket handler
* @info: pointer to struct with parameters
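Review bot: The kerneldoc line `- @ssl_ca_filepath may be NULL or client cert filepath` looks like a copy of the `@ssl_cert_filepath` line below it; the CA file is the trust anchor the client context uses to verify the server's certificate, not a client cert, so I would change it to `- @ssl_ca_filepath may be NULL or the CA cert filepath used to verify server certs`. The comment also never states the return value, although callers will want to check it; something like `* Returns 0 on success or if SSL init is not enabled in @options, otherwise the nonzero result of lws_context_init_client_ssl()` would cover what the body shows (I cannot see the failure paths of lws_context_init_client_ssl from here, so the exact nonzero value is inferred). The body itself copies `*info` with memcpy without a NULL check, which matches the rest of this API but is worth a sentence in the doc: `@info must not be NULL`.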
......
......@@ -1631,6 +1631,10 @@ LWS_VISIBLE struct lws_vhost *
lws_create_vhost(struct lws_context *context,
struct lws_context_creation_info *info);
LWS_VISIBLE int
lws_init_vhost_client_ssl(const struct lws_context_creation_info *info,
struct lws_vhost *vhost);
LWS_VISIBLE struct lws_vhost *
lws_vhost_get(struct lws *wsi);
......
......@@ -291,17 +291,17 @@ lws_ssl_client_connect2(struct lws *wsi)
int lws_context_init_client_ssl(struct lws_context_creation_info *info,
struct lws_vhost *vhost)
struct lws_vhost *vhost)
{
#if defined(LWS_USE_POLARSSL)
return 0;
#else
#if defined(LWS_USE_MBEDTLS)
#else
int error;
int n;
SSL_METHOD *method;
struct lws wsi;
int error;
int n;
if (!lws_check_opt(info->options, LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT))
return 0;
......@@ -311,6 +311,7 @@ int lws_context_init_client_ssl(struct lws_context_creation_info *info,
vhost->ssl_client_ctx = info->provided_client_ssl_ctx;
/* nothing for lib to delete */
vhost->user_supplied_ssl_ctx = 1;
return 0;
}
......@@ -343,11 +344,10 @@ int lws_context_init_client_ssl(struct lws_context_creation_info *info,
}
#ifdef SSL_OP_NO_COMPRESSION
SSL_CTX_set_options(vhost->ssl_client_ctx,
SSL_OP_NO_COMPRESSION);
SSL_CTX_set_options(vhost->ssl_client_ctx, SSL_OP_NO_COMPRESSION);
#endif
SSL_CTX_set_options(vhost->ssl_client_ctx,
SSL_OP_CIPHER_SERVER_PREFERENCE);
SSL_OP_CIPHER_SERVER_PREFERENCE);
if (info->ssl_cipher_list)
SSL_CTX_set_cipher_list(vhost->ssl_client_ctx,
info->ssl_cipher_list);
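Review bot: The `return 0;` added right after `vhost->user_supplied_ssl_ctx = 1;` means a caller-provided context skips everything that follows in lws_context_init_client_ssl, including the `info->ssl_cipher_list` application visible in the third hunk and whatever else sits between the hunks; that is presumably intended, since the caller has already configured its own ctx, but nothing says so and a reader may expect `ssl_cipher_list` to still be honoured. I would add a comment above the early return: `/* caller owns and has fully configured this ctx; cipher list and cert setup below do not apply */`. The enclosing function starts before the first hunk and ends after the last one, so I cannot confirm there is no required per-vhost bookkeeping after this point that the early return now skips.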
......
......@@ -64,6 +64,7 @@ static const char * const paths_vhosts[] = {
"vhosts[].ws-protocols[].*",
"vhosts[].ws-protocols[]",
"vhosts[].keepalive_timeout",
"vhosts[].enable-client-ssl",
};
enum lejp_vhost_paths {
......@@ -91,6 +92,7 @@ enum lejp_vhost_paths {
LEJPVP_PROTOCOL_NAME,
LEJPVP_PROTOCOL,
LEJPVP_KEEPALIVE_TIMEOUT,
LEJPVP_ENABLE_CLIENT_SSL,
};
#define MAX_PLUGIN_DIRS 10
......@@ -107,6 +109,8 @@ struct jpargs {
struct lws_http_mount m;
const char **plugin_dirs;
int count_plugin_dirs;
unsigned int enable_client_ssl:1;
};
static void *
......@@ -222,6 +226,7 @@ lejp_vhosts_cb(struct lejp_ctx *ctx, char reason)
a->info->log_filepath = NULL;
a->info->options &= ~(LWS_SERVER_OPTION_UNIX_SOCK |
LWS_SERVER_OPTION_STS);
a->enable_client_ssl = 0;
}
if (reason == LEJPCB_OBJECT_START &&
......@@ -251,6 +256,8 @@ lejp_vhosts_cb(struct lejp_ctx *ctx, char reason)
(ctx->path_match == LEJPVP + 1 || !ctx->path[0]) &&
a->valid) {
struct lws_vhost *vhost;
//lwsl_notice("%s\n", ctx->path);
if (!a->info->port) {
lwsl_err("Port required (eg, 443)");
......@@ -259,12 +266,19 @@ lejp_vhosts_cb(struct lejp_ctx *ctx, char reason)
a->valid = 0;
a->info->mounts = a->head;
if (!lws_create_vhost(a->context, a->info)) {
vhost = lws_create_vhost(a->context, a->info);
if (!vhost) {
lwsl_err("Failed to create vhost %s\n",
a->info->vhost_name);
return 1;
}
if (a->enable_client_ssl) {
memset(a->info, 0, sizeof(*a->info));
a->info->options = LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT;
lws_init_vhost_client_ssl(a->info, vhost);
}
return 0;
}
......@@ -413,6 +427,9 @@ lejp_vhosts_cb(struct lejp_ctx *ctx, char reason)
a->p += snprintf(a->p, a->end - a->p, "%s", ctx->buf);
*(a->p)++ = '\0';
break;
case LEJPVP_ENABLE_CLIENT_SSL:
a->enable_client_ssl = arg_to_bool(ctx->buf);
return 0;
default:
return 0;
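Review bot: In the `if (a->enable_client_ssl)` branch the result of `lws_init_vhost_client_ssl(a->info, vhost)` is discarded, so a vhost whose client SSL context failed to initialise is reported as created while later SSL client connections on it will fail, whereas the preceding `lws_create_vhost` failure is logged and returned; I would write `if (lws_init_vhost_client_ssl(a->info, vhost)) { lwsl_err("Failed to init client ssl on vhost\n"); return 1; }` (the vhost name cannot be printed here because the memset just above has zeroed `a->info`). That memset also clears `ssl_ca_filepath`, `ssl_cipher_list` and the other ssl_* members before the call, so the generated client context is built with library defaults rather than anything the vhost's JSON configured; if the vhost's CA path was meant to apply to verification of outgoing connections too, it is lost at this point, and a short comment stating that only defaults are used would stop the next reader assuming otherwise. The caller `lejp_vhosts_cb` starts and ends outside these hunks.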
......