diff --git a/include/libwebsockets/lws-context-vhost.h b/include/libwebsockets/lws-context-vhost.h
old mode 100644
new mode 100755
index b3de140b5802737bb35ae65e786bb41c9885d306..93972b426c6c6f5e8442c22886732237c640f624
--- a/include/libwebsockets/lws-context-vhost.h
+++ b/include/libwebsockets/lws-context-vhost.h
@@ -502,6 +502,8 @@ struct lws_context_creation_info {
  * NULL... use this to load client key from memory instead of file */
 const char *client_ssl_ca_filepath;
 /**< VHOST: Client SSL context init: CA certificate filepath or NULL */
+ const char *client_ssl_ca_dirs[10];
+ /**< VHOST: Client SSL context init: CA certificate path or NULL */
 const void *client_ssl_ca_mem;
 /**< VHOST: Client SSL context init: CA certificate memory buffer or
  * NULL... use this to load CA cert from memory instead of file */
diff --git a/lib/tls/openssl/openssl-client.c b/lib/tls/openssl/openssl-client.c
old mode 100644
new mode 100755
index d8c56c518fe35e2c2fae714e9772d56b85f44df7..ca76727fec4537e1bff348bae3315a36153b5dc8
--- a/lib/tls/openssl/openssl-client.c
+++ b/lib/tls/openssl/openssl-client.c
@@ -34,6 +34,8 @@
 #include "private-lib-core.h"
 #include "private-lib-tls-openssl.h"
 
+static const int MAX_CLIENT_SSL_CA_NUMBER = 10;
+
 /*
  * Care: many openssl apis return 1 for success. These are translated to the
  * lws convention of 0 for success.
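Review bot: The array bound `10` in `const char *client_ssl_ca_dirs[10];` is a bare literal in the public header and is repeated as a separate `static const int MAX_CLIENT_SSL_CA_NUMBER = 10;` in the openssl-client.c @@ -34 hunk, so the two can drift apart silently; one `#define` in this header (e.g. `#define LWS_CLIENT_SSL_CA_DIRS_MAX 10`) used for both the array size and the loop bound keeps them tied, and a `static const int` cannot size the header array anyway. The doc comment `/**< VHOST: Client SSL context init: CA certificate path or NULL */` should say that this is an array of up to 10 CA *directory* paths (each is passed as the CApath argument of `SSL_CTX_load_verify_locations`, so OpenSSL expects hash-named certificate files in it), with unused entries left NULL. Inserting ten pointers in the middle of `struct lws_context_creation_info` also shifts every later member, which may matter to binaries built against the old layout if this tree cares about ABI — appending new members at the end avoids that. The `old mode 100644` / `new mode 100755` change on both files looks incidental to the change.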
@@ -953,6 +955,19 @@ lws_tls_client_create_vhost_context(struct lws_vhost *vh,
 #endif
 
 /* openssl init for cert verification (for client sockets) */
+ if (!ca_mem || !ca_mem_len) {
+ for (size_t i = 0; i < MAX_CLIENT_SSL_CA_NUMBER; i++) {
+ if ((info->client_ssl_ca_dirs[i] != NULL) &&
+ (!SSL_CTX_load_verify_locations(vh->tls.ssl_client_ctx, NULL, info->client_ssl_ca_dirs[i]))) {
+ lwsl_err(
+ "Unable to load SSL Client certs from %s "
+ "(set by info->client_ssl_ca_dirs[%d]) -- "
+ "client ssl isn't going to work\n",
+ info->client_ssl_ca_dirs[i], i);
+ }
+ }
+ }
+
 if (!ca_filepath && (!ca_mem || !ca_mem_len)) {
 #if defined(LWS_HAVE_SSL_CTX_load_verify_dir)
 if (!SSL_CTX_load_verify_dir(
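Review bot: `lwsl_err(... "[%d]" ..., i)` passes a `size_t` to `%d`, which is undefined behaviour in the format call, and `i < MAX_CLIENT_SSL_CA_NUMBER` compares `size_t` against `int`, so the loop should use `%zu` and a bound of matching type. More importantly, a directory that fails to load is only logged and the function carries on, and the unchanged condition `if (!ca_filepath && (!ca_mem || !ca_mem_len))` on the following line still fires when only `client_ssl_ca_dirs` was supplied, so the default verify directory is added on top of the caller's explicit CA directories — which widens the set of trusted roots beyond what was configured, if the intent was for explicit directories to replace the defaults (the rest of that branch is outside the hunk). I would record whether any directory was given, fail vhost creation on a load error using whatever failure value the surrounding code returns, and skip the default-path branch when explicit directories were loaded. `lws_tls_client_create_vhost_context` begins and ends outside the hunk.
```c
	/* openssl init for cert verification (for client sockets) */
	int have_ca_dir = 0;
	if (!ca_mem || !ca_mem_len) {
		for (size_t i = 0; i < (size_t)MAX_CLIENT_SSL_CA_NUMBER; i++) {
			if (!info->client_ssl_ca_dirs[i])
				continue;
			have_ca_dir = 1;
			if (!SSL_CTX_load_verify_locations(vh->tls.ssl_client_ctx,
							   NULL, info->client_ssl_ca_dirs[i])) {
				lwsl_err("Unable to load SSL Client certs from %s "
					 "(set by info->client_ssl_ca_dirs[%zu]) -- "
					 "client ssl isn't going to work\n",
					 info->client_ssl_ca_dirs[i], i);
				return 1; /* TODO: match this function's failure return convention */
			}
		}
	}

	/* only fall back to the default verify paths when the caller gave no CA source at all */
	if (!ca_filepath && !have_ca_dir && (!ca_mem || !ca_mem_len)) {
	/* … unchanged: default verify dir / default paths branch … */
```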