add lws_init_vhost_client_ssl api to allow client ssl use on a vhost

Also add lwsws "enable-client-ssl": "1" vhost option to match.

Client cert in client ssl is not supported in lwsws; if someone wants it, it can be added.

Signed-off-by: Andy Green <andy@warmcat.com>
diff --git a/README.lwsws.md b/README.lwsws.md
index 219b6be..8600596 100644
--- a/README.lwsws.md
+++ b/README.lwsws.md
@@ -188,6 +188,7 @@
 
  - "`access-log`": "filepath"   sets where apache-compatible access logs will be written
 
+ - `"enable-client-ssl"`: `"1"` enables the vhost's client SSL context, you will need this if you plan to create client conections on the vhost that will use SSL.  You don't need it if you only want http / ws client connections.
 
 Mounts
 ------
diff --git a/changelog b/changelog
index c135cab..d48a7be 100644
--- a/changelog
+++ b/changelog
@@ -29,6 +29,12 @@
 5) Allow per-vhost setting of which protocol should get used
 when the protocol: header is not sent by the client
 
+New APIs
+--------
+
+1) lws_init_vhost_client_ssl() lets you also enable client SSL context on a
+vhost.
+
 
 v2.0.0
 ======
diff --git a/lib/context.c b/lib/context.c
index 02f18cd..c75ad50 100644
--- a/lib/context.c
+++ b/lib/context.c
@@ -485,6 +485,43 @@
 }
 
 /**
+ * lws_init_vhost_client_ssl() - also enable client SSL on an existing vhost
+ *
+ * @info: client ssl related info
+ * @vhost: which vhost to initialize client ssl operations on
+ *
+ * You only need to call this if you plan on using SSL client connections on
+ * the vhost.  For non-SSL client connections, it's not necessary to call this.
+ *
+ * The following members of @info are used during the call
+ *
+ *	 - @options must have LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT set,
+ *	     otherwise the call does nothing
+ *	 - @provided_client_ssl_ctx must be NULL to get a generated client
+ *	     ssl context, otherwise you can pass a prepared one in by setting it
+ *	 - @ssl_cipher_list may be NULL or set to the client valid cipher list
+ *	 - @ssl_ca_filepath may be NULL or client cert filepath
+ *	 - @ssl_cert_filepath may be NULL or client cert filepath
+ *	 - @ssl_private_key_filepath may be NULL or client cert private key
+ *
+ * You must create your vhost explicitly if you want to use this, so you have
+ * a pointer to the vhost.  Create the context first with the option flag
+ * LWS_SERVER_OPTION_EXPLICIT_VHOSTS and then call lws_create_vhost() with
+ * the same info struct.
+ */
+LWS_VISIBLE int
+lws_init_vhost_client_ssl(const struct lws_context_creation_info *info,
+			  struct lws_vhost *vhost)
+{
+	struct lws_context_creation_info i;
+
+	memcpy(&i, info, sizeof(i));
+	i.port = CONTEXT_PORT_NO_LISTEN;
+
+	return lws_context_init_client_ssl(&i, vhost);
+}
+
+/**
  * lws_create_context() - Create the websocket handler
  * @info:	pointer to struct with parameters
  *
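Review bot: The new doc line `@ssl_ca_filepath may be NULL or client cert filepath` repeats the description of `@ssl_cert_filepath`; going by its name this member is the CA file used to check the server's certificate, so it should read something like `@ssl_ca_filepath may be NULL or the filepath of the CA cert(s) used to verify the server`. The mix-up matters because a caller who leaves the CA path NULL on the strength of this comment may end up with a client context that has no explicit trust anchors configured. The comment also omits the return value; the visible paths of lws_context_init_client_ssl() return 0 on success, so a line such as `Returns 0 on success, nonzero if the client SSL context could not be set up` (to be confirmed against that function) would help. A short why-comment on `i.port = CONTEXT_PORT_NO_LISTEN;` is also worth adding, since the reason for overriding the caller's port is not visible in this hunk.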
diff --git a/lib/libwebsockets.h b/lib/libwebsockets.h
index a130e55..457f685 100644
--- a/lib/libwebsockets.h
+++ b/lib/libwebsockets.h
@@ -1631,6 +1631,10 @@
 lws_create_vhost(struct lws_context *context,
 		 struct lws_context_creation_info *info);
 
+LWS_VISIBLE int
+lws_init_vhost_client_ssl(const struct lws_context_creation_info *info,
+			  struct lws_vhost *vhost);
+
 LWS_VISIBLE struct lws_vhost *
 lws_vhost_get(struct lws *wsi);
 
diff --git a/lib/ssl-client.c b/lib/ssl-client.c
index 10fe444..2798f69 100644
--- a/lib/ssl-client.c
+++ b/lib/ssl-client.c
@@ -291,17 +291,17 @@
 
 
 int lws_context_init_client_ssl(struct lws_context_creation_info *info,
-			        struct lws_vhost *vhost)
+				struct lws_vhost *vhost)
 {
 #if defined(LWS_USE_POLARSSL)
 	return 0;
 #else
 #if defined(LWS_USE_MBEDTLS)
 #else
-	int error;
-	int n;
 	SSL_METHOD *method;
 	struct lws wsi;
+	int error;
+	int n;
 
 	if (!lws_check_opt(info->options, LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT))
 		return 0;
@@ -311,6 +311,7 @@
 		vhost->ssl_client_ctx = info->provided_client_ssl_ctx;
 		/* nothing for lib to delete */
 		vhost->user_supplied_ssl_ctx = 1;
+
 		return 0;
 	}
 
@@ -343,11 +344,10 @@
 	}
 
 #ifdef SSL_OP_NO_COMPRESSION
-	SSL_CTX_set_options(vhost->ssl_client_ctx,
-						 SSL_OP_NO_COMPRESSION);
+	SSL_CTX_set_options(vhost->ssl_client_ctx, SSL_OP_NO_COMPRESSION);
 #endif
 	SSL_CTX_set_options(vhost->ssl_client_ctx,
-				       SSL_OP_CIPHER_SERVER_PREFERENCE);
+			    SSL_OP_CIPHER_SERVER_PREFERENCE);
 	if (info->ssl_cipher_list)
 		SSL_CTX_set_cipher_list(vhost->ssl_client_ctx,
 						info->ssl_cipher_list);
diff --git a/lwsws/conf.c b/lwsws/conf.c
index f09d9ad..17c2d9d 100644
--- a/lwsws/conf.c
+++ b/lwsws/conf.c
@@ -64,6 +64,7 @@
 	"vhosts[].ws-protocols[].*",
 	"vhosts[].ws-protocols[]",
 	"vhosts[].keepalive_timeout",
+	"vhosts[].enable-client-ssl",
 };
 
 enum lejp_vhost_paths {
@@ -91,6 +92,7 @@
 	LEJPVP_PROTOCOL_NAME,
 	LEJPVP_PROTOCOL,
 	LEJPVP_KEEPALIVE_TIMEOUT,
+	LEJPVP_ENABLE_CLIENT_SSL,
 };
 
 #define MAX_PLUGIN_DIRS 10
@@ -107,6 +109,8 @@
 	struct lws_http_mount m;
 	const char **plugin_dirs;
 	int count_plugin_dirs;
+
+	unsigned int enable_client_ssl:1;
 };
 
 static void *
@@ -222,6 +226,7 @@
 		a->info->log_filepath = NULL;
 		a->info->options &= ~(LWS_SERVER_OPTION_UNIX_SOCK |
 				      LWS_SERVER_OPTION_STS);
+		a->enable_client_ssl = 0;
 	}
 
 	if (reason == LEJPCB_OBJECT_START &&
@@ -251,6 +256,8 @@
 	    (ctx->path_match == LEJPVP + 1 || !ctx->path[0]) &&
 	    a->valid) {
 
+		struct lws_vhost *vhost;
+
 		//lwsl_notice("%s\n", ctx->path);
 		if (!a->info->port) {
 			lwsl_err("Port required (eg, 443)");
@@ -259,12 +266,19 @@
 		a->valid = 0;
 		a->info->mounts = a->head;
 
-		if (!lws_create_vhost(a->context, a->info)) {
+		vhost = lws_create_vhost(a->context, a->info);
+		if (!vhost) {
 			lwsl_err("Failed to create vhost %s\n",
 				 a->info->vhost_name);
 			return 1;
 		}
 
+		if (a->enable_client_ssl) {
+			memset(a->info, 0, sizeof(*a->info));
+			a->info->options = LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT;
+			lws_init_vhost_client_ssl(a->info, vhost);
+		}
+
 		return 0;
 	}
 
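Review bot: In the `if (a->enable_client_ssl)` branch the result of `lws_init_vhost_client_ssl()` is discarded, so a vhost configured with "enable-client-ssl" still comes up when its client SSL context could not be created, and the failure only surfaces later when a client connection is attempted. The `memset(a->info, 0, sizeof(*a->info))` before it also wipes the parser's shared info struct; the per-vhost reset in the earlier hunk clears only selected members, which suggests the rest is expected to carry over to later vhosts, so zeroing it here looks unintended (that reset code is outside this hunk, so confirm). Using a local zeroed struct and checking the return value avoids both. The zeroed info also leaves ssl_ca_filepath NULL, so it is worth documenting which CA store the generated client context then uses to verify servers. The enclosing callback begins and ends outside this hunk.

```c
		/* … unchanged: lws_create_vhost() call and its failure check … */

		if (a->enable_client_ssl) {
			struct lws_context_creation_info i;

			/* local copy so the parser's a->info survives for later vhosts */
			memset(&i, 0, sizeof(i));
			i.options = LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT;
			if (lws_init_vhost_client_ssl(&i, vhost)) {
				lwsl_err("Failed to init client ssl on vhost %s\n",
					 a->info->vhost_name);
				return 1;
			}
		}
```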
@@ -413,6 +427,9 @@
 		a->p += snprintf(a->p, a->end - a->p, "%s", ctx->buf);
 		*(a->p)++ = '\0';
 		break;
+	case LEJPVP_ENABLE_CLIENT_SSL:
+		a->enable_client_ssl = arg_to_bool(ctx->buf);
+		return 0;
 
 	default:
 		return 0;