add callback to allow additional client verification certs
Signed-off-by: Andy Green <andy@warmcat.com>
diff --git a/lib/libwebsockets.c b/lib/libwebsockets.c
index f94b11c..aaf991a 100644
--- a/lib/libwebsockets.c
+++ b/lib/libwebsockets.c
@@ -1596,6 +1596,16 @@
LWS_OPENSSL_CLIENT_CERTS);
}
+ /*
+ * callback allowing user code to load extra verification certs
+ * helping the client to verify server identity
+ */
+
+ this->protocols[0].callback(this, wsi,
+ LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS,
+ this->ssl_client_ctx, NULL, 0);
+
+
if (this->use_ssl) {
/* openssl init for server sockets */
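Review bot: the return value of the new `this->protocols[0].callback(...)` invocation is discarded, so user code whose `SSL_CTX_load_verify_locations()` (or similar) call fails has no way to abort context creation, and the client goes on with an incomplete trust store and verification that will silently fail later. Consider capturing the return and failing context creation on nonzero, matching the "allow the handshake to proceed or kill the connection" convention the other callback reasons document. The hunk also does not show whether this call sits inside the conditional that guards `this->ssl_client_ctx`; if it does not, a build without OpenSSL will reference a member that is not compiled in. Minor: the two consecutive blank lines after the call can be collapsed to one.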
diff --git a/lib/libwebsockets.h b/lib/libwebsockets.h
index acb27b1..0890c9b 100644
--- a/lib/libwebsockets.h
+++ b/lib/libwebsockets.h
@@ -43,6 +43,7 @@
LWS_CALLBACK_BROADCAST,
LWS_CALLBACK_FILTER_NETWORK_CONNECTION,
LWS_CALLBACK_FILTER_PROTOCOL_CONNECTION,
+ LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS,
/* external poll() management support */
LWS_CALLBACK_ADD_POLL_FD,
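Review bot: inserting LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS ahead of LWS_CALLBACK_ADD_POLL_FD shifts the implicit value of every later enumerator (the external poll() management reasons), so a user callback compiled against the previous header will dispatch on the wrong reason until rebuilt. If the enum is meant to be stable across releases, append the new reason at the end instead; otherwise a changelog note that callers must recompile would be appropriate.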
@@ -201,6 +202,12 @@
* content before deciding to allow the handshake to proceed or
* to kill the connection.
*
+ * LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS: if configure for
+ * including OpenSSL support, this callback allows your user code
+ * to perform extra SSL_CTX_load_verify_locations() or similar
+ * calls to direct OpenSSL where to find certificates the client
+ * can use to confirm the remote server identity. @user is the
+ * OpenSSL SSL_CTX*
*
* The next four reasons are optional and only need taking care of if you
* will be integrating libwebsockets sockets into an external polling
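Review bot: "if configure for" should read "if configured for" in the new comment block. The text also does not say when the callback fires (once, during context creation, after the library's own default verify-location load, as the .c hunk shows) nor what, if anything, the return value does; since user code may want to abort when its certificates cannot be loaded, document the return semantics, and state what @wsi refers to at this point, since no client connection exists yet when the context is being created.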
diff --git a/libwebsockets-api-doc.html b/libwebsockets-api-doc.html
index cd3e70d..ecb17ca 100644
--- a/libwebsockets-api-doc.html
+++ b/libwebsockets-api-doc.html
@@ -580,7 +580,15 @@
to check for and read the supported header presence and
content before deciding to allow the handshake to proceed or
to kill the connection.
-<p>
+</blockquote>
+<h3>LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS</h3>
+<blockquote>
+if configure for
+including OpenSSL support, this callback allows your user code
+to perform extra <b>SSL_CTX_load_verify_locations</b> or similar
+calls to direct OpenSSL where to find certificates the client
+can use to confirm the remote server identity. <tt><b>user</b></tt> is the
+OpenSSL SSL_CTX*
<p>
The next four reasons are optional and only need taking care of if you
will be integrating libwebsockets sockets into an external polling
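Review bot: the rendered HTML repeats the "if configure for" typo from the header comment. The wording is identical to the header's kernel-doc block, which suggests libwebsockets-api-doc.html is generated from it; if so, fix the comment and regenerate rather than hand-editing this file, so the two copies do not drift. The swap of the stray `<p>` for the closing `</blockquote>` before the new `<h3>`/`<blockquote>` entry matches the layout of the surrounding entries.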