Added context creation parameter for CA certificates file.
diff --git a/lib/libwebsockets.c b/lib/libwebsockets.c
index 0263c80..fd4196a 100644
--- a/lib/libwebsockets.c
+++ b/lib/libwebsockets.c
@@ -2484,6 +2484,7 @@
* server cert from, otherwise NULL for unencrypted
* @ssl_private_key_filepath: filepath to private key if wanting SSL mode,
* else ignored
+ * @ssl_ca_filepath: CA certificate filepath or NULL
* @gid: group id to change to after setting listen socket, or -1.
* @uid: user id to change to after setting listen socket, or -1.
* @options: 0, or LWS_SERVER_OPTION_DEFEAT_CLIENT_MASK
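Review bot: The new `@ssl_ca_filepath` line says "or NULL" without saying what NULL means, yet the later hunk in this file makes NULL fall back to the compiled-in LWS_OPENSSL_CLIENT_CERTS directory rather than skipping CA loading, and the HTML doc hunk describes the same parameter as "else ignored", which does not match that behaviour. Suggest making the comment state the fallback explicitly: ` * @ssl_ca_filepath: file of CA certificates to trust for client connections, or NULL to use the compiled-in LWS_OPENSSL_CLIENT_CERTS directory`. If the HTML is generated from this comment (I cannot tell from the hunk), regenerating it would fix both places at once.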
@@ -2522,8 +2523,9 @@
struct libwebsocket_extension *extensions,
const char *ssl_cert_filepath,
const char *ssl_private_key_filepath,
+ const char *ssl_ca_filepath,
int gid, int uid, unsigned int options,
- void *user)
+ void *user)
{
int n;
int m;
@@ -2743,15 +2745,23 @@
}
/* openssl init for cert verification (for client sockets) */
-
- if (!SSL_CTX_load_verify_locations(
- context->ssl_client_ctx, NULL,
- LWS_OPENSSL_CLIENT_CERTS))
- fprintf(stderr,
- "Unable to load SSL Client certs from %s "
- "(set by --with-client-cert-dir= in configure) -- "
- " client ssl isn't going to work",
- LWS_OPENSSL_CLIENT_CERTS);
+ if (!ssl_ca_filepath) {
+ if (!SSL_CTX_load_verify_locations(
+ context->ssl_client_ctx, NULL,
+ LWS_OPENSSL_CLIENT_CERTS))
+ fprintf(stderr,
+ "Unable to load SSL Client certs from %s "
+ "(set by --with-client-cert-dir= in configure) -- "
+ " client ssl isn't going to work",
+ LWS_OPENSSL_CLIENT_CERTS);
+ } else
+ if (!SSL_CTX_load_verify_locations(
+ context->ssl_client_ctx, ssl_ca_filepath,
+ NULL))
+ fprintf(stderr,
+ "Unable to load SSL Client certs "
+ "file from %s -- client ssl isn't "
+ "going to work", ssl_ca_filepath);
/*
* callback allowing user code to load extra verification certs
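Review bot: When ssl_ca_filepath is supplied and SSL_CTX_load_verify_locations() fails, the new else branch only prints a warning and context creation carries on, so the caller gets a context whose client trust store is not the one it explicitly configured; whether later connections then fail or proceed without a usable trust anchor depends on the verify mode set on ssl_client_ctx, which is outside this hunk. A CA file the caller asked for but that cannot be loaded should be a hard error, so the misconfiguration surfaces at startup instead of at the first handshake, whereas the compiled-in-directory fallback can reasonably stay best-effort as before. Style-wise, `} else` followed by an unbraced multi-line `if` is inconsistent with the braced branch above it and easy to misread; `else if` with braces on both branches is clearer, and the new message, like the one it mirrors, has no trailing `\n`. libwebsocket_create_context() begins outside the hunk, so the existing failure/cleanup path is not visible here; the fence marks where it should be taken with a placeholder.
```c
	/* openssl init for cert verification (for client sockets) */
	if (ssl_ca_filepath) {
		if (!SSL_CTX_load_verify_locations(
				context->ssl_client_ctx, ssl_ca_filepath, NULL)) {
			fprintf(stderr,
				"Unable to load SSL Client certs "
				"file from %s -- client ssl isn't "
				"going to work\n", ssl_ca_filepath);
			/* PLACEHOLDER: release the context via this function's existing failure path and return NULL */
		}
	} else if (!SSL_CTX_load_verify_locations(
			context->ssl_client_ctx, NULL, LWS_OPENSSL_CLIENT_CERTS)) {
		/* … unchanged: warning about the LWS_OPENSSL_CLIENT_CERTS default directory … */
	}
```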
diff --git a/lib/libwebsockets.h b/lib/libwebsockets.h
index 6416611..6a612e6 100644
--- a/lib/libwebsockets.h
+++ b/lib/libwebsockets.h
@@ -646,7 +646,9 @@
struct libwebsocket_protocols *protocols,
struct libwebsocket_extension *extensions,
const char *ssl_cert_filepath,
- const char *ssl_private_key_filepath, int gid, int uid,
+ const char *ssl_private_key_filepath,
+ const char *ssl_ca_filepath,
+ int gid, int uid,
unsigned int options, void *user);
LWS_EXTERN void
diff --git a/libwebsockets-api-doc.html b/libwebsockets-api-doc.html
index e908d14..6ed0b1c 100644
--- a/libwebsockets-api-doc.html
+++ b/libwebsockets-api-doc.html
@@ -224,6 +224,7 @@
<i>struct libwebsocket_extension *</i> <b>extensions</b>,
<i>const char *</i> <b>ssl_cert_filepath</b>,
<i>const char *</i> <b>ssl_private_key_filepath</b>,
+<i>const char *</i> <b>ssl_ca_filepath</b>,
<i>int</i> <b>gid</b>,
<i>int</i> <b>uid</b>,
<i>unsigned int</i> <b>options</b>,
@@ -252,6 +253,9 @@
<dt><b>ssl_private_key_filepath</b>
<dd>filepath to private key if wanting SSL mode,
else ignored
+<dt><b>ssl_ca_filepath</b>
+<dd>filepath to CA certificates file if wanting SSL mode,
+else ignored
<dt><b>gid</b>
<dd>group id to change to after setting listen socket, or -1.
<dt><b>uid</b>
diff --git a/test-server/test-client.c b/test-server/test-client.c
index 6db609c..babdea8 100644
--- a/test-server/test-client.c
+++ b/test-server/test-client.c
@@ -258,7 +258,7 @@
context = libwebsocket_create_context(CONTEXT_PORT_NO_LISTEN, NULL,
protocols, libwebsocket_internal_extensions,
- NULL, NULL, -1, -1, 0, NULL);
+ NULL, NULL, NULL, -1, -1, 0, NULL);
if (context == NULL) {
fprintf(stderr, "Creating libwebsocket context failed\n");
return 1;
diff --git a/test-server/test-fraggle.c b/test-server/test-fraggle.c
index de544fe..9c2a166 100644
--- a/test-server/test-fraggle.c
+++ b/test-server/test-fraggle.c
@@ -301,7 +301,7 @@
context = libwebsocket_create_context(server_port, interface, protocols,
libwebsocket_internal_extensions,
- cert_path, key_path, -1, -1, opts, NULL);
+ cert_path, key_path, NULL, -1, -1, opts, NULL);
if (context == NULL) {
fprintf(stderr, "libwebsocket init failed\n");
return -1;
diff --git a/test-server/test-ping.c b/test-server/test-ping.c
index 476ef0b..864a028 100644
--- a/test-server/test-ping.c
+++ b/test-server/test-ping.c
@@ -403,7 +403,7 @@
context = libwebsocket_create_context(CONTEXT_PORT_NO_LISTEN, NULL,
protocols,
libwebsocket_internal_extensions,
- NULL, NULL, -1, -1, 0, NULL);
+ NULL, NULL, NULL, -1, -1, 0, NULL);
if (context == NULL) {
fprintf(stderr, "Creating libwebsocket context failed\n");
return 1;
diff --git a/test-server/test-server-extpoll.c b/test-server/test-server-extpoll.c
index f2f68b4..1eb2d10 100644
--- a/test-server/test-server-extpoll.c
+++ b/test-server/test-server-extpoll.c
@@ -484,7 +484,8 @@
context = libwebsocket_create_context(port, interface_ptr, protocols,
libwebsocket_internal_extensions,
- cert_path, key_path, -1, -1, opts, NULL);
+ cert_path, key_path, NULL, -1, -1,
+ opts, NULL);
if (context == NULL) {
fprintf(stderr, "libwebsocket init failed\n");
return -1;
diff --git a/test-server/test-server.c b/test-server/test-server.c
index 9617194..d202c1d 100644
--- a/test-server/test-server.c
+++ b/test-server/test-server.c
@@ -447,7 +447,7 @@
context = libwebsocket_create_context(port, interface, protocols,
libwebsocket_internal_extensions,
- cert_path, key_path, -1, -1, opts, NULL);
+ cert_path, key_path, NULL, -1, -1, opts, NULL);
if (context == NULL) {
fprintf(stderr, "libwebsocket init failed\n");
return -1;