support for client authentication based on certs
diff --git a/lib/libwebsockets.c b/lib/libwebsockets.c
index 2cb3ab0..42deebd 100644
--- a/lib/libwebsockets.c
+++ b/lib/libwebsockets.c
@@ -2060,6 +2060,40 @@
* helping the client to verify server identity
*/
+ /* support for client-side certificate authentication */
+ if (info->ssl_cert_filepath) {
+ n = SSL_CTX_use_certificate_chain_file(
+ context->ssl_client_ctx,
+ info->ssl_cert_filepath);
+ if (n != 1) {
+ lwsl_err("problem getting cert '%s' %lu: %s\n",
+ info->ssl_cert_filepath,
+ ERR_get_error(),
+ ERR_error_string(ERR_get_error(),
+ (char *)context->service_buffer));
+ goto bail;
+ }
+ }
+ if (info->ssl_private_key_filepath) {
+ /* set the private key from KeyFile */
+ if (SSL_CTX_use_PrivateKey_file(context->ssl_client_ctx,
+ info->ssl_private_key_filepath,
+ SSL_FILETYPE_PEM) != 1) {
+ lwsl_err("use_PrivateKey_file '%s' %lu: %s\n",
+ info->ssl_private_key_filepath,
+ ERR_get_error(),
+ ERR_error_string(ERR_get_error(),
+ (char *)context->service_buffer));
+ goto bail;
+ }
+
+ /* verify private key */
+ if (!SSL_CTX_check_private_key(context->ssl_client_ctx)) {
+ lwsl_err("Private SSL key doesn't match cert\n");
+ goto bail;
+ }
+ }
+
context->protocols[0].callback(context, NULL,
LWS_CALLBACK_OPENSSL_LOAD_EXTRA_CLIENT_VERIFY_CERTS,
context->ssl_client_ctx, NULL, 0);
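Review bot: Both new error paths (the `lwsl_err` calls for the cert and for the private key) call `ERR_get_error()` twice in one argument list, and each call pops an entry from OpenSSL's error queue, so the `%lu` code and the `%s` text describe two different errors (the second is often 0, "error:00000000:lib(0)") and C does not even fix which call runs first. Fetch the code once, `unsigned long err = ERR_get_error();`, and pass `err` to both the `%lu` argument and `ERR_error_string`; if `context->service_buffer` is a sized array, prefer `ERR_error_string_n(err, buf, sizeof buf)` since `ERR_error_string` assumes at least 120 bytes and the buffer size is not visible in this hunk. Separately, `SSL_CTX_check_private_key` only runs inside the `ssl_private_key_filepath` branch, so a caller who sets `ssl_cert_filepath` without a key gets a context that is accepted here and only fails at handshake time; consider treating a cert path without a key path as a configuration error up front, or document that both must be supplied together. The enclosing function (and the `bail` label) starts and ends outside this hunk.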