Load multiple CA certificates from a path instead of a file #3276

Open
CoRfr opened this issue Nov 13, 2024 · 2 comments
Comments

CoRfr commented Nov 13, 2024

ssl_ca_filepath needs to be set to a file, which results in a call to SSL_CTX_load_verify_file.
This appears to be the case both on client & server side.

There is no code path that makes it possible to use SSL_CTX_load_verify_dir to load multiple certificates from a directory.

Multiple certificates can still be loaded through ssl_ca_filepath as SSL_CTX_load_verify_file accepts a file that contains multiple certificates.

CoRfr added a commit to CoRfr/mosquitto that referenced this issue Nov 13, 2024
libwebsockets doesn't provide an option to provide a `capath`, i.e.
a directory that contains multiple certificates.
( warmcat/libwebsockets#3276 )

To avoid confusion, explicitly state that it's not supported for
websockets in the doc for mosquitto.conf, and add a warning if option is
provided while `capath` is not provided.
lws-team (Member) commented:

Hm... it's not true 'there is no code path...'.

When openssl is built, it has a default, platform-specific path decided at build time where it will check for its trust store (appended PEMs). You can look with strace while openssl is starting in your process to see the path it tries on your platform.

The other way is lws will call your protocol with

LWS_CALLBACK_OPENSSL_LOAD_EXTRA_SERVER_VERIFY_CERTS	= 22,
	/**< if configured for
	 * including OpenSSL support, this callback allows your user code
	 * to load extra certificates into the server which allow it to
	 * verify the validity of certificates returned by clients.  user
	 * is the server's OpenSSL SSL_CTX* and in is the lws_vhost */

There's also a client version; check lws-callbacks.h.

CoRfr (Author) commented Nov 13, 2024

Thanks @lws-team , that's a great point, I had missed these code paths.
It's a bit more cumbersome to use than having a run-time, user-provided value that results in a call to SSL_CTX_load_verify_dir, but technically it is possible.

I'll try to use LWS_CALLBACK_OPENSSL_LOAD_EXTRA_SERVER_VERIFY_CERTS for the app I'm working with ( eclipse-mosquitto/mosquitto#3164 )
