(mbedtls) correct support for using own certificate and private key

2019-12-20 15:13:26 -08:00 · 2019-12-20 15:13:26 -08:00 · d1a4cab134
commit d1a4cab134
parent 8e7d310439
4 changed files with 20 additions and 4 deletions
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@ -1,6 +1,10 @@
 # Changelog
 All notable changes to this project will be documented in this file.

+## [7.6.2] - 2019-12-20
+
+(mbedtls) correct support for using own certificate and private key
+
 ## [7.6.1] - 2019-12-20

 (ws commands) in websocket proxy, disable automatic reconnections + in Dockerfile, use alpine 3.11
--- a/ixwebsocket/IXSocketMbedTLS.cpp
+++ b/ixwebsocket/IXSocketMbedTLS.cpp
@ -71,11 +71,16 @@ namespace ix

        if (_tlsOptions.hasCertAndKey())
        {
-            if (mbedtls_x509_crt_parse_file(&_cacert, _tlsOptions.certFile.c_str()) < 0)
+            if (mbedtls_x509_crt_parse_file(&_cert, _tlsOptions.certFile.c_str()) < 0)
            {
                errMsg = "Cannot parse cert file '" + _tlsOptions.certFile + "'";
                return false;
            }
+            if (mbedtls_pk_parse_keyfile(&_pkey, _tlsOptions.keyFile.c_str(), "") < 0)
+            {
+                errMsg = "Cannot parse key file '" + _tlsOptions.keyFile + "'";
+                return false;
+            }
        }

        if (_tlsOptions.isPeerVerifyDisabled())
@ -84,7 +89,7 @@ namespace ix
        }
        else
        {
-            mbedtls_ssl_conf_ca_chain(&_conf, &_cacert, NULL);
+            mbedtls_ssl_conf_authmode(&_conf, MBEDTLS_SSL_VERIFY_REQUIRED);

            // FIXME: should we call mbedtls_ssl_conf_verify ?

@ -97,7 +102,13 @@ namespace ix
                errMsg = "Cannot parse CA file '" + _tlsOptions.caFile + "'";
                return false;
            }
-            mbedtls_ssl_conf_authmode(&_conf, MBEDTLS_SSL_VERIFY_REQUIRED);
+
+            mbedtls_ssl_conf_ca_chain(&_conf, &_cacert, NULL);
+
+            if (_tlsOptions.hasCertAndKey())
+            {
+                mbedtls_ssl_conf_own_cert(&_conf, &_cert, &_pkey);
+            }
        }

        if (mbedtls_ssl_setup(&_ssl, &_conf) != 0)
--- a/ixwebsocket/IXSocketMbedTLS.h
+++ b/ixwebsocket/IXSocketMbedTLS.h
@ -45,6 +45,7 @@ namespace ix
        mbedtls_ctr_drbg_context _ctr_drbg;
        mbedtls_x509_crt _cacert;
        mbedtls_x509_crt _cert;
+        mbedtls_pk_context _pkey;

        std::mutex _mutex;
        SocketTLSOptions _tlsOptions;
--- a/ixwebsocket/IXWebSocketVersion.h
+++ b/ixwebsocket/IXWebSocketVersion.h
@ -6,4 +6,4 @@

 #pragma once

-#define IX_WEBSOCKET_VERSION "7.6.1"
+#define IX_WEBSOCKET_VERSION "7.6.2"