(windows + tls) mbedtls is the default windows tls backend + add ability to load system certificates with mbdetls on windows

CMakeLists.txt

@@ -123,8 +123,8 @@ if (USE_TLS)
       if (NOT USE_MBED_TLS AND NOT USE_OPEN_SSL) # unless we want something else
         set(USE_SECURE_TRANSPORT ON)
       endif()
-    # default to mbedtls on uwp (universal windows platform) if nothing is configured
-    elseif (${CMAKE_SYSTEM_NAME} MATCHES "WindowsStore")
+    # default to mbedtls on windows if nothing is configured
+    elseif (WIN32)
       if (NOT USE_OPEN_SSL) # unless we want something else
         set(USE_MBED_TLS ON)
       endif()

docs/CHANGELOG.md

@@ -1,6 +1,10 @@
 # Changelog
 All changes to this project will be documented in this file.
 
+## [9.6.1] - 2020-05-17
+
+(windows + tls) mbedtls is the default windows tls backend + add ability to load system certificates with mbdetls on windows
+
 ## [9.6.0] - 2020-05-12
 
 (ixbots) add options to limit how many messages per minute should be processed

ixwebsocket/IXSocketMbedTLS.cpp

@@ -43,6 +43,55 @@ namespace ix
         mbedtls_pk_init(&_pkey);
     }
 
+    bool SocketMbedTLS::loadSystemCertificates(std::string& errorMsg)
+    {
+#ifdef _WIN32
+        DWORD flags = CERT_STORE_READONLY_FLAG | CERT_STORE_OPEN_EXISTING_FLAG |
+                      CERT_SYSTEM_STORE_CURRENT_USER;
+        HCERTSTORE systemStore = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0, flags, L"Root");
+
+        if (!systemStore)
+        {
+            errorMsg = "CertOpenStore failed with ";
+            errorMsg += std::to_string(GetLastError());
+            return false;
+        }
+
+        PCCERT_CONTEXT certificateIterator = NULL;
+
+        int certificateCount = 0;
+        while (certificateIterator = CertEnumCertificatesInStore(systemStore, certificateIterator))
+        {
+            if (certificateIterator->dwCertEncodingType & X509_ASN_ENCODING)
+            {
+                int ret = mbedtls_x509_crt_parse(&_cacert,
+                                                 certificateIterator->pbCertEncoded,
+                                                 certificateIterator->cbCertEncoded);
+                if (ret == 0)
+                {
+                    ++certificateCount;
+                }
+            }
+        }
+
+        CertFreeCertificateContext(certificateIterator);
+        CertCloseStore(systemStore, 0);
+
+        if (certificateCount == 0)
+        {
+            errorMsg = "No certificates found";
+            return false;
+        }
+
+        return true;
+#else
+        // On macOS we can query the system cert location from the keychain
+        // On Linux we could try to fetch some local files based on the distribution
+        // On Android we could use JNI to get to the system certs
+        return false;
+#endif
+    }
+
     bool SocketMbedTLS::init(const std::string& host, bool isClient, std::string& errMsg)
     {
         initMBedTLS();
@@ -96,13 +145,15 @@ namespace ix
         }
         else
         {
-            mbedtls_ssl_conf_authmode(&_conf, MBEDTLS_SSL_VERIFY_REQUIRED);
-
             // FIXME: should we call mbedtls_ssl_conf_verify ?
+            mbedtls_ssl_conf_authmode(&_conf, MBEDTLS_SSL_VERIFY_REQUIRED);
 
             if (_tlsOptions.isUsingSystemDefaults())
             {
-                ; // FIXME
+                if (!loadSystemCertificates(errMsg))
+                {
+                    return false;
+                }
             }
             else
             {

ixwebsocket/IXSocketMbedTLS.h

@@ -52,6 +52,7 @@ namespace ix
 
         bool init(const std::string& host, bool isClient, std::string& errMsg);
         void initMBedTLS();
+        bool loadSystemCertificates(std::string& errMsg);
     };
 
 } // namespace ix

ixwebsocket/IXWebSocketVersion.h

@@ -6,4 +6,4 @@
 
 #pragma once
 
-#define IX_WEBSOCKET_VERSION "9.6.0"
+#define IX_WEBSOCKET_VERSION "9.6.1"