kapitan/IXWebSocket
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

(windows) when using OpenSSL, the system store is used to populate the cacert. No need to ship a cacert.pem file with your app.

Browse Source
This commit is contained in:
Benjamin Sergeant 2020-04-04 18:33:01 -07:00
parent d1cd5e62ac
commit f9d75c9374
3 changed files with 63 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
docs/CHANGELOG.md
View File

@ -1,6 +1,10 @@
# Changelog # Changelog
All changes to this project will be documented in this file. All changes to this project will be documented in this file.
## [9.2.1] - 2020-04-04
(windows) when using OpenSSL, the system store is used to populate the cacert. No need to ship a cacert.pem file with your app.
## [9.2.0] - 2020-04-04 ## [9.2.0] - 2020-04-04
(windows) ci: windows build with TLS (mbedtls) + verify that we can be build with OpenSSL (windows) ci: windows build with TLS (mbedtls) + verify that we can be build with OpenSSL

58
ixwebsocket/IXSocketOpenSSL.cpp
View File

@ -21,6 +21,57 @@
#endif #endif
#define socketerrno errno #define socketerrno errno
#ifdef _WIN32
namespace
{
bool loadWindowsSystemCertificates(SSL_CTX* ssl, std::string& errorMsg)
{
DWORD flags = CERT_STORE_READONLY_FLAG | CERT_STORE_OPEN_EXISTING_FLAG |
CERT_SYSTEM_STORE_CURRENT_USER;
HCERTSTORE systemStore = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0, flags, L"Root");
if (!systemStore)
{
errorMsg = "CertOpenStore failed with ";
errorMsg += std::to_string(GetLastError());
return false;
}
PCCERT_CONTEXT certificateIterator = NULL;
X509_STORE* opensslStore = SSL_CTX_get_cert_store(ssl);
int certificateCount = 0;
while (certificateIterator = CertEnumCertificatesInStore(systemStore, certificateIterator))
{
X509* x509 = d2i_X509(NULL,
(const unsigned char**) &certificateIterator->pbCertEncoded,
certificateIterator->cbCertEncoded);
if (x509)
{
if (X509_STORE_add_cert(opensslStore, x509) == 1)
{
++certificateCount;
}
X509_free(x509);
}
}
CertFreeCertificateContext(certificateIterator);
CertCloseStore(systemStore, 0);
if (certificateCount == 0)
{
errorMsg = "No certificates found";
return false;
}
return true;
}
} // namespace
#endif
namespace ix namespace ix
{ {
const std::string kDefaultCiphers = const std::string kDefaultCiphers =
@ -336,6 +387,12 @@ namespace ix
{ {
if (_tlsOptions.isUsingSystemDefaults()) if (_tlsOptions.isUsingSystemDefaults())
{ {
#ifdef _WIN32
if (!loadWindowsSystemCertificates(_ssl_context, errMsg))
{
return false;
}
#else
if (SSL_CTX_set_default_verify_paths(_ssl_context) == 0) if (SSL_CTX_set_default_verify_paths(_ssl_context) == 0)
{ {
auto sslErr = ERR_get_error(); auto sslErr = ERR_get_error();
@ -343,6 +400,7 @@ namespace ix
errMsg += ERR_error_string(sslErr, nullptr); errMsg += ERR_error_string(sslErr, nullptr);
return false; return false;
} }
#endif
} }
else if (SSL_CTX_load_verify_locations( else if (SSL_CTX_load_verify_locations(
_ssl_context, _tlsOptions.caFile.c_str(), NULL) != 1) _ssl_context, _tlsOptions.caFile.c_str(), NULL) != 1)

2
ixwebsocket/IXWebSocketVersion.h
View File

@ -6,4 +6,4 @@
#pragma once #pragma once
#define IX_WEBSOCKET_VERSION "9.2.0" #define IX_WEBSOCKET_VERSION "9.2.1"