yaml error

.github/workflows/ccpp.yml

@@ -5,74 +5,23 @@ on:
     - 'docs/**'
 
 jobs:
-  linux:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v1
-    - name: make test
-      run: make test
-
-  mac_tsan_sectransport:
-    runs-on: macOS-latest
-    steps:
-    - uses: actions/checkout@v1
-    - name: make test_tsan
-      run: make test_tsan
-
-  mac_tsan_openssl:
-    runs-on: macOS-latest
-    steps:
-    - uses: actions/checkout@v1
-    - name: install openssl
-      run: brew install openssl
-    - name: make test
-      run: make test_tsan_openssl
-
-  mac_tsan_mbedtls:
-    runs-on: macOS-latest
-    steps:
-    - uses: actions/checkout@v1
-    - name: install mbedtls
-      run: brew install mbedtls
-    - name: make test
-      run: make test_tsan_mbedtls
-
-  windows_mbedtls:
+  #
+  #   Windows with OpenSSL is working but disabled as it takes 13 minutes (10 for openssl) to build with vcpkg
+  #
+  windows_openssl:
     runs-on: windows-latest
     steps:
     - uses: actions/checkout@v1
     - uses: seanmiddleditch/gha-setup-vsdevenv@master
     - run: |
         vcpkg install zlib:x64-windows
-        vcpkg install mbedtls:x64-windows
+        vcpkg install openssl:x64-windows
     - run: |
         mkdir build
         cd build
-        cmake -DCMAKE_TOOLCHAIN_FILE=c:/vcpkg/scripts/buildsystems/vcpkg.cmake -DCMAKE_CXX_COMPILER=cl.exe -DUSE_MBED_TLS=1 -DUSE_TLS=1 -DUSE_WS=1 -DUSE_TEST=1 ..
+        cmake -DCMAKE_TOOLCHAIN_FILE=c:/vcpkg/scripts/buildsystems/vcpkg.cmake -DCMAKE_CXX_COMPILER=cl.exe -DUSE_OPEN_SSL=1 -DUSE_TLS=1 -DUSE_WS=1 -DUSE_TEST=1 ..
     - run: cmake --build build
 
     # Running the unittest does not work, the binary cannot be found
     #- run: ../build/test/ixwebsocket_unittest.exe
     # working-directory: test
-
-#
-#   Windows with OpenSSL is working but disabled as it takes 13 minutes (10 for openssl) to build with vcpkg
-#
-#   windows_openssl:
-#     runs-on: windows-latest
-#     steps:
-#     - uses: actions/checkout@v1
-#     - uses: seanmiddleditch/gha-setup-vsdevenv@master
-#     - run: |
-#         vcpkg install zlib:x64-windows
-#         vcpkg install openssl:x64-windows
-#     - run: |
-#         mkdir build
-#         cd build
-#         cmake -DCMAKE_TOOLCHAIN_FILE=c:/vcpkg/scripts/buildsystems/vcpkg.cmake -DCMAKE_CXX_COMPILER=cl.exe -DUSE_OPEN_SSL=1 -DUSE_TLS=1 -DUSE_WS=1 -DUSE_TEST=1 ..
-#     - run: cmake --build build
-# 
-#     # Running the unittest does not work, the binary cannot be found
-#     #- run: ../build/test/ixwebsocket_unittest.exe
-#     # working-directory: test
-

docs/design.md

@@ -38,7 +38,7 @@ The regression test is running after each commit on github actions for multiple
 
 ## Limitations
 
-* On Windows and Android certificate validation needs to be setup so that SocketTLSOptions.caFile point to a pem file, such as the one distributed by Firefox. Unless that setup is done connecting to a wss endpoint will display an error. On Windows with mbedtls the message will contain `error in handshake : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed`.
+* On Android, or when using MbedTLS certificate validation needs to be setup so that SocketTLSOptions.caFile point to a pem file, such as the one distributed by [Firefox](https://curl.haxx.se/docs/caextract.html). Unless that setup is done connecting to a wss endpoint will display an error. On Windows with mbedtls the message will contain `error in handshake : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed`.
 * There is no convenient way to embed a ca cert.
 * Automatic reconnection works at the TCP socket level, and will detect remote end disconnects. However, if the device/computer network become unreachable (by turning off wifi), it is quite hard to reliably and timely detect it at the socket level using `recv` and `send` error codes. [Here](https://stackoverflow.com/questions/14782143/linux-socket-how-to-detect-disconnected-network-in-a-client-program) is a good discussion on the subject. This behavior is consistent with other runtimes such as node.js. One way to detect a disconnected device with low level C code is to do a name resolution with DNS but this can be expensive. Mobile devices have good and reliable API to do that.
 * The server code is using select to detect incoming data, and creates one OS thread per connection. This is not as scalable as strategies using epoll or kqueue.

ixwebsocket/IXSocketOpenSSL.cpp

@@ -21,6 +21,56 @@
 #endif
 #define socketerrno errno
 
+#ifdef _WIN32
+namespace
+{
+    bool loadWindowsSystemCertificates(SSL_CTX* ssl, std::string& errorMsg)
+    {
+        DWORD flags = CERT_STORE_READONLY_FLAG | CERT_STORE_OPEN_EXISTING_FLAG |
+                      CERT_SYSTEM_STORE_CURRENT_USER;
+        HCERTSTORE systemStore = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0, flags, L"Root");
+
+        if (!systemStore)
+        {
+            errorMsg = "CertOpenStore failed with " errorMsg += std::to_string(GetLastError());
+            return false;
+        }
+
+        PCCERT_CONTEXT certificateIterator = NULL;
+        X509_STORE* opensslStore = SSL_CTX_get_cert_store(ssl);
+
+        int certificateCount = 0;
+        while (certificateIterator = CertEnumCertificatesInStore(systemStore, certificateIterator))
+        {
+            X509* x509 = d2i_X509(NULL,
+                                  (const unsigned char**) &certificateIterator->pbCertEncoded,
+                                  certificateIterator->cbCertEncoded);
+
+            if (x509)
+            {
+                if (X509_STORE_add_cert(opensslStore, x509) == 1)
+                {
+                    ++certificateCount;
+                }
+
+                X509_free(x509);
+            }
+        }
+
+        CertFreeCertificateContext(certificateIterator);
+        CertCloseStore(systemStore, 0);
+
+        if (certificateCount == 0)
+        {
+            errorMsg = "No certificates found";
+            return false;
+        }
+
+        return true;
+    }
+} // namespace
+#endif
+
 namespace ix
 {
     const std::string kDefaultCiphers =
@@ -336,6 +386,12 @@ namespace ix
         {
             if (_tlsOptions.isUsingSystemDefaults())
             {
+#ifdef _WIN32
+                if (!loadWindowsSystemCertificates(_ssl_context))
+                {
+                    return false;
+                }
+#else
                 if (SSL_CTX_set_default_verify_paths(_ssl_context) == 0)
                 {
                     auto sslErr = ERR_get_error();
@@ -343,6 +399,7 @@ namespace ix
                     errMsg += ERR_error_string(sslErr, nullptr);
                     return false;
                 }
+#endif
             }
             else if (SSL_CTX_load_verify_locations(
                          _ssl_context, _tlsOptions.caFile.c_str(), NULL) != 1)