(openssl security fix) in the client to server connection, peer verification is not done in all cases. See https://github.com/machinezone/IXWebSocket/pull/250

docs/CHANGELOG.md

@@ -2,6 +2,14 @@
 
 All changes to this project will be documented in this file.
 
+## [11.0.0] - 2020-11-11
+
+(openssl security fix) in the client to server connection, peer verification is not done in all cases. See https://github.com/machinezone/IXWebSocket/pull/250
+
+## [10.5.7] - 2020-11-07
+
+(docker) build docker container with zlib disabled
+
 ## [10.5.6] - 2020-11-07
 
 (cmake) DEFLATE -> Deflate in CMake to stop warnings about casing

ixwebsocket/IXGzipCodec.cpp

@@ -20,9 +20,11 @@
 
 namespace ix
 {
-#ifdef IXWEBSOCKET_USE_ZLIB
     std::string gzipCompress(const std::string& str)
     {
+#ifndef IXWEBSOCKET_USE_ZLIB
+        return std::string();
+#else
 #ifdef IXWEBSOCKET_USE_DEFLATE
         int compressionLevel = 6;
         struct libdeflate_compressor* compressor;
@@ -99,7 +101,8 @@ namespace ix
         deflateEnd(&zs);
 
         return outstring;
-#endif
+#endif // IXWEBSOCKET_USE_DEFLATE
+#endif // IXWEBSOCKET_USE_ZLIB
     }
 
 #ifdef IXWEBSOCKET_USE_DEFLATE
@@ -112,6 +115,9 @@ namespace ix
 
     bool gzipDecompress(const std::string& in, std::string& out)
     {
+#ifndef IXWEBSOCKET_USE_ZLIB
+        return false;
+#else
 #ifdef IXWEBSOCKET_USE_DEFLATE
         struct libdeflate_decompressor* decompressor;
         decompressor = libdeflate_alloc_decompressor();
@@ -171,7 +177,7 @@ namespace ix
 
         inflateEnd(&inflateState);
         return true;
-#endif
+#endif // IXWEBSOCKET_USE_DEFLATE
+#endif // IXWEBSOCKET_USE_ZLIB
     }
-#endif
 } // namespace ix

ixwebsocket/IXSocketOpenSSL.cpp

@@ -503,14 +503,13 @@ namespace ix
                         errMsg += ERR_error_string(sslErr, nullptr);
                         return false;
                     }
-
-                    SSL_CTX_set_verify(
-                        _ssl_context, SSL_VERIFY_PEER, [](int preverify, X509_STORE_CTX*) -> int {
-                            return preverify;
-                        });
-                    SSL_CTX_set_verify_depth(_ssl_context, 4);
                 }
             }
+
+            SSL_CTX_set_verify(_ssl_context,
+                               SSL_VERIFY_PEER,
+                               [](int preverify, X509_STORE_CTX*) -> int { return preverify; });
+            SSL_CTX_set_verify_depth(_ssl_context, 4);
         }
         else
         {

ixwebsocket/IXWebSocketVersion.h

@@ -6,4 +6,4 @@
 
 #pragma once
 
-#define IX_WEBSOCKET_VERSION "10.5.6"
+#define IX_WEBSOCKET_VERSION "10.6.0"

makefile

@@ -28,7 +28,7 @@ brew:
 # server side ?) and I can't work-around it easily, so we're using mbedtls on
 # Linux for the SSL backend, which works great.
 ws_mbedtls_install:
-	mkdir -p build && (cd build ; cmake -GNinja -DCMAKE_BUILD_TYPE=MinSizeRel -DUSE_PYTHON=1 -DUSE_TLS=1 -DUSE_WS=1 -DUSE_MBED_TLS=1 .. ; ninja install)
+	mkdir -p build && (cd build ; cmake -GNinja -DCMAKE_BUILD_TYPE=MinSizeRel -DUSE_ZLIB=OFF -DUSE_PYTHON=1 -DUSE_TLS=1 -DUSE_WS=1 -DUSE_MBED_TLS=1 .. ; ninja install)
 
 ws:
 	mkdir -p build && (cd build ; cmake -GNinja -DCMAKE_BUILD_TYPE=Debug -DUSE_PYTHON=1 -DUSE_TLS=1 -DUSE_WS=1 .. && ninja install)