update gitignore file

.gitignore

@@ -1,3 +1,7 @@
 build
 *.pyc
 venv
+ixsnake/ixsnake/.certs/
+site/
+ws/.certs/
+ws/.srl

Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:edge as build
+FROM alpine:3.11 as build
 
 RUN apk add --no-cache gcc g++ musl-dev linux-headers cmake openssl-dev 
 RUN apk add --no-cache make
@@ -16,7 +16,7 @@ WORKDIR /opt
 USER app
 RUN [ "make", "ws_install" ]
 
-FROM alpine:edge as runtime
+FROM alpine:3.11 as runtime
 
 RUN apk add --no-cache libstdc++
 RUN apk add --no-cache strace

docs/CHANGELOG.md

@@ -1,6 +1,18 @@
 # Changelog
 All notable changes to this project will be documented in this file.
 
+## [7.6.3] - 2019-12-20
+
+(tls) add a simple description of the TLS configuration routine for debugging
+
+## [7.6.2] - 2019-12-20
+
+(mbedtls) correct support for using own certificate and private key
+
+## [7.6.1] - 2019-12-20
+
+(ws commands) in websocket proxy, disable automatic reconnections + in Dockerfile, use alpine 3.11
+
 ## [7.6.0] - 2019-12-19
 
 (cobra) Add TLS options to all cobra commands and classes. Add example to the doc.

ixcobra/ixcobra/IXCobraMetricsThreadedPublisher.cpp

@@ -98,6 +98,8 @@ namespace ix
     {
         _channel = channel;
 
+        ix::IXCoreLogger::Log(socketTLSOptions.getDescription().c_str());
+
         ix::WebSocketPerMessageDeflateOptions webSocketPerMessageDeflateOptions(enablePerMessageDeflate);
         _cobra_connection.configure(appkey, endpoint,
                                     rolename, rolesecret,

ixwebsocket/IXSocketMbedTLS.cpp

@@ -71,11 +71,16 @@ namespace ix
 
         if (_tlsOptions.hasCertAndKey())
         {
-            if (mbedtls_x509_crt_parse_file(&_cacert, _tlsOptions.certFile.c_str()) < 0)
+            if (mbedtls_x509_crt_parse_file(&_cert, _tlsOptions.certFile.c_str()) < 0)
             {
                 errMsg = "Cannot parse cert file '" + _tlsOptions.certFile + "'";
                 return false;
             }
+            if (mbedtls_pk_parse_keyfile(&_pkey, _tlsOptions.keyFile.c_str(), "") < 0)
+            {
+                errMsg = "Cannot parse key file '" + _tlsOptions.keyFile + "'";
+                return false;
+            }
         }
 
         if (_tlsOptions.isPeerVerifyDisabled())
@@ -84,7 +89,7 @@ namespace ix
         }
         else
         {
-            mbedtls_ssl_conf_ca_chain(&_conf, &_cacert, NULL);
+            mbedtls_ssl_conf_authmode(&_conf, MBEDTLS_SSL_VERIFY_REQUIRED);
 
             // FIXME: should we call mbedtls_ssl_conf_verify ?
 
@@ -97,7 +102,13 @@ namespace ix
                 errMsg = "Cannot parse CA file '" + _tlsOptions.caFile + "'";
                 return false;
             }
-            mbedtls_ssl_conf_authmode(&_conf, MBEDTLS_SSL_VERIFY_REQUIRED);
+
+            mbedtls_ssl_conf_ca_chain(&_conf, &_cacert, NULL);
+
+            if (_tlsOptions.hasCertAndKey())
+            {
+                mbedtls_ssl_conf_own_cert(&_conf, &_cert, &_pkey);
+            }
         }
 
         if (mbedtls_ssl_setup(&_ssl, &_conf) != 0)

ixwebsocket/IXSocketMbedTLS.h

@@ -45,6 +45,7 @@ namespace ix
         mbedtls_ctr_drbg_context _ctr_drbg;
         mbedtls_x509_crt _cacert;
         mbedtls_x509_crt _cert;
+        mbedtls_pk_context _pkey;
 
         std::mutex _mutex;
         SocketTLSOptions _tlsOptions;

ixwebsocket/IXSocketTLSOptions.cpp

@@ -8,6 +8,7 @@
 
 #include <assert.h>
 #include <fstream>
+#include <sstream>
 
 namespace ix
 {
@@ -71,4 +72,15 @@ namespace ix
     {
         return _errMsg;
     }
+
+    std::string SocketTLSOptions::getDescription() const
+    {
+        std::stringstream ss;
+        ss << "TLS Options:" << std::endl;
+        ss << "  certFile = " << certFile << std::endl;
+        ss << "  keyFile  = " << keyFile << std::endl;
+        ss << "  caFile   = " << caFile << std::endl;
+        ss << "  ciphers  = " << ciphers << std::endl;
+        return ss.str();
+    }
 } // namespace ix

ixwebsocket/IXSocketTLSOptions.h

@@ -43,6 +43,8 @@ namespace ix
 
         const std::string& getErrorMsg() const;
 
+        std::string getDescription() const;
+
     private:
         mutable std::string _errMsg;
         mutable bool _validated = false;

ixwebsocket/IXWebSocketVersion.h

@@ -6,4 +6,4 @@
 
 #pragma once
 
-#define IX_WEBSOCKET_VERSION "7.5.8"
+#define IX_WEBSOCKET_VERSION "7.6.3"

ws/ws_proxy_server.cpp

@@ -61,7 +61,7 @@ namespace ix
 
             // Server connection
             state->webSocket().setOnMessageCallback([webSocket, state, verbose](
-                                                        const WebSocketMessagePtr& msg) {
+                                                     const WebSocketMessagePtr& msg) {
                 if (msg->type == ix::WebSocketMessageType::Open)
                 {
                     std::cerr << "New connection" << std::endl;
@@ -120,6 +120,7 @@ namespace ix
                     std::string url(remoteUrl);
                     url += msg->openInfo.uri;
                     state->webSocket().setUrl(url);
+                    state->webSocket().disableAutomaticReconnection();
                     state->webSocket().start();
 
                     // we should sleep here for a bit until we've established the