Skip to content

lws/mbedtls-client: Support loading default ca #3432

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
ThePassionate wants to merge 2 commits into from
Closed

lws/mbedtls-client: Support loading default ca #3432

ThePassionate wants to merge 2 commits into from
+170 −24

Conversation

@ThePassionate
Copy link
Contributor

@ThePassionate ThePassionate commented Jul 31, 2025

We used libwebsockets and found that mbedtls-client did not support loading the default certificate path. After careful observation, we found that openssl-client had a related implementation, so we made the following efforts to align the implementation between openssl-client and mbedtls-client.

  1. export openssl interfaces SSL_CTX_load_verify_file/SSL_CTX_load_verify_dir/SSL_CTX_load_verify_locations with mbedtls implementation
  2. aligned with openssl-client operations to support load default cert path

@ThePassionate
lws/mbedtls-client: aligned with openssl-client to load default ca path
b56623d 
The client based on mbedtls backend does not implement the loading certificate from the default path, but the client based on openssl backend does.
Signed-off-by: makejian <makejian@xiaomi.com>
@ThePassionate
lws/mbedtls: export Export SSL_CTX_load_verify series interfaces
fbb3e0c 
Support interfaces SSL_CTX_load_verify_file/SSL_CTX_load_verify_dir/SSL_CTX_load_verify_locations to align with openssl-client behavior
Signed-off-by: makejian <makejian@xiaomi.com>
@lws-team
Copy link
Member

lws-team commented Jul 31, 2025

Thanks, it's pushed on main and v4.4-stable.

@lws-team lws-team closed this Jul 31, 2025
@lws-team
Copy link
Member

lws-team commented Jul 31, 2025

This blew chunks in CI starting with

In file included from /home/agreen/projects/libwebsockets/lib/tls/mbedtls/wrapper/library/ssl_methods.c:17:
/home/agreen/projects/libwebsockets/lib/tls/mbedtls/wrapper/library/ssl_methods.c: In function ‘X509_method’:
/home/agreen/projects/libwebsockets/lib/tls/mbedtls/wrapper/library/ssl_methods.c:82:27: error: initialization of ‘int (*)(X509 *)’ {aka ‘int (*)(struct x509_st *)’} from incompatible pointer type ‘int (*)(X509 *, const char *)’ {aka ‘int (*)(struct x509_st *, const char *)’} [-Wincompatible-pointer-types]
   82 |             x509_pm_load, x509_pm_load_file,

This is against mbedtls-3.6.4

@ThePassionate
Copy link
Contributor Author

ThePassionate commented Jul 31, 2025

This blew chunks in CI starting with

In file included from /home/agreen/projects/libwebsockets/lib/tls/mbedtls/wrapper/library/ssl_methods.c:17:
/home/agreen/projects/libwebsockets/lib/tls/mbedtls/wrapper/library/ssl_methods.c: In function ‘X509_method’:
/home/agreen/projects/libwebsockets/lib/tls/mbedtls/wrapper/library/ssl_methods.c:82:27: error: initialization of ‘int (*)(X509 *)’ {aka ‘int (*)(struct x509_st *)’} from incompatible pointer type ‘int (*)(X509 *, const char *)’ {aka ‘int (*)(struct x509_st *, const char *)’} [-Wincompatible-pointer-types]
   82 |             x509_pm_load, x509_pm_load_file,

This is against mbedtls-3.6.4

how can i run CI?

@lws-team
Copy link
Member

lws-team commented Jul 31, 2025

You can see the results here

https://libwebsockets.org/sai/index.html?task=3a323ad55c8187ef599f4c2b89cd48e4ae50e412233b543ac8fd9905e226a0d3

The first part of that has more info on what it's building and how

@ThePassionate
Copy link
Contributor Author

ThePassionate commented Jul 31, 2025

You can see the results here

https://libwebsockets.org/sai/index.html?task=3a323ad55c8187ef599f4c2b89cd48e4ae50e412233b543ac8fd9905e226a0d3

The first part of that has more info on what it's building and how

ok, let me check

@ThePassionate ThePassionate mentioned this pull request Jul 31, 2025
Open
@ThePassionate
Copy link
Contributor Author

ThePassionate commented Jul 31, 2025
edited
Loading

@lws-team sorry i couldn‘t know how to run ci in local, but i find i miss a change in x509_method_st, which could invoke chunks in CI. I am so sorry about that, could you add this patch and run ci again?
#3434?

@ThePassionate
Copy link
Contributor Author

ThePassionate commented Jul 31, 2025

@lws-team or any other mistake in ci ?

@lws-team
Copy link
Member

lws-team commented Jul 31, 2025

I can't event build it locally on rocky 10 with rocky's mbedtls 3.6.4

It seems wrong level of indirection (this is with your extra patch)

/home/agreen/projects/libwebsockets/lib/tls/mbedtls/wrapper/platform/ssl_pm.c: In function ‘x509_pm_load_file’:
/home/agreen/projects/libwebsockets/lib/tls/mbedtls/wrapper/platform/ssl_pm.c:730:27: error: passing argument 1 of ‘mbedtls_x509_crt_free’ from incompatible pointer type [-Wincompatible-pointer-types]
  730 |     mbedtls_x509_crt_free(&x509_pm->x509_crt);
      |                           ^~~~~~~~~~~~~~~~~~
      |                           |
      |                           mbedtls_x509_crt **
In file included from /usr/include/mbedtls/ssl.h:35,
                 from /home/agreen/projects/libwebsockets/include/libwebsockets.h:310,
                 from /home/agreen/projects/libwebsockets/lib/core/./private-lib-core.h:150,
                 from /home/agreen/projects/libwebsockets/lib/tls/mbedtls/wrapper/platform/ssl_pm.c:15:
/usr/include/mbedtls/x509_crt.h:899:46: note: expected ‘mbedtls_x509_crt *’ but argument is of type ‘mbedtls_x509_crt **’
  899 | void mbedtls_x509_crt_free(mbedtls_x509_crt *crt);

@ThePassionate
Copy link
Contributor Author

ThePassionate commented Jul 31, 2025
edited
Loading

I can't event build it locally on rocky 10 with rocky's mbedtls 3.6.4

It seems wrong level of indirection (this is with your extra patch)

/home/agreen/projects/libwebsockets/lib/tls/mbedtls/wrapper/platform/ssl_pm.c: In function ‘x509_pm_load_file’:
/home/agreen/projects/libwebsockets/lib/tls/mbedtls/wrapper/platform/ssl_pm.c:730:27: error: passing argument 1 of ‘mbedtls_x509_crt_free’ from incompatible pointer type [-Wincompatible-pointer-types]
  730 |     mbedtls_x509_crt_free(&x509_pm->x509_crt);
      |                           ^~~~~~~~~~~~~~~~~~
      |                           |
      |                           mbedtls_x509_crt **
In file included from /usr/include/mbedtls/ssl.h:35,
                 from /home/agreen/projects/libwebsockets/include/libwebsockets.h:310,
                 from /home/agreen/projects/libwebsockets/lib/core/./private-lib-core.h:150,
                 from /home/agreen/projects/libwebsockets/lib/tls/mbedtls/wrapper/platform/ssl_pm.c:15:
/usr/include/mbedtls/x509_crt.h:899:46: note: expected ‘mbedtls_x509_crt *’ but argument is of type ‘mbedtls_x509_crt **’
  899 | void mbedtls_x509_crt_free(mbedtls_x509_crt *crt);

I get it. I optimized the x509 structure before, did not use pointer types because I thought that too much dynamic memory was not in line with the advantages of mbedtls. I will fix my patch to rebase community's implementation.

@ThePassionate
Copy link
Contributor Author

ThePassionate commented Jul 31, 2025

@lws-team I have pushed #3434 again

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ThePassionate @lws-team