Fix websockets listeners not verifying client certs.

When using a TLS enabled websockets listener with "require_certificate" enabled, the mosquitto broker does not correctly verify client certificates. This is now fixed. All other security measures operate as expected, and in particular non-websockets listeners are not affected by this. Closes #996. Thanks to creising.
7 years ago · b54e379fba
parent 71b8c4d892
commit b54e379fba
2 changed files with 15 additions and 1 deletions
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@ -1,6 +1,12 @@
-1.5.4 - 201810xx
+1.5.4 - 20181108
 ================

+Security:
+- When using a TLS enabled websockets listener with "require_certificate"
+  enabled, the mosquitto broker does not correctly verify client certificates.
+  This is now fixed. All other security measures operate as expected, and in
+  particular non-websockets listeners are not affected by this. Closes #996.
+
 Broker:
 - Process all pending messages even when a client has disconnected. This means
  a client that send a PUBLISH then DISCONNECT quickly, then disconnects will
--- a/src/websockets.c
+++ b/src/websockets.c
@ -665,6 +665,14 @@ static int callback_http(struct libwebsocket_context *context,
 			}
 			break;

+#ifdef WITH_TLS
+		case LWS_CALLBACK_OPENSSL_PERFORM_CLIENT_CERT_VERIFICATION:
+			if(!len || (SSL_get_verify_result((SSL*)in) != X509_V_OK)){
+				return 1;
+			}
+			break;
+#endif
+
 		default:
 			return 0;
 	}