libhv

Option to pass in-memory CA certificate for server verification with websocket client

Open ungive opened this issue 1 year ago • 1 comments

Verifying the websocket server's certificate requires a filename:

    // m_conn is a hv::WebSocketClient
    hssl_ctx_opt_t param{};
    param.endpoint = HSSL_CLIENT;
    param.verify_peer = 1;
    param.ca_file = "W:\\path\\to\\cert.pem";
    int tls_result = m_conn.withTLS(&param);

There does not seem to be an option to pass an in-memory certificate: https://github.com/ithewei/libhv/blob/8c67e056f63c6cb4f9476d5904bef5ef9f350f12/ssl/hssl.h#L39C1-L46C41

    typedef struct {
        const char* crt_file;
        const char* key_file;
        const char* ca_file;
        const char* ca_path;
        short       verify_peer;
        short       endpoint; // HSSL_SERVER / HSSL_CLIENT
    } hssl_ctx_opt_t, hssl_ctx_init_param_t;

The problem with passing a file name is that a client application that ships with a certificate (e.g. as an embedded Qt resource file) would have to save the certificate on disk before it can be used with libhv/openssl. This allows a user of the application to tamper with the certificate, which would render server verification useless.

My suggestion is to add more fields to hssl_ctx_opt_t to allow using an in-memory certificate (byte buffer).

Similar issue: https://stackoverflow.com/questions/5052563

ungive, Jul 11 '24 11:07


    #ifndef HSSL_H
    #define HSSL_H

    #include <stddef.h>

    #ifdef __cplusplus
    extern "C" {
    #endif

    #define HSSL_SERVER 0
    #define HSSL_CLIENT 1

    typedef struct {
        const char* crt_file;       // Path to certificate file
        const char* key_file;       // Path to private key file
        const char* ca_file;        // Path to CA certificate file
        const char* ca_path;        // Path to CA certificate directory
        const unsigned char* crt_buf; // In-memory certificate buffer
        size_t crt_buf_len;         // Length of in-memory certificate buffer
        const unsigned char* key_buf; // In-memory private key buffer
        size_t key_buf_len;         // Length of in-memory private key buffer
        const unsigned char* ca_buf;  // In-memory CA certificate buffer
        size_t ca_buf_len;          // Length of in-memory CA certificate buffer
        short       verify_peer;    // Verify peer certificate
        short       endpoint;       // HSSL_SERVER / HSSL_CLIENT
    } hssl_ctx_opt_t, hssl_ctx_init_param_t;

    #ifdef __cplusplus
    }
    #endif

    #endif // HSSL_H

ljluestc, Jan 26 '25 21:01