
Commit 2a429d7

committed
Allow setting CA certificate during TLS connection (Fixed #1007)
1 parent 67e081f commit 2a429d7


4 files changed

+37
-4
lines changed


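--- a/include/rtc/websocket.hpp
+++ b/include/rtc/websocket.hpp
@@ -39,6 +39,7 @@ class RTC_CPP_EXPORT WebSocket final : private CheshireCat<impl::WebSocket>, pub
 optional<std::chrono::milliseconds> connectionTimeout; // zero to disable
 optional<std::chrono::milliseconds> pingInterval; // zero to disable
 optional<int> maxOutstandingPings;
+optional<string> caCertificatePemFile;
 };
 
 WebSocket();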
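Review bot: The new `caCertificatePemFile` field is the only option in this struct without a trailing comment, and its name understates its contract: in src/impl/verifiedtlstransport.cpp of this commit the value is treated as inline PEM content when it contains the BEGIN CERTIFICATE tag and as a file path otherwise, and it is only honored in the MbedTLS branch. A user reading the header alone cannot tell that under GnuTLS or OpenSSL the setting has no effect on verification. I would document that here, e.g. `optional<string> caCertificatePemFile; // file path or PEM content; used only with the MbedTLS backend`. The enclosing configuration struct and WebSocket class continue outside the hunk.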

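--- a/src/impl/verifiedtlstransport.cpp
+++ b/src/impl/verifiedtlstransport.cpp
@@ -13,9 +13,11 @@
 
 namespace rtc::impl {
 
+static const string PemBeginCertificateTag = "-----BEGIN CERTIFICATE-----";
+
 VerifiedTlsTransport::VerifiedTlsTransport(
 variant<shared_ptr<TcpTransport>, shared_ptr<HttpProxyTransport>> lower, string host,
-certificate_ptr certificate, state_callback callback)
+certificate_ptr certificate, state_callback callback, [[maybe_unused]] optional<string> cacert)
 : TlsTransport(std::move(lower), std::move(host), std::move(certificate), std::move(callback)) {
 
 PLOG_DEBUG << "Setting up TLS certificate verification";
@@ -24,13 +26,36 @@ VerifiedTlsTransport::VerifiedTlsTransport(
 gnutls_session_set_verify_cert(mSession, mHost->c_str(), 0);
 #elif USE_MBEDTLS
 mbedtls_ssl_conf_authmode(&mConf, MBEDTLS_SSL_VERIFY_REQUIRED);
+mbedtls_x509_crt_init(&mCaCert);
+try {
+if (cacert) {
+if (cacert->find(PemBeginCertificateTag) == string::npos) {
+// *cacert is a file path
+mbedtls::check(mbedtls_x509_crt_parse_file(&mCaCert, cacert->c_str()));
+} else {
+// *cacert is a PEM content
+mbedtls::check(mbedtls_x509_crt_parse(
+&mCaCert, reinterpret_cast<const unsigned char *>(cacert->c_str()),
+cacert->size()));
+}
+mbedtls_ssl_conf_ca_chain(&mConf, &mCaCert, NULL);
+}
+} catch (...) {
+mbedtls_x509_crt_free(&mCaCert);
+throw;
+}
 #else
 SSL_set_verify(mSsl, SSL_VERIFY_PEER, NULL);
 SSL_set_verify_depth(mSsl, 4);
 #endif
 }
 
-VerifiedTlsTransport::~VerifiedTlsTransport() { stop(); }
+VerifiedTlsTransport::~VerifiedTlsTransport() {
+stop();
+#if USE_MBEDTLS
+mbedtls_x509_crt_free(&mCaCert);
+#endif
+}
 
 } // namespace rtc::impl
 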
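Review bot: A caller-supplied CA certificate is silently ignored on the GnuTLS and OpenSSL paths: `cacert` is marked `[[maybe_unused]]` and only the `USE_MBEDTLS` branch reads it, so the `gnutls_session_set_verify_cert` and `SSL_set_verify` branches keep verifying against the default trust store while the caller believes verification is restricted to their CA. At minimum the unsupported backends should say so rather than accept the value quietly, e.g. in each of those two branches `if (cacert) PLOG_WARNING << "Custom CA certificate is not supported with this TLS backend";` — or refuse the connection, which is the safer default for a verification option. A second, hedged point: `mbedtls_x509_crt_parse` reports a partially parsed PEM bundle with a positive return value, so whether a bad certificate in the middle of the bundle is caught depends on whether `mbedtls::check` rejects positive results as well as negative ones; worth confirming, since a silently truncated chain can be presented as a successful configuration. The constructor whose body holds these branches begins in the first hunk of this file.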

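--- a/src/impl/verifiedtlstransport.hpp
+++ b/src/impl/verifiedtlstransport.hpp
@@ -18,8 +18,14 @@ namespace rtc::impl {
 class VerifiedTlsTransport final : public TlsTransport {
 public:
 VerifiedTlsTransport(variant<shared_ptr<TcpTransport>, shared_ptr<HttpProxyTransport>> lower,
-string host, certificate_ptr certificate, state_callback callback);
+string host, certificate_ptr certificate, state_callback callback,
+optional<string> cacert);
 ~VerifiedTlsTransport();
+
+private:
+#if USE_MBEDTLS
+mbedtls_x509_crt mCaCert;
+#endif
 };
 
 } // namespace rtc::impl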

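--- a/src/impl/websocket.cpp
+++ b/src/impl/websocket.cpp
@@ -358,7 +358,8 @@ shared_ptr<TlsTransport> WebSocket::initTlsTransport() {
 shared_ptr<TlsTransport> transport;
 if (verify)
 transport = std::make_shared<VerifiedTlsTransport>(lower, mHostname.value(),
-mCertificate, stateChangeCallback);
+mCertificate, stateChangeCallback,
+config.caCertificatePemFile);
 else
 transport =
 std::make_shared<TlsTransport>(lower, mHostname, mCertificate, stateChangeCallback);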
