Home Explore Help
Sign In
cpp
/
cpp-httplib
mirror of https://github.com/tazdij/cpp-httplib.git
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

server-side support for client certificates

PixlRainbow 6 years ago
parent
48af26e332
commit
d630c116df
1 changed files with 21 additions and 4 deletions
Split View Show Diff Stats
  1. 21 4
      httplib.h

+ 21 - 4
httplib.h
View File 

@@ -374,7 +374,7 @@ private:
 
 
 class SSLServer : public Server {
 
 public:
 
-  SSLServer(const char *cert_path, const char *private_key_path);
 
+  SSLServer(const char *cert_path, const char *private_key_path, const char *client_cert_path);
 
 
   virtual ~SSLServer();
 
 
@@ -385,6 +385,7 @@ private:
 
 
   SSL_CTX *ctx_;
 
   std::mutex ctx_mutex_;
 
+  const char *client_cert_path_;
 
 };
 
 
 class SSLClient : public Client {
 
@@ -2228,7 +2229,8 @@ read_and_close_socket_ssl(socket_t sock, size_t keep_alive_max_count,
 
                           // TODO: OpenSSL 1.0.2 occasionally crashes...
 
                           // The upcoming 1.1.0 is going to be thread safe.
 
                           SSL_CTX *ctx, std::mutex &ctx_mutex,
 
-                          U SSL_connect_or_accept, V setup, T callback) {
 
+                          U SSL_connect_or_accept, V setup, T callback,
 
+                          const char* client_cert_path = nullptr) {
 
   SSL *ssl = nullptr;
 
   {
 
     std::lock_guard<std::mutex> guard(ctx_mutex);
 
@@ -2254,6 +2256,13 @@ read_and_close_socket_ssl(socket_t sock, size_t keep_alive_max_count,
 
     return false;
 
   }
 
 
+  if(client_cert_path){
 
+    STACK_OF(X509_NAME)* list;
 
+    list = SSL_load_client_CA_file(client_cert_path);
 
+    SSL_set_client_CA_list(ssl, list);
 
+    SSL_CTX_load_verify_locations(ctx,client_cert_path,nullptr);
 
+  }
 
+
 
   bool ret = false;
 
 
   if (SSL_connect_or_accept(ssl) == 1) {
 
@@ -2327,7 +2336,9 @@ inline std::string SSLSocketStream::get_remote_addr() const {
 
 
 // SSL HTTP server implementation
 
 inline SSLServer::SSLServer(const char *cert_path,
 
-                            const char *private_key_path) {
 
+                            const char *private_key_path,
 
+                            const char *client_cert_path = nullptr)
 
+  : client_cert_path_(client_cert_path){
 
   ctx_ = SSL_CTX_new(SSLv23_server_method());
 
 
   if (ctx_) {
 
@@ -2345,6 +2356,11 @@ inline SSLServer::SSLServer(const char *cert_path,
 
             1) {
 
       SSL_CTX_free(ctx_);
 
       ctx_ = nullptr;
 
+    } else if(client_cert_path_) {
 
+      SSL_CTX_set_verify(ctx_,
 
+        SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, //SSL_VERIFY_CLIENT_ONCE,
 
+        nullptr
 
+      );
 
     }
 
   }
 
 }
 
@@ -2361,7 +2377,8 @@ inline bool SSLServer::read_and_close_socket(socket_t sock) {
 
       [](SSL * /*ssl*/) { return true; },
 
       [this](Stream &strm, bool last_connection, bool &connection_close) {
 
         return process_request(strm, last_connection, connection_close);
 
-      });
 
+      },
 
+      client_cert_path_);
 
 }
 
 
 // SSL HTTP client implementation