Merge pull request #1062 from ilsalvopss/master
WebSocket: allow clients to provide a TLS certificate
paullouisageneau authored Dec 1, 2023
2 parents fa3aa01 + 9167c31 commit a721f3a
Showing 4 changed files with 26 additions and 6 deletions.
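--- a/include/rtc/websocket.hpp
+++ b/include/rtc/websocket.hpp
@@ -40,6 +40,9 @@ class RTC_CPP_EXPORT WebSocket final : private CheshireCat<impl::WebSocket>, pub
 optional<std::chrono::milliseconds> pingInterval; // zero to disable
 optional<int> maxOutstandingPings;
 optional<string> caCertificatePemFile;
+optional<string> certificatePemFile;
+optional<string> keyPemFile;
+optional<string> keyPemPass;
 };
 
 WebSocket();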
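Review bot: The three new Configuration fields carry no comment, while the neighbouring pingInterval does, and nothing at the public API tells a caller that certificatePemFile and keyPemFile are only meaningful together (the implementation in src/impl/websocket.cpp throws std::invalid_argument when a certificate file is given without a key file). I would annotate them in place: `optional<string> certificatePemFile; // client certificate (PEM); must be set together with keyPemFile`, `optional<string> keyPemFile; // private key (PEM) matching certificatePemFile`, `optional<string> keyPemPass; // passphrase for keyPemFile; treated as empty when unset`. Because keyPemPass sits as a plain string inside a configuration object that is copied into the WebSocket, the comment is also the place to say that the caller owns the lifetime of that copy.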
10 changes: 6 additions & 4 deletions src/impl/tlstransport.cpp
Expand Up @@ -592,14 +592,16 @@ TlsTransport::TlsTransport(variant<shared_ptr<TcpTransport>, shared_ptr<HttpProx
SSL_CTX_set_options(mCtx, SSL_OP_SINGLE_ECDH_USE);
#endif

if(mIsClient) {
if (!SSL_CTX_set_default_verify_paths(mCtx)) {
PLOG_WARNING << "SSL root CA certificates unavailable";
}
}

if (certificate) {
auto [x509, pkey] = certificate->credentials();
SSL_CTX_use_certificate(mCtx, x509);
SSL_CTX_use_PrivateKey(mCtx, pkey);
} else {
if (!SSL_CTX_set_default_verify_paths(mCtx)) {
PLOG_WARNING << "SSL root CA certificates unavailable";
}
}

SSL_CTX_set_options(mCtx, SSL_OP_NO_SSLv3 | SSL_OP_NO_RENEGOTIATION);
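Review bot: A client that supplies a certificate now skips SSL_CTX_set_default_verify_paths, because the new `if (certificate) … else` makes loading the local credential and loading the system trust store mutually exclusive, whereas the removed `if(mIsClient)` block ran the latter for every client. With this commit a WebSocket client configured with certificatePemFile has no root CAs unless something outside this hunk installs them (caCertificatePemFile handling is not visible here), so depending on the verify mode set elsewhere in the constructor server verification either fails or is not performed at all; the two concerns should stay independent. The return values of SSL_CTX_use_certificate and SSL_CTX_use_PrivateKey are also ignored, and a certificate/key mismatch would only be caught by SSL_CTX_check_private_key, which is not called. TlsTransport's constructor starts and ends outside the hunk, so whether throwing is its existing failure convention and whether mCtx is released on that path needs checking against the surrounding code.
```cpp
    if (certificate) {
        auto [x509, pkey] = certificate->credentials();
        if (!SSL_CTX_use_certificate(mCtx, x509) || !SSL_CTX_use_PrivateKey(mCtx, pkey) ||
            !SSL_CTX_check_private_key(mCtx))
            throw std::runtime_error("Unable to load TLS certificate and private key");
    }

    // Trust anchors are needed by every client, whether or not it presents a certificate
    if (mIsClient) {
        if (!SSL_CTX_set_default_verify_paths(mCtx)) {
            PLOG_WARNING << "SSL root CA certificates unavailable";
        }
    }

    SSL_CTX_set_options(mCtx, SSL_OP_NO_SSLv3 | SSL_OP_NO_RENEGOTIATION);
    // … unchanged: rest of the constructor …
```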
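--- a/src/impl/websocket.cpp
+++ b/src/impl/websocket.cpp
@@ -36,8 +36,8 @@ using std::chrono::milliseconds;
 
 WebSocket::WebSocket(optional<Configuration> optConfig, certificate_ptr certificate)
 : config(optConfig ? std::move(*optConfig) : Configuration()),
-mCertificate(std::move(certificate)), mIsSecure(mCertificate != nullptr),
-mRecvQueue(RECV_QUEUE_LIMIT, message_size_func) {
+mCertificate(certificate ? std::move(certificate) : std::move(loadCertificate(config))),
+mIsSecure(mCertificate != nullptr), mRecvQueue(RECV_QUEUE_LIMIT, message_size_func) {
 PLOG_VERBOSE << "Creating WebSocket";
 if (config.proxyServer) {
 if (config.proxyServer->type == ProxyServer::Type::Socks5)
@@ -49,6 +49,19 @@ WebSocket::WebSocket(optional<Configuration> optConfig, certificate_ptr certific
 }
 }
 
+certificate_ptr WebSocket::loadCertificate(const Configuration& config) {
+if (!config.certificatePemFile)
+return nullptr;
+
+if (config.keyPemFile)
+return std::make_shared<Certificate>(
+Certificate::FromFile(*config.certificatePemFile, *config.keyPemFile,
+config.keyPemPass.value_or("")));
+
+throw std::invalid_argument(
+"Either none or both certificate and key PEM files must be specified");
+}
+
 WebSocket::~WebSocket() { PLOG_VERBOSE << "Destroying WebSocket"; }
 
 void WebSocket::open(const string &url) {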
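Review bot: loadCertificate rejects a certificate file without a key file, but the inverse combination passes silently: when certificatePemFile is unset the first check returns nullptr before keyPemFile is ever looked at, so a configuration carrying only keyPemFile (and possibly keyPemPass) yields an unsecured client although the error message promises that "either none or both" are accepted. Change the guard to `if (!config.certificatePemFile && !config.keyPemFile) return nullptr;` and the success path to `if (config.certificatePemFile && config.keyPemFile)`, leaving the throw to cover both partial cases. In the first hunk, `std::move(loadCertificate(config))` wraps a prvalue and can be plain `loadCertificate(config)`; that initializer also relies on `config` being declared before `mCertificate` in the class, which the header hunk does not show. A loaded certificate makes mIsSecure true (first hunk), and what that flag drives lies outside these hunks, so a one-line comment on loadCertificate saying that a configured PEM pair is what turns a client into a secure one would help the next reader.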
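--- a/src/impl/websocket.hpp
+++ b/src/impl/websocket.hpp
@@ -67,6 +67,8 @@ struct WebSocket final : public Channel, public std::enable_shared_from_this<Web
 std::atomic<State> state = State::Closed;
 
 private:
+static certificate_ptr loadCertificate(const Configuration& config);
+
 void scheduleConnectionTimeout();
 
 const init_token mInitToken = Init::Instance().token();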
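Review bot: The new loadCertificate declaration has no comment, and its contract (nullptr when no certificate file is configured, a Certificate built from the PEM files otherwise, std::invalid_argument when certificatePemFile is set without keyPemFile) can only be learned from the definition in src/impl/websocket.cpp. I would add above it `// Builds the Certificate named by config.certificatePemFile/keyPemFile; nullptr when no certificate file is set; throws std::invalid_argument if the key file is missing`. The enclosing struct WebSocket starts and ends outside the hunk.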
