GNU libmicrohttpd with client TLS allows empty certificate

Problem description

I am using GNU libmicrohttpd to set up an HTTPS server. My requirement is that the server and the client both authenticate during the TLS handshake; however, what I observe is that even if the client sends an empty certificate, the connection is accepted.

In Wireshark I see that the server requests a certificate and the client sends a certificate with length 0. How do I make microhttpd not accept that case? The certificate must always be verified against the provided CA PEM.

if (!(server_handle = MHD_start_daemon(flags, port, NULL, NULL,
        &mhttpd_layer::access_handler_callback, callback_data,
        // now, continue with the options
        MHD_OPTION_NOTIFY_COMPLETED, &mhttpd_layer::request_completed_callback, l_callback_data,
        MHD_OPTION_SOCK_ADDR, (sockaddr*) &(it->addr),
        MHD_OPTION_CONNECTION_TIMEOUT, it->conn_timeout,
        MHD_OPTION_CONNECTION_LIMIT, it->conn_limit,
        MHD_OPTION_PER_IP_CONNECTION_LIMIT, it->per_ip_conn_limit,
        // HTTPS certificate options
        MHD_OPTION_HTTPS_MEM_KEY, it->https_key_buff.data(),
        MHD_OPTION_HTTPS_MEM_CERT, it->https_cert_buff.data(),
        MHD_OPTION_HTTPS_MEM_TRUST, it->https_turst_ca_buff.data(),
        MHD_OPTION_END)))

Maybe I should manually retrieve the certificate in the access callback, as described in their tutorial (https://www.gnu.org/software/libmicrohttpd/tutorial.html#Adding-a-layer-of-security)? In that case, why do I provide the CA at all? This doesn't seem like the proper way to me.

Tags: c++, c, ssl, httpserver, client-certificates
