b64_pton and b64_ntop functions are not portable and cannot be found in
all C library implementations (e.g. uClibc, musl).

Since c-websockify already has an explicit dependency on openssl it can be
used to replace b64_pton/ntop with versions that are portable without
introducing too much additional code or dependencies.

Instead of a single certificate in one file it is sometimes customary to
chain multiple certificates into the same file. This is common practice
for CAs like letsencrypt that are providing intermediate certificates.

This patch switches loading of only one certificate to loading the whole
chain of certificates.

The effects can be seen with e.g. the following command:

    openssl s_client -showcerts -connect websockify-hostname:8080

Before the change the verify fails:

    Certificate chain
     0 s:/CN=websockify-hostname
       i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

After the change the verify passes:

    Certificate chain
     0 s:/CN=websockify-hostname
       i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
     1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
       i:/O=Digital Signature Trust Co./CN=DST Root CA X3

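
The check below is an added example, not code from this commit or from the websockify project: it counts the certificates in a PEM file so an operator can confirm the intermediates are present, and models the difference described above between a loader that reads one certificate and one that reads the whole chain. The function names and the PEM bundle are constructed for illustration; the base64 bodies are placeholders, not real certificates.

```c
#include <stdio.h>
#include <string.h>

#define PEM_BEGIN "-----BEGIN CERTIFICATE-----"
#define PEM_END   "-----END CERTIFICATE-----"

/* Returns the number of well-formed CERTIFICATE blocks in a NUL-terminated
 * PEM buffer, or -1 if a block is unterminated, nested, or empty. */
int pem_count_certs(const char *pem)
{
    int count = 0, in_block = 0, body_lines = 0;
    const char *line = pem;

    while (*line) {
        size_t len = strcspn(line, "\r\n");
        if (len == sizeof(PEM_BEGIN) - 1 && !strncmp(line, PEM_BEGIN, len)) {
            if (in_block) return -1;            /* BEGIN inside a block */
            in_block = 1; body_lines = 0;
        } else if (len == sizeof(PEM_END) - 1 && !strncmp(line, PEM_END, len)) {
            if (!in_block || body_lines == 0) return -1;
            in_block = 0; count++;
        } else if (in_block && len > 0) {
            body_lines++;                       /* base64 payload line */
        }
        line += len + strspn(line + len, "\r\n");
    }
    return in_block ? -1 : count;
}

/* Certificates a server would present from this file: a loader that reads
 * one certificate sends only the leaf, a chain loader sends all of them. */
int certs_presented(const char *pem, int loads_chain)
{
    int n = pem_count_certs(pem);
    if (n <= 0) return n;
    return loads_chain ? n : 1;
}

/* Constructed bundle: leaf followed by one intermediate (placeholder bodies). */
static const char BUNDLE[] =
    PEM_BEGIN "\nTEVBRi1QTEFDRUhPTERFUg==\n" PEM_END "\n"
    PEM_BEGIN "\nSU5URVJNRURJQVRFLVBMQUNFSE9MREVS\n" PEM_END "\n";

int main(void)
{
    printf("single-certificate loader presents: %d\n", certs_presented(BUNDLE, 0));
    printf("chain loader presents: %d\n", certs_presented(BUNDLE, 1));
    return 0;
}
```
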
It's probably broken and it's definitely still messy in several ways,
but basic tests work with Chrome.

Several other C websockify cleanups:

- Remove most of the non-thread-safe global variable usage (still
  a little bit that could be fixed so that threading would be easier).
- Remove wswrapper. It is unmaintained, out of date, and never worked
  well anyways (since it really needed a way to do asynchronous queued
  work but it was running in another process context making that
  hard).
- Use md5 routines from openssl.
- Remove md5.c and md5.h since no longer needed.

Thanks to https://github.com/dew111 for spurring me on to get this
done by writing code. I didn't end up using much of his forked code, but
having something there goaded me enough to just get it working.