GitHub user mike-jumper opened a pull request:

    https://github.com/apache/guacamole-server/pull/192

    GUACAMOLE-623: Fix build against older libwebsockets.

    The build is currently broken on CentOS 7 with EPEL, where libwebsockets
    is available but at version 1.7.5. Several differences are in play which
    needed to be addressed here:

    * SSL client initialization flags do not exist. Instead, a set of
      documented integer values is used for no SSL (0), SSL with verification
      of certificate (1), and SSL which allows self-signed certificates (2).
      The latter is unfortunately very specific to self-signed certificates,
      leading to verification failures in other cases - more on that below.
    * The `lws_callback_http_dummy()` function which must be invoked within
      the event callback to perform some sort of housekeeping tasks internal
      to libwebsockets is not defined. The event callback is instead expected
      to simply return 0.
    * The `pwsi` member of the `lws_client_connect_info` structure does not
      exist. This can safely be removed - our original purpose for using it,
      exposing the `guac_client` to the event callback, no longer exists as
      the `guac_client` is exposed through a static variable instead.
    * The SSL verification of server certificates is explicitly bypassed if
      requested, but the error result is still checked in all cases and still
      fails the connection for all but extremely specific verification errors
      related to self-signed certificates. This is addressed through
      neutering the certificate verification entirely when `ignore_cert` is
      set, rather than just asking nicely.
    * Older libwebsockets will not fire `LWS_CALLBACK_CLOSED` events under
      some circumstances, instead only firing `LWS_CALLBACK_WSI_DESTROY` for
      the destruction of the WebSocket structure. Both need to be handled for
      the connection to close cleanly in all cases.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/mike-jumper/guacamole-server fix-old-libwebsockets

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/guacamole-server/pull/192.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #192
    
----
commit d8618b0682e69ca5c99f0608368f21188d16fce3
Author: Michael Jumper <mjumper@...>
Date:   2018-09-27T04:50:19Z

    GUACAMOLE-623: Support older libwebsockets SSL initialization.

commit b48a1b3a5d15e6c95fa64222342033eb584dc0a3
Author: Michael Jumper <mjumper@...>
Date:   2018-09-27T04:51:07Z

    GUACAMOLE-623: Use libwebsockets' dummy callback only if defined.

commit 7ee624844a2ef577bfd5af6c9559919e1ba77846
Author: Michael Jumper <mjumper@...>
Date:   2018-09-27T04:51:46Z

    GUACAMOLE-623: Remove unnecessary initialization of pwsi.
    
    The pwsi member was previously used to ensure the lws structure was made
    available to invocations of the event callback early in the connection
    lifecycle such that the underlying guac_client could always be retrieved.
    Since the migration to guac_kubernetes_lws_current_client, this is not
    necessary, and isn't supported in older versions of libwebsockets
    anyway.

commit 44d3433ea92de6de7d127f93335c0a5be47c735c
Author: Michael Jumper <mjumper@...>
Date:   2018-09-27T05:01:43Z

    GUACAMOLE-623: Explicitly bypass certificate checks if requested.
    
    For older versions of libwebsockets, simply requesting that OpenSSL
    ignore the verification result is insufficient, as libwebsockets
    manually checks and confirms the verification result, producing an error
    in all but specific cases.

commit 9c593bde89891522324fe84034e4a9bd415aae2c
Author: Michael Jumper <mjumper@...>
Date:   2018-09-27T05:30:08Z

    GUACAMOLE-623: Kill connection if libwebsockets is destroying the underlying WebSocket.
    
    Older versions of libwebsockets will not necessarily invoke close events
    under all circumstances, and will instead sometimes summarily destroy
    the WebSocket. Thankfully there is another event for that, and newer
    versions of libwebsockets continue to define that event. We can hook
    into both to handle disconnect.

----
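
The last commit hooks into both `LWS_CALLBACK_CLOSED` and `LWS_CALLBACK_WSI_DESTROY`, so the teardown path has to tolerate seeing only the destroy event or both events for one connection. The C model below is an added example, not code from the pull request or from libwebsockets; it assumes a library version may deliver both events for the same connection, and `conn`, `conn_stop`, `on_event`, `replay` and the `EV_*` constants are hypothetical stand-ins.

```c
#include <stdio.h>

/* Stand-ins for the libwebsockets callback reasons named in the PR
 * (LWS_CALLBACK_CLOSED, LWS_CALLBACK_WSI_DESTROY). The numeric values are
 * constructed for this example and are not the library's. */
enum ev_reason { EV_ESTABLISHED, EV_RECEIVE, EV_CLOSED, EV_WSI_DESTROY };

/* Hypothetical per-connection state. */
struct conn {
    int stopped;        /* set once teardown has run */
    int teardown_calls; /* how many times teardown actually executed */
};

/* Tear the connection down at most once, however many events ask for it. */
static void conn_stop(struct conn *c) {
    if (c->stopped)
        return;
    c->stopped = 1;
    c->teardown_calls++;
}

/* Event callback: both close-type events funnel into the same teardown.
 * Every other event simply returns 0, as the older library expects. */
static int on_event(struct conn *c, enum ev_reason reason) {
    switch (reason) {
        case EV_CLOSED:
        case EV_WSI_DESTROY:
            conn_stop(c);
            break;
        default:
            break;
    }
    return 0;
}

/* Replay a constructed event sequence; return how many times teardown ran. */
int replay(const enum ev_reason *events, int count) {
    struct conn c = { 0, 0 };
    for (int i = 0; i < count; i++)
        on_event(&c, events[i]);
    return c.teardown_calls;
}

int main(void) {
    enum ev_reason destroy_only[] = { EV_ESTABLISHED, EV_RECEIVE, EV_WSI_DESTROY };
    enum ev_reason both[] = { EV_ESTABLISHED, EV_CLOSED, EV_WSI_DESTROY };
    printf("destroy only: %d, closed then destroy: %d\n",
           replay(destroy_only, 3), replay(both, 3));
    return 0;
}
```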

