tls: mbedtls: append PEM chain certs to leaf so full chain is sent on the wire by precla · Pull Request #3588 · warmcat/libwebsockets

precla · 2026-05-13T12:51:16Z

issue

Certificate chain within one PEM file is not handled properly when using mbedtls as backend

steps to reproduce:

Link example main.c against static library 'build/lib/libwebsockets.a.':

main.c

#include <libwebsockets.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>

static int interrupted;
static int callback_count;

static int
callback_http(struct lws *wsi, enum lws_callback_reasons reason,
	      void *user, void *in, size_t len)
{
	switch (reason) {
	case LWS_CALLBACK_FILTER_PROTOCOL_CONNECTION:
		lwsl_notice("Connection filter\n");
		break;
	case LWS_CALLBACK_ESTABLISHED:
		lwsl_notice("Client connected\n");
		callback_count++;
		break;
	case LWS_CALLBACK_CLOSED:
		lwsl_notice("Client disconnected\n");
		break;
	case LWS_CALLBACK_HTTP:
		lwsl_notice("HTTP request: %s\n", in ? (char *)in : "(null)");
		lws_return_http_status(wsi, 200, NULL);
		return -1;
	default:
		break;
	}

	return 0;
}

static const struct lws_protocols protocols[] = {
	{ "http-only", callback_http, 0, 0, 0, NULL, 0 },
	LWS_PROTOCOL_LIST_TERM
};

#if !defined(WIN32)
static void
sigint_handler(int sig)
{
	(void)sig;
	interrupted = 1;
}
#endif

int main(int argc, const char **argv)
{
	struct lws_context_creation_info info;
	struct lws_context *context;
	const char *p;
	int n = 0;

#if !defined(WIN32)
	signal(SIGINT, sigint_handler);
#endif

	memset(&info, 0, sizeof info);

	info.port = 7681;
	if ((p = lws_cmdline_option(argc, argv, "--port")))
		info.port = atoi(p);

	info.protocols = protocols;
	info.options = LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT;

	info.ssl_cert_filepath = lws_cmdline_option(argc, argv, "--cert");
	info.ssl_private_key_filepath = lws_cmdline_option(argc, argv, "--key");

	if (!info.ssl_cert_filepath)
		info.ssl_cert_filepath = "full_chain.pem";
	if (!info.ssl_private_key_filepath)
		info.ssl_private_key_filepath = "full_chain.key";

	lwsl_user("TLS chain cert test server | https://localhost:%d\n", info.port);
	lwsl_user("Run: openssl s_client -connect localhost:%d -showcerts\n", info.port);
	lws_set_log_level(LLL_NOTICE | LLL_INFO | LLL_ERR, NULL);

	context = lws_create_context(&info);
	if (!context) {
		lwsl_err("lws_create_context failed\n");
		return 1;
	}

	while (n >= 0 && !interrupted)
		n = lws_service(context, 100);

	lws_context_destroy(context);

	return 0;
}

gcc -o test-chain main.c -I../include -I../build/include -L../build/lib -lwebsockets -lpthread -Wl,-rpath,../build/lib

save the following certificates:

full_chain.key

full_chain.pem

run the binary and test certificate:

test-chain can be run with following arguments:
"--cert" for the .pem file, default file is full_chain.pem
"--key" for the .key file, default file is full_chain.key
"--port" for a custom port, default port is 7681

libwebsocket with mbedtls <= 4.3.10:

openssl s_client -connect localhost:7681 -servername localhost:7681 -showcerts </dev/null 2>/dev/null | grep -E "^( [0-9]|s:|i:)"
 0 s:CN=myapp.local

^ certificate chain is not loaded.

libwebsocket with mbedtls == 4.3.10 + this patch:

openssl s_client -connect localhost:7681 -servername localhost:7681 -showcerts </dev/null 2>/dev/null | grep -E "^( [0-9]|s:|i:)"
 0 s:CN=myapp.local
 1 s:CN=My Custom Intermediate CA
 2 s:CN=My Custom Root CA

^ certificate chain is loaded.

NOTE

i couldn't get the libwebsocket from main branch to load the certificate when mbedtls is used as the backend. so i tested only with v4.3.10 + patch.

I get the following errors when using main branch and the provided .pem + .key file with mbedtls as backend. (same if i use this patch or if i don't use the patch):

E: lws_b64_decode_stateful: non = after =
E: lws_tls_alloc_pem_to_der_file: base64 pem decode failed
E: couldn't load cert file full_chain.pem
E: [vh|2|default||7681]: lws_create_vhost: lws_context_init_server_ssl failed
I: [vh|2|default||7681]: lws_vhost_destroy1: 
I: [vh|2|default||7681]: lws_vhost_destroy: count_bound_wsi 0
I: __lws_lc_untag:  -- [vh|2|default||7681] (2) 2.204ms
E: lws_create_context: Failed to create default vhost

with main + openssl it works fine, same for 4.3.10 + openssl.

Co-developed-by: Opus 4.7

My infrastructure switched to using 6-day LE certs, these in turn switched from the ISRG X1 root CA to their YR CA. After testing I realized this had updated warmcat.com to use 4096-bit RSA, which the ESP32 is too slow to cope with. So I switched again to EC-256 which uses their X2 CA; this patch now switches all the related lws examples to also trust that.

precla · 2026-05-14T07:10:44Z

@lws-team i see that this has been merged in main. shall we close this PR now?

bdd3b9f

lws-team added 30 commits May 6, 2026 12:41

Refresh of certs-update-to-trusting-isrg

e54a2ee

cancel-fixes

8ce0999

smd: fix build if disabled

d6a58c8

h2-let-encapsulated-ws-do-pings

2c26171

dnessc-monitor: distribution

f7ec832

debug daemon start

479bf00

dht: reduce log spew

c6ba23d

dht:sweep

5828d20

Refresh of h2-let-encapsulated-ws-do

8d04c81

dht: increase limits

9f21aea

openssl: remove fixes teardown

96a3f83

logging-cleanup

bf3d6fd

lws-proxy: ws proxy can handle duplex

c5ade8f

ssstress-warmcat: improve valgrind

4e75d52

meddles

5b40241

tls: ca pki apis

b57dc0d

r4

9616690

spawn: isolate plugins

3a46bc9

dnssec-monitor: improvements

943d5a4

authentication digest: allow keepalive reuse

fd59f10

gc9a01a

e3bb025

rebound

322b685

plugins: READMEs

86e1158

CID 909762: NEGATIVE_RETURNS

e7acd59

CID 909761: REVERSE_INULL

b5f45e3

CID 909760: CHECKED_RETURN

3c6e7e2

CID 909759: FORWARD_NULL

41eaaa9

CID 909756: DEADCODE

12a660b

CID 909755: CHECKED_RETURN

d368ebb

lws-team force-pushed the main branch 2 times, most recently from 36b13c7 to a54bc50 Compare May 14, 2026 06:25

lws-team force-pushed the main branch 18 times, most recently from 8e57b3d to a686094 Compare May 20, 2026 15:08

lws-team force-pushed the main branch 9 times, most recently from a2e93a1 to eb5ee93 Compare May 30, 2026 08:05

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

tls: mbedtls: append PEM chain certs to leaf so full chain is sent on the wire#3588

tls: mbedtls: append PEM chain certs to leaf so full chain is sent on the wire#3588
precla wants to merge 32 commits into
warmcat:mainfrom
precla:cert_chain_fix

precla commented May 13, 2026 •

edited

Loading

Uh oh!

precla commented May 14, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

precla commented May 13, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

issue

steps to reproduce:

Link example main.c against static library 'build/lib/libwebsockets.a.':

run the binary and test certificate:

NOTE

Uh oh!

precla commented May 14, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

precla commented May 13, 2026 •

edited

Loading