mTLS support for websockets

[CoRfr]

Tested on Linux (Ubuntu 24.04)

When configured for client certificates with required_certificate true, capath and protocol websockets, mosquitto sends a TLSV1_ALERT_UNKNOWN_CA / SSL alert number 48 when a client initiates the connection with a certificate issued by a trusted CA (ie, a certificate issued by a CA whose certificate is present in the capath mosquitto option).

If the client doesn't provide a certificate, I encounter a TLSV13_ALERT_CERTIFICATE_REQUIRED as expected.

If I use protocol mqtt instead of protocol websockets, the connection works as expected.
I've also tried with an without an intermediate cert on the client side and that doesn't seem to change the outcome.

[CoRfr]

Sample configuration:

per_listener_settings true
connection_messages true
persistence false
max_queued_bytes 50000000
max_queued_messages 100000
listener 28842 127.0.0.1
protocol websockets
allow_anonymous true
allow_zero_length_clientid false
log_type all
tls_version tlsv1.3
certfile /tmp/mosquitto/server/chain.pem
keyfile /tmp/mosquitto/server/private.key
require_certificate true
use_subject_as_username true
capath /tmp/mosquitto/client/ca

Can be tested using openssl:

openssl s_client -host localhost \
                 -port 28842 \
                 -verifyCAfile /tmp/mosquitto/server/ca/cert.pem \
                 -cert /tmp/mosquitto/client/cert.pem \
                 -cert_chain /tmp/mosquitto/client/chain.pem \
                 -key /tmp/mosquitto/client/private.key

[CoRfr]

Turns out it works if cafile is provided instead of capath because of this in websockets.c:

src/websockets.c:	info.ssl_ca_filepath = listener->cafile;

[CoRfr]

This appears to be a limitation in libwebsockets. I created issue warmcat/libwebsockets#3276 on this topic.
At the moment, it doesn't appear that there is any other way to load trusted client CAs than through ssl_ca_filepath, which only accepts a file.