authorLee Clagett <code@leeclagett.com>2019-04-04 01:48:55 -0400
committerLee Clagett <code@leeclagett.com>2019-04-07 00:44:37 -0400
commit97cd1fa98d58fa354ebbade47e894f169ee0c1e2 (patch)
tree1dda8c430a2b3dd28f70bea4f4d47ca57730c7d2
parentCall `use_certificate_chain_file` instead of `use_certificate_file` (diff)
downloadmonero-97cd1fa98d58fa354ebbade47e894f169ee0c1e2.tar.xz
Only check top-level certificate against fingerprint list.
This allows "chain" certificates to be used with the fingerprint whitelist option. A user can get a system-ca signature as backup while clients explicitly whitelist the server certificate. The user specified CA can also be combined with fingerprint whitelisting.
-rw-r--r--contrib/epee/src/net_ssl.cpp6
1 files changed, 4 insertions, 2 deletions
diff --git a/contrib/epee/src/net_ssl.cpp b/contrib/epee/src/net_ssl.cpp
index 0ac452343..77eaa43e2 100644
--- a/contrib/epee/src/net_ssl.cpp
+++ b/contrib/epee/src/net_ssl.cpp
@@ -285,8 +285,10 @@ bool ssl_options_t::has_fingerprint(boost::asio::ssl::verify_context &ctx) const
MERROR("Error getting verify_context handle");
return false;
}
- X509 *cert =X509_STORE_CTX_get_current_cert(sctx);
- if (!cert)
+
+ X509* cert = nullptr;
+ const STACK_OF(X509)* chain = X509_STORE_CTX_get_chain(sctx);
+ if (!chain || sk_X509_num(chain) < 1 || !(cert = sk_X509_value(chain, 0)))
{
MERROR("No certificate found in verify_context");
return false;
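Review bot: The switch from `X509_STORE_CTX_get_current_cert` to `sk_X509_value(chain, 0)` changes which certificate is compared on every invocation of the verify callback, and nothing in the hunk says why index 0 is the right one or who owns the returned pointers; a maintainer reading `has_fingerprint` later could easily "fix" it back to the current cert or add an `X509_free`. I would put a comment above the `X509* cert = nullptr;` line: `// chain[0] is always the end-entity (leaf) certificate; the verify callback runs once per depth, so always compare the leaf rather than the cert at the current depth. chain and cert are owned by sctx and must not be freed.` Since the callback is presumably invoked for intermediate and root certificates as well, a match on the leaf fingerprint would accept those depths too — that appears to be the intended pinning behaviour described in the commit message, but it is worth stating in the same comment so the trust model is explicit in the code. The body of `has_fingerprint` starts and ends outside this hunk, so the subsequent fingerprint comparison and return value could not be reviewed here.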