aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorluigi1111 <luigi1111w@gmail.com>2023-07-06 21:39:47 -0500
committerluigi1111 <luigi1111w@gmail.com>2023-07-06 21:39:47 -0500
commit1eb1162923ea74803ebb88b5f16560fd7466ff45 (patch)
tree9c147d319c85f1daa67589a65dc84ca7c6c57c80
parentMerge pull request #8908 (diff)
parentSet SSL SNI even when server verification is disabled (diff)
downloadmonero-1eb1162923ea74803ebb88b5f16560fd7466ff45.tar.xz
Merge pull request #8909
aed36a2 Set SSL SNI even when server verification is disabled (Lee *!* Clagett)
-rw-r--r--contrib/epee/src/net_ssl.cpp13
1 files changed, 8 insertions, 5 deletions
diff --git a/contrib/epee/src/net_ssl.cpp b/contrib/epee/src/net_ssl.cpp
index 2d0b7d791..9200796a8 100644
--- a/contrib/epee/src/net_ssl.cpp
+++ b/contrib/epee/src/net_ssl.cpp
@@ -496,6 +496,13 @@ void ssl_options_t::configure(
const std::string& host) const
{
socket.next_layer().set_option(boost::asio::ip::tcp::no_delay(true));
+ {
+ // in case server is doing "virtual" domains, set hostname
+ SSL* const ssl_ctx = socket.native_handle();
+ if (type == boost::asio::ssl::stream_base::client && !host.empty() && ssl_ctx)
+ SSL_set_tlsext_host_name(ssl_ctx, host.c_str());
+ }
+
/* Using system-wide CA store for client verification is funky - there is
no expected hostname for server to verify against. If server doesn't have
@@ -513,11 +520,7 @@ void ssl_options_t::configure(
{
socket.set_verify_mode(boost::asio::ssl::verify_peer | boost::asio::ssl::verify_fail_if_no_peer_cert);
- // in case server is doing "virtual" domains, set hostname
- SSL* const ssl_ctx = socket.native_handle();
- if (type == boost::asio::ssl::stream_base::client && !host.empty() && ssl_ctx)
- SSL_set_tlsext_host_name(ssl_ctx, host.c_str());
-
+
socket.set_verify_callback([&](const bool preverified, boost::asio::ssl::verify_context &ctx)
{
// preverified means it passed system or user CA check. System CA is never loaded