diff options
| author | Lee *!* Clagett <code@leeclagett.com> | 2023-06-09 11:09:39 -0400 |
|---|---|---|
| committer | Lee *!* Clagett <code@leeclagett.com> | 2023-06-16 19:16:30 -0400 |
| commit | aed36a25d651ebf1fea3c63e6a85e064e9273b0c (patch) | |
| tree | c112562977ee42c3c929d70c60811cca48331797 | |
| parent | Merge pull request #8846 (diff) | |
| download | monero-aed36a25d651ebf1fea3c63e6a85e064e9273b0c.tar.xz | |
Set SSL SNI even when server verification is disabled
| -rw-r--r-- | contrib/epee/src/net_ssl.cpp | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/contrib/epee/src/net_ssl.cpp b/contrib/epee/src/net_ssl.cpp index 2d0b7d791..9200796a8 100644 --- a/contrib/epee/src/net_ssl.cpp +++ b/contrib/epee/src/net_ssl.cpp @@ -496,6 +496,13 @@ void ssl_options_t::configure( const std::string& host) const { socket.next_layer().set_option(boost::asio::ip::tcp::no_delay(true)); + { + // in case server is doing "virtual" domains, set hostname + SSL* const ssl_ctx = socket.native_handle(); + if (type == boost::asio::ssl::stream_base::client && !host.empty() && ssl_ctx) + SSL_set_tlsext_host_name(ssl_ctx, host.c_str()); + } + /* Using system-wide CA store for client verification is funky - there is no expected hostname for server to verify against. If server doesn't have @@ -513,11 +520,7 @@ void ssl_options_t::configure( { socket.set_verify_mode(boost::asio::ssl::verify_peer | boost::asio::ssl::verify_fail_if_no_peer_cert); - // in case server is doing "virtual" domains, set hostname - SSL* const ssl_ctx = socket.native_handle(); - if (type == boost::asio::ssl::stream_base::client && !host.empty() && ssl_ctx) - SSL_set_tlsext_host_name(ssl_ctx, host.c_str()); - + socket.set_verify_callback([&](const bool preverified, boost::asio::ssl::verify_context &ctx) { // preverified means it passed system or user CA check. System CA is never loaded |