authorLee Clagett <code@leeclagett.com>2019-03-11 22:01:03 -0400
committerLee Clagett <code@leeclagett.com>2019-04-06 23:47:06 -0400
commita3b0284837c9ea10865e6ddeb7f1244d621ae5c0 (patch)
tree2c9738f2ac773eb44c6579c692c006eb75fb12f2 /contrib/epee/include/net/net_ssl.h
parentMerge pull request #5364 (diff)
downloadmonero-a3b0284837c9ea10865e6ddeb7f1244d621ae5c0.tar.xz
Change SSL certificate file list to OpenSSL builtin load_verify_location
Specifying SSL certificates for peer verification does an exact match, making it a not-so-obvious alias for the fingerprints option. This changes the check to OpenSSL, which loads concatenated certificate(s) from a single file and performs a certificate-authority (chain-of-trust) check instead. There is no drop in security - a compromised exact-match fingerprint has the same worst-case failure. There is increased security in allowing a separate long-term CA key and short-term SSL server keys. This also removes loading of the system-default CA files if a custom CA file or certificate fingerprint is specified.
Diffstat (limited to '')
-rw-r--r--contrib/epee/include/net/net_ssl.h7
1 files changed, 4 insertions, 3 deletions
diff --git a/contrib/epee/include/net/net_ssl.h b/contrib/epee/include/net/net_ssl.h
index f7b102164..1b90a948d 100644
--- a/contrib/epee/include/net/net_ssl.h
+++ b/contrib/epee/include/net/net_ssl.h
@@ -31,10 +31,11 @@
#include <stdint.h>
#include <string>
-#include <list>
+#include <vector>
#include <boost/utility/string_ref.hpp>
#include <boost/asio/ip/tcp.hpp>
#include <boost/asio/ssl.hpp>
+#include <boost/system/error_code.hpp>
namespace epee
{
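Review bot: `#include <boost/system/error_code.hpp>` is added on the new side, but none of the declarations changed in this header name `boost::system::error_code`, so from this diff it is either unused in the header or included on behalf of a declaration outside the visible hunks. If it is needed only by the implementation, it belongs in that translation unit rather than the public header; if a declaration here does use it, a short comment on the include (e.g. `// error_code overloads of ssl_handshake below`) would make the dependency traceable. The `<list>` removal is consistent with `std::list` disappearing from both the struct and the `create_ssl_context` signature.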
@@ -49,7 +50,7 @@ namespace net_utils
struct ssl_context_t
{
boost::asio::ssl::context context;
- std::list<std::string> allowed_certificates;
+ std::string ca_path;
std::vector<std::vector<uint8_t>> allowed_fingerprints;
bool allow_any_cert;
};
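Review bot: The new `ca_path` member carries no documentation of what it holds or what an empty string means, and as a public aggregate member it can be assigned after `create_ssl_context` returns, which — if the CA file is loaded into `context` at creation time, as the commit message implies — would leave `context` trusting a different CA set than the member names. Suggested comment on the member: `// Path to a file of concatenated PEM CA certificate(s) used for chain-of-trust verification; empty means none. When set, system-default CA files are not loaded. Assigning it after create_ssl_context does not reload the context.` Whether the last sentence holds depends on the implementation, which is outside this hunk; confirm against the implementation file before adopting it.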
@@ -57,7 +58,7 @@ namespace net_utils
// https://security.stackexchange.com/questions/34780/checking-client-hello-for-https-classification
constexpr size_t get_ssl_magic_size() { return 9; }
bool is_ssl(const unsigned char *data, size_t len);
- ssl_context_t create_ssl_context(const std::pair<std::string, std::string> &private_key_and_certificate_path, std::list<std::string> allowed_certificates, std::vector<std::vector<uint8_t>> allowed_fingerprints, bool allow_any_cert);
+ ssl_context_t create_ssl_context(const std::pair<std::string, std::string> &private_key_and_certificate_path, const std::string &ca_path, std::vector<std::vector<uint8_t>> allowed_fingerprints, bool allow_any_cert);
void use_ssl_certificate(ssl_context_t &ssl_context, const std::pair<std::string, std::string> &private_key_and_certificate_path);
bool is_certificate_allowed(boost::asio::ssl::verify_context &ctx, const ssl_context_t &ssl_context);
bool ssl_handshake(boost::asio::ssl::stream<boost::asio::ip::tcp::socket> &socket, boost::asio::ssl::stream_base::handshake_type type, const epee::net_utils::ssl_context_t &ssl_context);
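Review bot: `create_ssl_context` has no comment stating how a missing or unreadable `ca_path` is reported (exception versus a context that silently verifies nothing), which is the failure mode a caller most needs to know for a verification setting; a one-line `/// @throws` or `/// Returns ...` note on the declaration would pin it. As a point of style, `ca_path` is taken by `const std::string &` while `allowed_fingerprints` is taken by value; since `ssl_context_t` stores a copy of both, taking `ca_path` by value and moving it into the result would match the sibling parameter, e.g. `ssl_context_t create_ssl_context(const std::pair<std::string, std::string> &private_key_and_certificate_path, std::string ca_path, std::vector<std::vector<uint8_t>> allowed_fingerprints, bool allow_any_cert);`. The behaviour when both `ca_path` and `allowed_fingerprints` are non-empty (either suffices, or both must pass) is also not documented here and is worth a sentence on `is_certificate_allowed` or the struct.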