aboutsummaryrefslogtreecommitdiff
path: root/contrib/epee/include/net/net_ssl.h
diff options
context:
space:
mode:
authorLee Clagett <code@leeclagett.com>2019-03-11 22:01:03 -0400
committerLee Clagett <code@leeclagett.com>2019-04-06 23:47:06 -0400
commita3b0284837c9ea10865e6ddeb7f1244d621ae5c0 (patch)
tree2c9738f2ac773eb44c6579c692c006eb75fb12f2 /contrib/epee/include/net/net_ssl.h
parentMerge pull request #5364 (diff)
downloadmonero-a3b0284837c9ea10865e6ddeb7f1244d621ae5c0.tar.xz
Change SSL certificate file list to OpenSSL builtin load_verify_location
Specifying SSL certificates for peer verification does an exact match, making it a not-so-obvious alias for the fingerprints option. This changes the checks to OpenSSL which loads concatenated certificate(s) from a single file and does a certificate-authority (chain of trust) check instead. There is no drop in security - a compromised exact match fingerprint has the same worse case failure. There is increased security in allowing separate long-term CA key and short-term SSL server keys. This also removes loading of the system-default CA files if a custom CA file or certificate fingerprint is specified.
Diffstat (limited to 'contrib/epee/include/net/net_ssl.h')
-rw-r--r--contrib/epee/include/net/net_ssl.h7
1 files changed, 4 insertions, 3 deletions
diff --git a/contrib/epee/include/net/net_ssl.h b/contrib/epee/include/net/net_ssl.h
index f7b102164..1b90a948d 100644
--- a/contrib/epee/include/net/net_ssl.h
+++ b/contrib/epee/include/net/net_ssl.h
@@ -31,10 +31,11 @@
#include <stdint.h>
#include <string>
-#include <list>
+#include <vector>
#include <boost/utility/string_ref.hpp>
#include <boost/asio/ip/tcp.hpp>
#include <boost/asio/ssl.hpp>
+#include <boost/system/error_code.hpp>
namespace epee
{
@@ -49,7 +50,7 @@ namespace net_utils
struct ssl_context_t
{
boost::asio::ssl::context context;
- std::list<std::string> allowed_certificates;
+ std::string ca_path;
std::vector<std::vector<uint8_t>> allowed_fingerprints;
bool allow_any_cert;
};
@@ -57,7 +58,7 @@ namespace net_utils
// https://security.stackexchange.com/questions/34780/checking-client-hello-for-https-classification
constexpr size_t get_ssl_magic_size() { return 9; }
bool is_ssl(const unsigned char *data, size_t len);
- ssl_context_t create_ssl_context(const std::pair<std::string, std::string> &private_key_and_certificate_path, std::list<std::string> allowed_certificates, std::vector<std::vector<uint8_t>> allowed_fingerprints, bool allow_any_cert);
+ ssl_context_t create_ssl_context(const std::pair<std::string, std::string> &private_key_and_certificate_path, const std::string &ca_path, std::vector<std::vector<uint8_t>> allowed_fingerprints, bool allow_any_cert);
void use_ssl_certificate(ssl_context_t &ssl_context, const std::pair<std::string, std::string> &private_key_and_certificate_path);
bool is_certificate_allowed(boost::asio::ssl::verify_context &ctx, const ssl_context_t &ssl_context);
bool ssl_handshake(boost::asio::ssl::stream<boost::asio::ip::tcp::socket> &socket, boost::asio::ssl::stream_base::handshake_type type, const epee::net_utils::ssl_context_t &ssl_context);