authorLee Clagett <code@leeclagett.com>2019-03-17 22:06:36 -0400
committerLee Clagett <code@leeclagett.com>2019-04-07 00:44:37 -0400
commit0416764caec5b2d504c820e71d74a4934c3e2c3e (patch)
treec9d7344daa3903e200a6968c1b29cb8c35ce027a /contrib/epee/include/net
parentAdd `verify_fail_if_no_cert` option for proper client authentication (diff)
Require server verification when SSL is enabled.
If SSL is "enabled" via command line without specifying a fingerprint or certificate, the system CA list is checked for server verification and _now_ fails the handshake if that check fails. This change was made to remain consistent with standard SSL/TLS client behavior. This can still be overridden by using the allow-any-certificate flag. If the SSL behavior is autodetect, the system CA list is still checked, but a warning is logged if this fails. The stream is not rejected because a re-connect will be attempted - it's better to have an unverified encrypted stream than an unverified and unencrypted stream.
Diffstat (limited to 'contrib/epee/include/net')
-rw-r--r--contrib/epee/include/net/net_ssl.h6
1 files changed, 6 insertions, 0 deletions
diff --git a/contrib/epee/include/net/net_ssl.h b/contrib/epee/include/net/net_ssl.h
index 5107f4db6..f36755013 100644
--- a/contrib/epee/include/net/net_ssl.h
+++ b/contrib/epee/include/net/net_ssl.h
@@ -104,6 +104,12 @@ namespace net_utils
boost::asio::ssl::context create_context() const;
+ /*! \note If `this->support == autodetect && this->verification != none`,
+ then the handshake will not fail when peer verification fails. The
+ assumption is that a re-connect will be attempted, so a warning is
+ logged instead of failure.
+ \return True if the SSL handshake completes with peer verification
+ settings. */
bool handshake(boost::asio::ssl::stream<boost::asio::ip::tcp::socket> &socket, boost::asio::ssl::stream_base::handshake_type type) const;
};
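Review bot: The added `\return` line does not tell a caller that the boolean is not a verification result: per the `\note` directly above it, with `support == autodetect` the function returns true even when peer verification failed, so a caller cannot distinguish an authenticated peer from an unauthenticated one from this value alone. I would state that consequence in the doc comment, e.g. `\return True if the handshake completed. When support == autodetect, true does not imply the peer was verified (see \note); callers that require an authenticated peer must not use autodetect.` The enclosing struct begins outside the hunk, so it may already carry related documentation on `support` and `verification` that this wording should match.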