author | Lee Clagett <code@leeclagett.com> | 2019-04-04 13:35:33 -0400 |
---|---|---|
committer | Lee Clagett <code@leeclagett.com> | 2019-04-07 00:44:37 -0400 |
commit | d58f368289709e0869c9b7927778339670cb85a7 (patch) | |
tree | e100a961a0d4f533957a2c4a2926008e1fcc9dfd /contrib/epee/src/net_ssl.cpp | |
parent | Only check top-level certificate against fingerprint list. (diff) | |
download | monero-d58f368289709e0869c9b7927778339670cb85a7.tar.xz |
Require manual override for user chain certificates.
An override for the wallet to daemon connection is provided, but not for
other SSL contexts. The intent is to prevent users from supplying a
system CA as the "user" whitelisted certificate, which is less secure
since the key is controlled by a third party.
Diffstat (limited to '')
-rw-r--r-- | contrib/epee/src/net_ssl.cpp | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/contrib/epee/src/net_ssl.cpp b/contrib/epee/src/net_ssl.cpp index 77eaa43e2..1bc6f91b8 100644 --- a/contrib/epee/src/net_ssl.cpp +++ b/contrib/epee/src/net_ssl.cpp @@ -221,6 +221,9 @@ boost::asio::ssl::context ssl_options_t::create_context() const ssl_context.set_default_verify_paths(); break; case ssl_verification_t::user_certificates: + ssl_context.set_verify_depth(0); + /* fallthrough */ + case ssl_verification_t::user_ca: if (!ca_path.empty()) { const boost::system::error_code err = load_ca_file(ssl_context, ca_path); |
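Review bot: The `ssl_context.set_verify_depth(0);` added under `case ssl_verification_t::user_certificates:` has no comment saying why the depth is pinned to zero, and the reason (per the commit message, keeping a system CA from being accepted as the "user" whitelisted certificate) is not obvious from the call itself. A one-line comment above it would help, because the `/* fallthrough */` that follows makes this case share the `ca_path` loading with `user_ca`, so the depth limit is the only thing separating the two modes. Two smaller points: this is the throwing overload of `set_verify_depth`, while the `load_ca_file` call just below reports failure through a `boost::system::error_code`, so consider the `error_code` overload for consistent error handling. It is also worth confirming in a test that depth 0 rejects a peer certificate issued by a CA loaded from `ca_path` on each supported OpenSSL version, since that rejection is what the change relies on.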