Enabling daemon-rpc SSL now requires non-system CA verification

If `--daemon-ssl enabled` is set in the wallet, then a user certificate, fingerprint, or onion/i2p address must be provided.
author: Lee Clagett <code@leeclagett.com> 2019-04-06 21:28:37 -0400
committer: Lee Clagett <code@leeclagett.com> 2019-04-07 13:02:43 -0400
commit: 2e578b8214b8b47d7ddefceb1cbf2d8129e85a5a (patch)
tree: 103d97e9da3ceb4c6b2311dac3b41cb9e7085026 /contrib/epee/src/net_ssl.cpp
parent: Require manual override for user chain certificates. (diff)
download: monero-2e578b8214b8b47d7ddefceb1cbf2d8129e85a5a.tar.xz
1 files changed, 19 insertions, 0 deletions
diff --git a/contrib/epee/src/net_ssl.cpp b/contrib/epee/src/net_ssl.cpp
index 1bc6f91b8..7bedb18ac 100644
--- a/contrib/epee/src/net_ssl.cpp
+++ b/contrib/epee/src/net_ssl.cpp
@@ -278,6 +278,25 @@ bool is_ssl(const unsigned char *data, size_t len)
   return false;
 }
 
+bool ssl_options_t::has_strong_verification(boost::string_ref host) const noexcept
+{
+  // onion and i2p addresses contain information about the server cert
+  // which both authenticates and encrypts
+  if (host.ends_with(".onion") || host.ends_with(".i2p"))
+    return true;
+  switch (verification)
+  {
+    default:
+    case ssl_verification_t::none:
+    case ssl_verification_t::system_ca:
+      return false;
+    case ssl_verification_t::user_certificates:
+    case ssl_verification_t::user_ca:
+      break;
+  }
+  return true;
+}
+
 bool ssl_options_t::has_fingerprint(boost::asio::ssl::verify_context &ctx) const
 {
   // can we check the certificate against a list of fingerprints?
author	Lee Clagett <code@leeclagett.com>	2019-04-06 21:28:37 -0400
committer	Lee Clagett <code@leeclagett.com>	2019-04-07 13:02:43 -0400
commit	2e578b8214b8b47d7ddefceb1cbf2d8129e85a5a (patch)
tree	103d97e9da3ceb4c6b2311dac3b41cb9e7085026 /contrib/epee/src/net_ssl.cpp
parent	Require manual override for user chain certificates. (diff)
download	monero-2e578b8214b8b47d7ddefceb1cbf2d8129e85a5a.tar.xz