diff options
| author | Lee Clagett <code@leeclagett.com> | 2019-03-17 16:11:42 -0400 |
|---|---|---|
| committer | Lee Clagett <code@leeclagett.com> | 2019-04-07 00:44:37 -0400 |
| commit | 96d602ac84d856c26a9065bfccbe2b98237db271 (patch) | |
| tree | dc14b5287d364f6e2b1bfd223e800400333f72ba /contrib/epee/src | |
| parent | Pass SSL arguments via one class and use shared_ptr instead of reference (diff) | |
| download | monero-96d602ac84d856c26a9065bfccbe2b98237db271.tar.xz | |
Add `verify_fail_if_no_cert` option for proper client authentication
Using `verify_peer` on server side requests a certificate from the
client. If no certificate is provided, the server silently accepts the
connection and rejects if the client sends an unexpected certificate.
Adding `verify_fail_if_no_cert` has no affect on client and for server
requires that the peer sends a certificate or fails the handshake. This
is the desired behavior when the user specifies a fingerprint or CA file.
Diffstat (limited to 'contrib/epee/src')
| -rw-r--r-- | contrib/epee/src/net_ssl.cpp | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/contrib/epee/src/net_ssl.cpp b/contrib/epee/src/net_ssl.cpp index 1d137219a..a87792fb8 100644 --- a/contrib/epee/src/net_ssl.cpp +++ b/contrib/epee/src/net_ssl.cpp @@ -330,7 +330,7 @@ bool ssl_options_t::handshake(boost::asio::ssl::stream<boost::asio::ip::tcp::soc socket.set_verify_mode(boost::asio::ssl::verify_none); else { - socket.set_verify_mode(boost::asio::ssl::verify_peer); + socket.set_verify_mode(boost::asio::ssl::verify_peer | boost::asio::ssl::verify_fail_if_no_peer_cert); socket.set_verify_callback([&](bool preverified, boost::asio::ssl::verify_context &ctx) { // preverified means it passed system or user CA check. System CA is never loaded |