Require manual override for user chain certificates.

An override for the wallet to daemon connection is provided, but not for other SSL contexts. The intent is to prevent users from supplying a system CA as the "user" whitelisted certificate, which is less secure since the key is controlled by a third party.
author: Lee Clagett <code@leeclagett.com> 2019-04-04 13:35:33 -0400
committer: Lee Clagett <code@leeclagett.com> 2019-04-07 00:44:37 -0400
commit: d58f368289709e0869c9b7927778339670cb85a7 (patch)
tree: e100a961a0d4f533957a2c4a2926008e1fcc9dfd /contrib/epee/src
parent: Only check top-level certificate against fingerprint list. (diff)
download: monero-d58f368289709e0869c9b7927778339670cb85a7.tar.xz
1 files changed, 3 insertions, 0 deletions
diff --git a/contrib/epee/src/net_ssl.cpp b/contrib/epee/src/net_ssl.cpp
index 77eaa43e2..1bc6f91b8 100644
--- a/contrib/epee/src/net_ssl.cpp
+++ b/contrib/epee/src/net_ssl.cpp
@@ -221,6 +221,9 @@ boost::asio::ssl::context ssl_options_t::create_context() const
       ssl_context.set_default_verify_paths();
       break;
     case ssl_verification_t::user_certificates:
+      ssl_context.set_verify_depth(0);
+      /* fallthrough */
+    case ssl_verification_t::user_ca:
       if (!ca_path.empty())
       {
         const boost::system::error_code err = load_ca_file(ssl_context, ca_path);
author	Lee Clagett <code@leeclagett.com>	2019-04-04 13:35:33 -0400
committer	Lee Clagett <code@leeclagett.com>	2019-04-07 00:44:37 -0400
commit	d58f368289709e0869c9b7927778339670cb85a7 (patch)
tree	e100a961a0d4f533957a2c4a2926008e1fcc9dfd /contrib/epee/src
parent	Only check top-level certificate against fingerprint list. (diff)
download	monero-d58f368289709e0869c9b7927778339670cb85a7.tar.xz