aboutsummaryrefslogtreecommitdiff
path: root/contrib
diff options
context:
space:
mode:
authorLee Clagett <code@leeclagett.com>2019-04-04 13:35:33 -0400
committerLee Clagett <code@leeclagett.com>2019-04-07 00:44:37 -0400
commitd58f368289709e0869c9b7927778339670cb85a7 (patch)
treee100a961a0d4f533957a2c4a2926008e1fcc9dfd /contrib
parentOnly check top-level certificate against fingerprint list. (diff)
downloadmonero-d58f368289709e0869c9b7927778339670cb85a7.tar.xz
Require manual override for user chain certificates.
An override for the wallet to daemon connection is provided, but not for other SSL contexts. The intent is to prevent users from supplying a system CA as the "user" whitelisted certificate, which is less secure since the key is controlled by a third party.
Diffstat (limited to 'contrib')
-rw-r--r--contrib/epee/include/net/net_ssl.h3
-rw-r--r--contrib/epee/src/net_ssl.cpp3
2 files changed, 5 insertions, 1 deletions
diff --git a/contrib/epee/include/net/net_ssl.h b/contrib/epee/include/net/net_ssl.h
index ba6e2ee6d..726dcb61a 100644
--- a/contrib/epee/include/net/net_ssl.h
+++ b/contrib/epee/include/net/net_ssl.h
@@ -51,7 +51,8 @@ namespace net_utils
{
none = 0, //!< Do not verify peer.
system_ca, //!< Verify peer via system ca only (do not inspect user certificates)
- user_certificates //!< Verify peer via user certificate(s) only.
+ user_certificates,//!< Verify peer via specific (non-chain) certificate(s) only.
+ user_ca //!< Verify peer via specific (possibly chain) certificate(s) only.
};
struct ssl_authentication_t
diff --git a/contrib/epee/src/net_ssl.cpp b/contrib/epee/src/net_ssl.cpp
index 77eaa43e2..1bc6f91b8 100644
--- a/contrib/epee/src/net_ssl.cpp
+++ b/contrib/epee/src/net_ssl.cpp
@@ -221,6 +221,9 @@ boost::asio::ssl::context ssl_options_t::create_context() const
ssl_context.set_default_verify_paths();
break;
case ssl_verification_t::user_certificates:
+ ssl_context.set_verify_depth(0);
+ /* fallthrough */
+ case ssl_verification_t::user_ca:
if (!ca_path.empty())
{
const boost::system::error_code err = load_ca_file(ssl_context, ca_path);