aboutsummaryrefslogtreecommitdiff
path: root/src/wallet/wallet2.cpp
diff options
context:
space:
mode:
authorLee Clagett <code@leeclagett.com>2019-03-13 20:01:14 -0400
committerLee Clagett <code@leeclagett.com>2019-04-06 23:47:07 -0400
commit1f5ed328aa3b0501bd85774dc960c17a73d79db3 (patch)
tree2012781c62caf2e6211d8bc7efb009c98fe4791d /src/wallet/wallet2.cpp
parentDo not require client certificate unless server has some whitelisted. (diff)
downloadmonero-1f5ed328aa3b0501bd85774dc960c17a73d79db3.tar.xz
Change default SSL to "enabled" if user specifies fingerprint/certificate
Currently if a user specifies a ca file or fingerprint to verify peer, the default behavior is SSL autodetect which allows for mitm downgrade attacks. It should be investigated whether a manual override should be allowed - the configuration is likely always invalid.
Diffstat (limited to '')
-rw-r--r--src/wallet/wallet2.cpp11
1 files changed, 8 insertions, 3 deletions
diff --git a/src/wallet/wallet2.cpp b/src/wallet/wallet2.cpp
index c4f466699..9e2a826d9 100644
--- a/src/wallet/wallet2.cpp
+++ b/src/wallet/wallet2.cpp
@@ -325,9 +325,14 @@ std::unique_ptr<tools::wallet2> make_basic(const boost::program_options::variabl
auto daemon_ssl_allowed_fingerprints = command_line::get_arg(vm, opts.daemon_ssl_allowed_fingerprints);
auto daemon_ssl_allow_any_cert = command_line::get_arg(vm, opts.daemon_ssl_allow_any_cert);
auto daemon_ssl = command_line::get_arg(vm, opts.daemon_ssl);
- epee::net_utils::ssl_support_t ssl_support;
- THROW_WALLET_EXCEPTION_IF(!epee::net_utils::ssl_support_from_string(ssl_support, daemon_ssl), tools::error::wallet_internal_error,
- tools::wallet2::tr("Invalid argument for ") + std::string(opts.daemon_ssl.name));
+
+ // user specified CA file or fingeprints implies enabled SSL by default
+ epee::net_utils::ssl_support_t ssl_support = epee::net_utils::ssl_support_t::e_ssl_support_enabled;
+ if ((daemon_ssl_ca_file.empty() && daemon_ssl_allowed_fingerprints.empty()) || !command_line::is_arg_defaulted(vm, opts.daemon_ssl))
+ {
+ THROW_WALLET_EXCEPTION_IF(!epee::net_utils::ssl_support_from_string(ssl_support, daemon_ssl), tools::error::wallet_internal_error,
+ tools::wallet2::tr("Invalid argument for ") + std::string(opts.daemon_ssl.name));
+ }
THROW_WALLET_EXCEPTION_IF(!daemon_address.empty() && !daemon_host.empty() && 0 != daemon_port,
tools::error::wallet_internal_error, tools::wallet2::tr("can't specify daemon host or port more than once"));