diff options
| author | Lee Clagett <code@leeclagett.com> | 2019-03-11 22:01:03 -0400 |
|---|---|---|
| committer | Lee Clagett <code@leeclagett.com> | 2019-04-06 23:47:06 -0400 |
| commit | a3b0284837c9ea10865e6ddeb7f1244d621ae5c0 (patch) | |
| tree | 2c9738f2ac773eb44c6579c692c006eb75fb12f2 /src/wallet/wallet2.h | |
| parent | Merge pull request #5364 (diff) | |
| download | monero-a3b0284837c9ea10865e6ddeb7f1244d621ae5c0.tar.xz | |
Change SSL certificate file list to OpenSSL builtin load_verify_location
Specifying SSL certificates for peer verification does an exact match,
making it a not-so-obvious alias for the fingerprints option. This
changes the checks to OpenSSL which loads concatenated certificate(s)
from a single file and does a certificate-authority (chain of trust)
check instead. There is no drop in security - a compromised exact match
fingerprint has the same worse case failure. There is increased security
in allowing separate long-term CA key and short-term SSL server keys.
This also removes loading of the system-default CA files if a custom
CA file or certificate fingerprint is specified.
Diffstat (limited to 'src/wallet/wallet2.h')
| -rw-r--r-- | src/wallet/wallet2.h | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/wallet/wallet2.h b/src/wallet/wallet2.h index a24127800..58dc5f082 100644 --- a/src/wallet/wallet2.h +++ b/src/wallet/wallet2.h @@ -691,13 +691,13 @@ namespace tools bool trusted_daemon = true, epee::net_utils::ssl_support_t ssl_support = epee::net_utils::ssl_support_t::e_ssl_support_autodetect, const std::pair<std::string, std::string> &private_key_and_certificate_path = {}, - const std::list<std::string> &allowed_certificates = {}, const std::vector<std::vector<uint8_t>> &allowed_fingerprints = {}, + std::string ca_file = {}, const std::vector<std::vector<uint8_t>> &allowed_fingerprints = {}, bool allow_any_cert = false); bool set_daemon(std::string daemon_address = "http://localhost:8080", boost::optional<epee::net_utils::http::login> daemon_login = boost::none, bool trusted_daemon = true, epee::net_utils::ssl_support_t ssl_support = epee::net_utils::ssl_support_t::e_ssl_support_autodetect, const std::pair<std::string, std::string> &private_key_and_certificate_path = {}, - const std::list<std::string> &allowed_certificates = {}, const std::vector<std::vector<uint8_t>> &allowed_fingerprints = {}, + std::string ca_file = {}, const std::vector<std::vector<uint8_t>> &allowed_fingerprints = {}, bool allow_any_cert = false); void stop() { m_run.store(false, std::memory_order_relaxed); m_message_store.stop(); } |