diff options
author | Lee Clagett <code@leeclagett.com> | 2019-03-13 20:01:14 -0400 |
---|---|---|
committer | Lee Clagett <code@leeclagett.com> | 2019-04-06 23:47:07 -0400 |
commit | 1f5ed328aa3b0501bd85774dc960c17a73d79db3 (patch) | |
tree | 2012781c62caf2e6211d8bc7efb009c98fe4791d /src/wallet/wallet_rpc_server.cpp | |
parent | Do not require client certificate unless server has some whitelisted. (diff) | |
download | monero-1f5ed328aa3b0501bd85774dc960c17a73d79db3.tar.xz |
Change default SSL to "enabled" if user specifies fingerprint/certificate
Currently if a user specifies a ca file or fingerprint to verify peer,
the default behavior is SSL autodetect which allows for mitm downgrade
attacks. It should be investigated whether a manual override should be
allowed - the configuration is likely always invalid.
Diffstat (limited to 'src/wallet/wallet_rpc_server.cpp')
-rw-r--r-- | src/wallet/wallet_rpc_server.cpp | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/src/wallet/wallet_rpc_server.cpp b/src/wallet/wallet_rpc_server.cpp index 7824ed62e..a07e8e767 100644 --- a/src/wallet/wallet_rpc_server.cpp +++ b/src/wallet/wallet_rpc_server.cpp @@ -250,11 +250,16 @@ namespace tools auto rpc_ssl_ca_file = command_line::get_arg(vm, arg_rpc_ssl_ca_certificates); auto rpc_ssl_allowed_fingerprints = command_line::get_arg(vm, arg_rpc_ssl_allowed_fingerprints); auto rpc_ssl = command_line::get_arg(vm, arg_rpc_ssl); - epee::net_utils::ssl_support_t rpc_ssl_support; - if (!epee::net_utils::ssl_support_from_string(rpc_ssl_support, rpc_ssl)) + epee::net_utils::ssl_support_t rpc_ssl_support = epee::net_utils::ssl_support_t::e_ssl_support_enabled; + + // user specified CA file or fingeprints implies enabled SSL by default + if ((rpc_ssl_ca_file.empty() && rpc_ssl_allowed_fingerprints.empty()) || !command_line::is_arg_defaulted(vm, arg_rpc_ssl)) { - MERROR("Invalid argument for " << std::string(arg_rpc_ssl.name)); - return false; + if (!epee::net_utils::ssl_support_from_string(rpc_ssl_support, rpc_ssl)) + { + MERROR("Invalid argument for " << std::string(arg_rpc_ssl.name)); + return false; + } } std::vector<std::vector<uint8_t>> allowed_fingerprints{ rpc_ssl_allowed_fingerprints.size() }; |