authorLee Clagett <code@leeclagett.com>2019-03-11 22:01:03 -0400
committerLee Clagett <code@leeclagett.com>2019-04-06 23:47:06 -0400
commita3b0284837c9ea10865e6ddeb7f1244d621ae5c0 (patch)
tree2c9738f2ac773eb44c6579c692c006eb75fb12f2 /src/wallet/wallet_rpc_server_commands_defs.h
parentMerge pull request #5364 (diff)
downloadmonero-a3b0284837c9ea10865e6ddeb7f1244d621ae5c0.tar.xz
Change SSL certificate file list to OpenSSL builtin load_verify_location
Specifying SSL certificates for peer verification does an exact match, making it a not-so-obvious alias for the fingerprints option. This changes the checks to use OpenSSL, which loads concatenated certificate(s) from a single file and does a certificate-authority (chain of trust) check instead. There is no drop in security - a compromised exact-match fingerprint has the same worst-case failure. There is increased security in allowing a separate long-term CA key and short-term SSL server keys. This also removes loading of the system-default CA files if a custom CA file or certificate fingerprint is specified.
Diffstat (limited to 'src/wallet/wallet_rpc_server_commands_defs.h')
-rw-r--r--src/wallet/wallet_rpc_server_commands_defs.h4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/wallet/wallet_rpc_server_commands_defs.h b/src/wallet/wallet_rpc_server_commands_defs.h
index 7984f6584..4c945ab41 100644
--- a/src/wallet/wallet_rpc_server_commands_defs.h
+++ b/src/wallet/wallet_rpc_server_commands_defs.h
@@ -2448,7 +2448,7 @@ namespace wallet_rpc
std::string ssl_support; // disabled, enabled, autodetect
std::string ssl_private_key_path;
std::string ssl_certificate_path;
- std::list<std::string> ssl_allowed_certificates;
+ std::string ssl_ca_file;
std::vector<std::string> ssl_allowed_fingerprints;
bool ssl_allow_any_cert;
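Review bot: The new `ssl_ca_file` member has no comment, although its meaning differs from the `ssl_allowed_certificates` list it replaces. Per the commit description it names a single file of concatenated certificate(s) that OpenSSL uses for a chain-of-trust check, not a set of exact-match certificates. I would document that on the field, e.g. `std::string ssl_ca_file; // path to one file of concatenated CA certificate(s); peer is verified by chain of trust`, and say how it interacts with `ssl_allowed_fingerprints` and `ssl_allow_any_cert` when more than one is set. The enclosing request struct starts and ends outside this hunk.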
@@ -2458,7 +2458,7 @@ namespace wallet_rpc
KV_SERIALIZE_OPT(ssl_support, (std::string)"autodetect")
KV_SERIALIZE(ssl_private_key_path)
KV_SERIALIZE(ssl_certificate_path)
- KV_SERIALIZE(ssl_allowed_certificates)
+ KV_SERIALIZE(ssl_ca_file)
KV_SERIALIZE(ssl_allowed_fingerprints)
KV_SERIALIZE_OPT(ssl_allow_any_cert, false)
END_KV_SERIALIZE_MAP()
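Review bot: Replacing `KV_SERIALIZE(ssl_allowed_certificates)` with `KV_SERIALIZE(ssl_ca_file)` changes the request's wire format, and a client still sending the old key would presumably have it ignored rather than rejected (how the map treats unknown keys is not visible here). If so, a caller that relied on the old field for certificate pinning would silently get whatever verification the handler applies when `ssl_ca_file` and `ssl_allowed_fingerprints` are both empty. It is worth confirming that the handler fails closed in that case and that the rename is recorded in the wallet RPC documentation. The serialize map begins outside this hunk.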