From 97cd1fa98d58fa354ebbade47e894f169ee0c1e2 Mon Sep 17 00:00:00 2001 From: Lee Clagett Date: Thu, 4 Apr 2019 01:48:55 -0400 Subject: Only check top-level certificate against fingerprint list. This allows "chain" certificates to be used with the fingerprint whitelist option. A user can get a system-ca signature as backup while clients explicitly whitelist the server certificate. The user specified CA can also be combined with fingerprint whitelisting. --- contrib/epee/src/net_ssl.cpp | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'contrib/epee/src/net_ssl.cpp') diff --git a/contrib/epee/src/net_ssl.cpp b/contrib/epee/src/net_ssl.cpp index 0ac452343..77eaa43e2 100644 --- a/contrib/epee/src/net_ssl.cpp +++ b/contrib/epee/src/net_ssl.cpp @@ -285,8 +285,10 @@ bool ssl_options_t::has_fingerprint(boost::asio::ssl::verify_context &ctx) const MERROR("Error getting verify_context handle"); return false; } - X509 *cert =X509_STORE_CTX_get_current_cert(sctx); - if (!cert) + + X509* cert = nullptr; + const STACK_OF(X509)* chain = X509_STORE_CTX_get_chain(sctx); + if (!chain || sk_X509_num(chain) < 1 || !(cert = sk_X509_value(chain, 0))) { MERROR("No certificate found in verify_context"); return false; -- cgit v1.2.3