Git-Mirrors/monero
1
0
Fork 0
mirror of https://github.com/monero-project/monero.git synced 2025-08-03 16:14:20 -04:00
Code Issues Projects Releases Packages Wiki Activity

Require server verification when SSL is enabled.

Browse source 
If SSL is "enabled" via command line without specifying a fingerprint or
certificate, the system CA list is checked for server verification and
_now_ fails the handshake if that check fails. This change was made to
remain consistent with standard SSL/TLS client behavior. This can still
be overridden by using the allow any certificate flag.

If the SSL behavior is autodetect, the system CA list is still checked
but a warning is logged if this fails. The stream is not rejected
because a re-connect will be attempted - its better to have an
unverified encrypted stream than an unverified + unencrypted stream.
This commit is contained in:
Lee Clagett 2019-03-17 22:06:36 -04:00
parent 96d602ac84
commit 0416764cae
2 changed files with 16 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

6
contrib/epee/include/net/net_ssl.h
View file

@ -104,6 +104,12 @@ namespace net_utils
boost::asio::ssl::context create_context() const;
/*! \note If `this->support == autodetect && this->verification != none`,
then the handshake will not fail when peer verification fails. The
assumption is that a re-connect will be attempted, so a warning is
logged instead of failure.
\return True if the SSL handshake completes with peer verification
settings. */
bool handshake(boost::asio::ssl::stream<boost::asio::ip::tcp::socket> &socket, boost::asio::ssl::stream_base::handshake_type type) const;
};