Git-Mirrors/monero
1
0
Fork 0
mirror of https://github.com/monero-project/monero.git synced 2025-08-08 17:32:19 -04:00
Code Issues Projects Releases Packages Wiki Activity

Change default SSL to "enabled" if user specifies fingerprint/certificate

Browse source 
Currently if a user specifies a ca file or fingerprint to verify peer,
the default behavior is SSL autodetect which allows for mitm downgrade
attacks. It should be investigated whether a manual override should be
allowed - the configuration is likely always invalid.
This commit is contained in:
Lee Clagett 2019-03-13 20:01:14 -04:00
parent f18a069fcc
commit 1f5ed328aa
3 changed files with 29 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

13
src/wallet/wallet_rpc_server.cpp
View file

@ -250,11 +250,16 @@ namespace tools
auto rpc_ssl_ca_file = command_line::get_arg(vm, arg_rpc_ssl_ca_certificates);
auto rpc_ssl_allowed_fingerprints = command_line::get_arg(vm, arg_rpc_ssl_allowed_fingerprints);
auto rpc_ssl = command_line::get_arg(vm, arg_rpc_ssl);
epee::net_utils::ssl_support_t rpc_ssl_support;
if (!epee::net_utils::ssl_support_from_string(rpc_ssl_support, rpc_ssl))
epee::net_utils::ssl_support_t rpc_ssl_support = epee::net_utils::ssl_support_t::e_ssl_support_enabled;
// user specified CA file or fingeprints implies enabled SSL by default
if ((rpc_ssl_ca_file.empty() && rpc_ssl_allowed_fingerprints.empty()) || !command_line::is_arg_defaulted(vm, arg_rpc_ssl))
{
MERROR("Invalid argument for " << std::string(arg_rpc_ssl.name));
return false;
if (!epee::net_utils::ssl_support_from_string(rpc_ssl_support, rpc_ssl))
{
MERROR("Invalid argument for " << std::string(arg_rpc_ssl.name));
return false;
}
}
std::vector<std::vector<uint8_t>> allowed_fingerprints{ rpc_ssl_allowed_fingerprints.size() };