Git-Mirrors/monero
1
0
Fork 0
mirror of https://github.com/monero-project/monero.git synced 2025-06-05 04:19:08 -04:00
Code Issues Projects Releases Packages Wiki Activity

Perform RFC 2818 hostname verification in client SSL handshakes

Browse source 
If the verification mode is `system_ca`, clients will now do hostname
verification. Thus, only certificates from expected hostnames are
allowed when SSL is enabled. This can be overridden by forcible setting
the SSL mode to autodetect.

Clients will also send the hostname even when `system_ca` is not being
performed. This leaks possible metadata, but allows servers providing
multiple hostnames to respond with the correct certificate. One example
is cloudflare, which getmonero.org is currently using.
This commit is contained in:
Lee Clagett 2019-03-19 16:04:32 -04:00
parent 0416764cae
commit eca0fea45a
3 changed files with 26 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

2
contrib/epee/include/net/net_helper.h
View file

@ -174,7 +174,7 @@ namespace net_utils
// SSL Options
if (ssl_support == epee::net_utils::ssl_support_t::e_ssl_support_enabled || ssl_support == epee::net_utils::ssl_support_t::e_ssl_support_autodetect)
{
if (!m_ssl_options.handshake(*m_ssl_socket, boost::asio::ssl::stream_base::client))
if (!m_ssl_options.handshake(*m_ssl_socket, boost::asio::ssl::stream_base::client, addr))
{
if (ssl_support == epee::net_utils::ssl_support_t::e_ssl_support_autodetect)
{