Commit Graph

32 Commits

Author SHA1 Message Date
Lee Clagett
21eb1b0725 Pass SSL arguments via one class and use shared_ptr instead of reference 2019-04-07 00:44:37 -04:00
Lee Clagett
a3b0284837 Change SSL certificate file list to OpenSSL builtin load_verify_location
Specifying SSL certificates for peer verification does an exact match,
making it a not-so-obvious alias for the fingerprints option. This
changes the checks to OpenSSL which loads concatenated certificate(s)
from a single file and does a certificate-authority (chain of trust)
check instead. There is no drop in security - a compromised exact match
fingerprint has the same worse case failure. There is increased security
in allowing separate long-term CA key and short-term SSL server keys.

This also removes loading of the system-default CA files if a custom
CA file or certificate fingerprint is specified.
2019-04-06 23:47:06 -04:00
Riccardo Spagni
38317f384c
Merge pull request #5348
59776a64 epee: some more minor JSON parsing speedup (moneromooo-monero)
2019-04-06 16:00:18 +02:00
moneromooo-monero
59776a64ff
epee: some more minor JSON parsing speedup 2019-03-25 14:29:29 +00:00
Lee Clagett
7acfa9f3cc Added socks proxy (tor/i2pd/kovri) support to wallet 2019-03-25 01:35:13 +00:00
Martijn Otto
057c279cb4
epee: add SSL support
RPC connections now have optional tranparent SSL.

An optional private key and certificate file can be passed,
using the --{rpc,daemon}-ssl-private-key and
--{rpc,daemon}-ssl-certificate options. Those have as
argument a path to a PEM format private private key and
certificate, respectively.
If not given, a temporary self signed certificate will be used.

SSL can be enabled or disabled using --{rpc}-ssl, which
accepts autodetect (default), disabled or enabled.

Access can be restricted to particular certificates using the
--rpc-ssl-allowed-certificates, which takes a list of
paths to PEM encoded certificates. This can allow a wallet to
connect to only the daemon they think they're connected to,
by forcing SSL and listing the paths to the known good
certificates.

To generate long term certificates:

openssl genrsa -out /tmp/KEY 4096
openssl req -new -key /tmp/KEY -out /tmp/REQ
openssl x509 -req -days 999999 -sha256 -in /tmp/REQ -signkey /tmp/KEY -out /tmp/CERT

/tmp/KEY is the private key, and /tmp/CERT is the certificate,
both in PEM format. /tmp/REQ can be removed. Adjust the last
command to set expiration date, etc, as needed. It doesn't
make a whole lot of sense for monero anyway, since most servers
will run with one time temporary self signed certificates anyway.

SSL support is transparent, so all communication is done on the
existing ports, with SSL autodetection. This means you can start
using an SSL daemon now, but you should not enforce SSL yet or
nothing will talk to you.
2019-03-05 14:16:08 +01:00
moneromooo-monero
2456945408
epee: add SSL support
RPC connections now have optional tranparent SSL.

An optional private key and certificate file can be passed,
using the --{rpc,daemon}-ssl-private-key and
--{rpc,daemon}-ssl-certificate options. Those have as
argument a path to a PEM format private private key and
certificate, respectively.
If not given, a temporary self signed certificate will be used.

SSL can be enabled or disabled using --{rpc}-ssl, which
accepts autodetect (default), disabled or enabled.

Access can be restricted to particular certificates using the
--rpc-ssl-allowed-certificates, which takes a list of
paths to PEM encoded certificates. This can allow a wallet to
connect to only the daemon they think they're connected to,
by forcing SSL and listing the paths to the known good
certificates.

To generate long term certificates:

openssl genrsa -out /tmp/KEY 4096
openssl req -new -key /tmp/KEY -out /tmp/REQ
openssl x509 -req -days 999999 -sha256 -in /tmp/REQ -signkey /tmp/KEY -out /tmp/CERT

/tmp/KEY is the private key, and /tmp/CERT is the certificate,
both in PEM format. /tmp/REQ can be removed. Adjust the last
command to set expiration date, etc, as needed. It doesn't
make a whole lot of sense for monero anyway, since most servers
will run with one time temporary self signed certificates anyway.

SSL support is transparent, so all communication is done on the
existing ports, with SSL autodetection. This means you can start
using an SSL daemon now, but you should not enforce SSL yet or
nothing will talk to you.
2019-02-02 20:05:33 +00:00
Dimitris Apostolou
57c0b1ed9f Fix typos in various files 2018-03-15 18:25:38 +02:00
moneromooo-monero
bd1f6029a3
http_client: rewrite header parsing manually for speed
boost::regex is stupendously atrocious at parsing malformed data
2017-12-23 11:29:58 +00:00
moneromooo-monero
f1bdc9a42a
tests: add http client fuzz test 2017-12-23 11:29:52 +00:00
moneromooo-monero
09ce03d612
move includes around to lessen overall load 2017-12-16 22:46:38 +00:00
Riccardo Spagni
5de492be40
Merge pull request #2629
383ff4f6 remove "using namespace std" from headers (moneromooo-monero)
2017-11-14 21:29:49 +02:00
moneromooo-monero
383ff4f689
remove "using namespace std" from headers
It's nasty, and actually breaks on Solaris, where if.h fails to
build due to:

  struct map *if_memmap;
2017-11-14 16:56:10 +00:00
Tim L
0bf0915446 Fix file permission issue
This branch fixes a file permission issue introduced by 69c37200aa
2017-11-03 11:27:50 -04:00
Tim L
69c37200aa RPC Add cross origin resource sharing support 2017-10-30 13:55:56 -04:00
Jaquee
1cf940f2a1 epee http_client SSL support 2017-10-15 17:29:04 +02:00
moneromooo-monero
333f70120c
http_client: add getters for host and port 2017-08-22 12:00:21 +01:00
moneromooo-monero
9bf017edf2
http_client: allow cancelling a download 2017-03-05 16:23:34 +00:00
moneromooo-monero
0d90123cac
http_client: allow derived class to get headers at start 2017-03-05 16:23:29 +00:00
moneromooo-monero
efb72e74e2
http_client: add a couple consts 2017-02-20 22:58:21 +00:00
Lee Clagett
ce7fcbb4ae Add server auth to monerod, and client auth to wallet-cli and wallet-rpc 2017-02-06 01:15:41 -05:00
Lee Clagett
c02e1cb943 Updates to epee HTTP client code
- http_simple_client now uses std::chrono for timeouts
  - http_simple_client accepts timeouts per connect / invoke call
  - shortened names of epee http invoke functions
  - invoke command functions only take relative path, connection
    is not automatically performed
2017-01-25 15:39:32 -05:00
moneromooo-monero
5833d66f65
Change logging to easylogging++
This replaces the epee and data_loggers logging systems with
a single one, and also adds filename:line and explicit severity
levels. Categories may be defined, and logging severity set
by category (or set of categories). epee style 0-4 log level
maps to a sensible severity configuration. Log files now also
rotate when reaching 100 MB.

To select which logs to output, use the MONERO_LOGS environment
variable, with a comma separated list of categories (globs are
supported), with their requested severity level after a colon.
If a log matches more than one such setting, the last one in
the configuration string applies. A few examples:

This one is (mostly) silent, only outputting fatal errors:

MONERO_LOGS=*:FATAL

This one is very verbose:

MONERO_LOGS=*:TRACE

This one is totally silent (logwise):

MONERO_LOGS=""

This one outputs all errors and warnings, except for the
"verify" category, which prints just fatal errors (the verify
category is used for logs about incoming transactions and
blocks, and it is expected that some/many will fail to verify,
hence we don't want the spam):

MONERO_LOGS=*:WARNING,verify:FATAL

Log levels are, in decreasing order of priority:
FATAL, ERROR, WARNING, INFO, DEBUG, TRACE

Subcategories may be added using prefixes and globs. This
example will output net.p2p logs at the TRACE level, but all
other net* logs only at INFO:

MONERO_LOGS=*:ERROR,net*:INFO,net.p2p:TRACE

Logs which are intended for the user (which Monero was using
a lot through epee, but really isn't a nice way to go things)
should use the "global" category. There are a few helper macros
for using this category, eg: MGINFO("this shows up by default")
or MGINFO_RED("this is red"), to try to keep a similar look
and feel for now.

Existing epee log macros still exist, and map to the new log
levels, but since they're used as a "user facing" UI element
as much as a logging system, they often don't map well to log
severities (ie, a log level 0 log may be an error, or may be
something we want the user to see, such as an important info).
In those cases, I tried to use the new macros. In other cases,
I left the existing macros in. When modifying logs, it is
probably best to switch to the new macros with explicit levels.

The --log-level options and set_log commands now also accept
category settings, in addition to the epee style log levels.
2017-01-16 00:25:46 +00:00
moneromooo-monero
d9001b43ac
epee: add functions to convert from URL format (ie, %XX values) 2016-11-28 17:54:16 +00:00
moneromooo-monero
eeb2bbc0fc
epee: optionally restrict HTTP service to a configurable user agent
This is intended to catch traffic coming from a web browser,
so we avoid issues with a web page sending a transfer RPC to
the wallet. Requiring a particular user agent can act as a
simple password scheme, while we wait for 0MQ and proper
authentication to be merged.
2016-09-18 20:32:02 +01:00
Henning Kopp
9abc4b831b more typos fixed 2016-01-25 13:42:44 +01:00
Riccardo Spagni
f4b69d553a
year updated in license 2015-01-02 18:52:46 +02:00
fluffypony
32f9d2b783 move modified epee code to new classes, revert license 2014-07-25 18:29:08 +02:00
fluffypony
6fc995fe5d License updated to BSD 3-clause 2014-07-23 15:03:52 +02:00
mydesktop
333f975760 initial [broken] update 2014-05-03 12:19:43 -04:00
Antonio Juarez
29c2859a3e json rpc for wallet and bugfix 2014-04-02 17:00:17 +01:00
Antonio Juarez
296ae46ed8 moved all stuff to github 2014-03-03 22:07:58 +00:00