From f72bfc9df2684e9d74aa06f0ff123010cec83d59 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrien=20B=C3=A9raud?= <adrien.beraud@savoirfairelinux.com>
Date: Fri, 19 Jun 2020 15:21:17 -0400
Subject: [PATCH] http: use hostname for certificate authentication
---
include/opendht/http.h | 2 +-
src/http.cpp | 18 ++++++++----------
2 files changed, 9 insertions(+), 11 deletions(-)
diff --git a/include/opendht/http.h b/include/opendht/http.h
index 237c6318..cd533c8d 100644
--- a/include/opendht/http.h
+++ b/include/opendht/http.h
@@ -95,7 +95,7 @@ public:
bool is_open() const;
bool is_ssl() const;
- void set_ssl_verification(const asio::ip::tcp::endpoint& endpoint, const asio::ssl::verify_mode verify_mode);
+ void set_ssl_verification(const std::string& hostname, const asio::ssl::verify_mode verify_mode);
asio::streambuf& input();
std::istream& data() { return istream_; }
diff --git a/src/http.cpp b/src/http.cpp
index 5c85e372..f4100a2b 100644
--- a/src/http.cpp
+++ b/src/http.cpp
@@ -76,7 +76,7 @@ Connection::Connection(asio::io_context& ctx, const bool ssl, std::shared_ptr<dh
: id_(Connection::ids_++), ctx_(ctx), istream_(&read_buf_), logger_(l)
{
if (ssl){
- ssl_ctx_ = std::make_shared<asio::ssl::context>(asio::ssl::context::sslv23);
+ ssl_ctx_ = std::make_shared<asio::ssl::context>(asio::ssl::context::tls_client);
ssl_ctx_->set_default_verify_paths();
ssl_ctx_->set_verify_mode(asio::ssl::verify_none);
ssl_socket_ = std::make_unique<ssl_socket_t>(ctx_, ssl_ctx_);
@@ -94,7 +94,7 @@ Connection::Connection(asio::io_context& ctx, std::shared_ptr<dht::crypto::Certi
const dht::crypto::Identity& identity, std::shared_ptr<dht::Logger> l)
: id_(Connection::ids_++), ctx_(ctx), istream_(&read_buf_), logger_(l)
{
- ssl_ctx_ = std::make_shared<asio::ssl::context>(asio::ssl::context::sslv23);
+ ssl_ctx_ = std::make_shared<asio::ssl::context>(asio::ssl::context::tls_client);
ssl_ctx_->set_default_verify_paths();
asio::error_code ec;
if (server_ca){
@@ -160,15 +160,13 @@ Connection::is_ssl() const
}
void
-Connection::set_ssl_verification(const asio::ip::tcp::endpoint& endpoint, const asio::ssl::verify_mode verify_mode)
+Connection::set_ssl_verification(const std::string& hostname, const asio::ssl::verify_mode verify_mode)
{
std::lock_guard<std::mutex> lock(mutex_);
if (ssl_socket_ and verify_mode != asio::ssl::verify_none) {
ssl_socket_->asio_ssl_stream().set_verify_mode(verify_mode);
ssl_socket_->asio_ssl_stream().set_verify_callback([
- id = id_,
- logger = logger_,
- hostname = endpoint.address().to_string()
+ id = id_, logger = logger_, hostname
] (bool preverified, asio::ssl::verify_context& ctx) -> bool {
if (logger)
logger->d("[connection:%i] verify %s compliance to RFC 2818", id, hostname.c_str());
@@ -784,8 +782,8 @@ Request::connect(std::vector<asio::ip::tcp::endpoint>&& endpoints, HandlerCb cb)
eps.append(endpoint.address().to_string() + ":" + std::to_string(endpoint.port()) + " ");
logger_->d("[http:request:%i] connect begin: %s", id_, eps.c_str());
}
- if (get_url().protocol == "https"){
- if (server_ca_)
+ if (get_url().protocol == "https") {
+ if (server_ca_ or client_identity_.first)
conn_ = std::make_shared<Connection>(ctx_, server_ca_, client_identity_, logger_);
else
conn_ = std::make_shared<Connection>(ctx_, true/*ssl*/, logger_);
@@ -823,10 +821,10 @@ Request::connect(std::vector<asio::ip::tcp::endpoint>&& endpoints, HandlerCb cb)
if (url.protocol == "https") {
if (this_.server_ca_)
- this_.conn_->set_ssl_verification(endpoint, asio::ssl::verify_peer
+ this_.conn_->set_ssl_verification(url.host, asio::ssl::verify_peer
| asio::ssl::verify_fail_if_no_peer_cert);
- if (this_.conn_ and this_.conn_->is_open() and this_.conn_->is_ssl()){
+ if (this_.conn_ and this_.conn_->is_open() and this_.conn_->is_ssl()) {
this_.conn_->async_handshake([id = this_.id_, cb, logger = this_.logger_](const asio::error_code& ec){
if (ec == asio::error::operation_aborted)
return;
--
GitLab