From f72bfc9df2684e9d74aa06f0ff123010cec83d59 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrien=20B=C3=A9raud?= <adrien.beraud@savoirfairelinux.com>
Date: Fri, 19 Jun 2020 15:21:17 -0400
Subject: [PATCH] http: use hostname for certificate authentication

---
 include/opendht/http.h |  2 +-
 src/http.cpp           | 18 ++++++++----------
 2 files changed, 9 insertions(+), 11 deletions(-)

diff --git a/include/opendht/http.h b/include/opendht/http.h
index 237c6318..cd533c8d 100644
--- a/include/opendht/http.h
+++ b/include/opendht/http.h
@@ -95,7 +95,7 @@ public:
     bool is_open() const;
     bool is_ssl() const;
 
-    void set_ssl_verification(const asio::ip::tcp::endpoint& endpoint, const asio::ssl::verify_mode verify_mode);
+    void set_ssl_verification(const std::string& hostname, const asio::ssl::verify_mode verify_mode);
 
     asio::streambuf& input();
     std::istream& data() { return istream_; }
diff --git a/src/http.cpp b/src/http.cpp
index 5c85e372..f4100a2b 100644
--- a/src/http.cpp
+++ b/src/http.cpp
@@ -76,7 +76,7 @@ Connection::Connection(asio::io_context& ctx, const bool ssl, std::shared_ptr<dh
     : id_(Connection::ids_++), ctx_(ctx), istream_(&read_buf_), logger_(l)
 {
     if (ssl){
-        ssl_ctx_ = std::make_shared<asio::ssl::context>(asio::ssl::context::sslv23);
+        ssl_ctx_ = std::make_shared<asio::ssl::context>(asio::ssl::context::tls_client);
         ssl_ctx_->set_default_verify_paths();
         ssl_ctx_->set_verify_mode(asio::ssl::verify_none);
         ssl_socket_ = std::make_unique<ssl_socket_t>(ctx_, ssl_ctx_);
@@ -94,7 +94,7 @@ Connection::Connection(asio::io_context& ctx, std::shared_ptr<dht::crypto::Certi
                        const dht::crypto::Identity& identity, std::shared_ptr<dht::Logger> l)
     : id_(Connection::ids_++), ctx_(ctx), istream_(&read_buf_), logger_(l)
 {
-    ssl_ctx_ = std::make_shared<asio::ssl::context>(asio::ssl::context::sslv23);
+    ssl_ctx_ = std::make_shared<asio::ssl::context>(asio::ssl::context::tls_client);
     ssl_ctx_->set_default_verify_paths();
     asio::error_code ec;
     if (server_ca){
@@ -160,15 +160,13 @@ Connection::is_ssl() const
 }
 
 void
-Connection::set_ssl_verification(const asio::ip::tcp::endpoint& endpoint, const asio::ssl::verify_mode verify_mode)
+Connection::set_ssl_verification(const std::string& hostname, const asio::ssl::verify_mode verify_mode)
 {
     std::lock_guard<std::mutex> lock(mutex_);
     if (ssl_socket_ and verify_mode != asio::ssl::verify_none) {
         ssl_socket_->asio_ssl_stream().set_verify_mode(verify_mode);
         ssl_socket_->asio_ssl_stream().set_verify_callback([
-                id = id_,
-                logger = logger_,
-                hostname = endpoint.address().to_string()
+                id = id_, logger = logger_, hostname
             ] (bool preverified, asio::ssl::verify_context& ctx) -> bool {
                 if (logger)
                     logger->d("[connection:%i] verify %s compliance to RFC 2818", id, hostname.c_str());
@@ -784,8 +782,8 @@ Request::connect(std::vector<asio::ip::tcp::endpoint>&& endpoints, HandlerCb cb)
             eps.append(endpoint.address().to_string() + ":" + std::to_string(endpoint.port()) + " ");
         logger_->d("[http:request:%i] connect begin: %s", id_, eps.c_str());
     }
-    if (get_url().protocol == "https"){
-        if (server_ca_)
+    if (get_url().protocol == "https") {
+        if (server_ca_ or client_identity_.first)
             conn_ = std::make_shared<Connection>(ctx_, server_ca_, client_identity_, logger_);
         else
             conn_ = std::make_shared<Connection>(ctx_, true/*ssl*/, logger_);
@@ -823,10 +821,10 @@ Request::connect(std::vector<asio::ip::tcp::endpoint>&& endpoints, HandlerCb cb)
 
             if (url.protocol == "https") {
                 if (this_.server_ca_)
-                    this_.conn_->set_ssl_verification(endpoint, asio::ssl::verify_peer
+                    this_.conn_->set_ssl_verification(url.host, asio::ssl::verify_peer
                                                           | asio::ssl::verify_fail_if_no_peer_cert);
 
-                if (this_.conn_ and this_.conn_->is_open() and this_.conn_->is_ssl()){
+                if (this_.conn_ and this_.conn_->is_open() and this_.conn_->is_ssl()) {
                     this_.conn_->async_handshake([id = this_.id_, cb, logger = this_.logger_](const asio::error_code& ec){
                         if (ec == asio::error::operation_aborted)
                             return;
-- 
GitLab