
feat(core): Peer verification on TLS connections #52

Merged
merged 3 commits into from Jun 12, 2020

Conversation

@the-nic (Contributor) commented May 14, 2020

Up to now, the peer certificates in TLS connections have not been verified after establishing the connection to the host. This is not very good practice, as it allows for man-in-the-middle attacks even if the connection is being established.

Therefore, extend NGActiveSSLSocket to enable peer verification for OpenSSL and GnuTLS.
Both will reuse the default CA root trust store in order to verify the certificate.

As an addition, also send Server Name Indications to the peer, which allows the server we are connecting to, to choose the right certificate.

Fixes #5019

@the-nic the-nic changed the title fix(core): Peer verification on TLS connections feat(core): Peer verification on TLS connections May 14, 2020
@the-nic (Contributor, Author) commented Jun 9, 2020

@cgx @extrafu Is there interest in merging/reviewing this? If there are changes needed, I can implement them, but IMHO this is quite important if you want to rely on TLS connections.

@extrafu (Contributor) commented Jun 9, 2020

I'll have a look at it this week. Thanks!

Commit messages:

To improve TLS handshake performance, disable the Nagle algorithm on the underlying socket.

Load system default CA trust store and verify the hostname of the endpoint. Simplify the SSL setup by reducing duplicate initialization code.

Require a host name argument now to be able to compare the host names with.

Fixes #5019

Implement peer verification for TLS connections also for GnuTLS. It will load the default system CA root store, and also send the Server Name Indication (SNI).

Fixes #5019
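The client-side hardening that the PR description and the commit messages above spell out (system CA root store, mandatory peer verification, hostname matching, SNI, a required host name argument, and TCP_NODELAY for the handshake), shown as an added example in Python's `ssl` module, which wraps OpenSSL. This is not SOGo/SOPE code; all function names and the host name are hypothetical, and the loopback connection is constructed so the result can be inspected offline without a server certificate.

```python
"""Weak versus verified TLS client setup, mirroring the PR's changes.

Added example (not project code).  The ssl module calls map onto the
OpenSSL calls the PR would use: CERT_REQUIRED ~ SSL_VERIFY_PEER,
load_default_certs ~ SSL_CTX_set_default_verify_paths, check_hostname ~
SSL_set1_host, server_hostname ~ SSL_set_tlsext_host_name (SNI).
"""
import socket
import ssl


def make_unverified_context() -> ssl.SSLContext:
    """The 'before' state: any certificate is accepted, so an on-path attacker
    presenting its own certificate completes the handshake unnoticed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # OpenSSL SSL_VERIFY_NONE
    return ctx


def make_verified_context() -> ssl.SSLContext:
    """The hardened state: trust only the system CA root store, require a
    chain to it, and match the peer certificate against the target host."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED                # SSL_VERIFY_PEER
    ctx.check_hostname = True                          # hostname must match cert
    ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)    # system CA trust store
    return ctx


def wrap_client(ctx: ssl.SSLContext, sock: socket.socket, host: str) -> ssl.SSLSocket:
    """Attach TLS to an already-connected TCP socket.

    `host` is mandatory: it is sent as SNI so the server can choose the right
    certificate, and it is the name the certificate is verified against.
    The handshake is deferred so the caller decides when network I/O happens."""
    if not host:
        raise ValueError("a host name is required for SNI and hostname verification")
    # Nagle would hold back the small handshake records; turn it off first.
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
    return ctx.wrap_socket(sock, server_hostname=host, do_handshake_on_connect=False)


def loopback_pair():
    """Constructed loopback TCP connection (hypothetical helper) so the wrapped
    socket can be inspected without any real server."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    client = socket.create_connection(listener.getsockname())
    server, _ = listener.accept()
    listener.close()
    return client, server


def inspect_wrapping(host: str = "mail.example.com") -> dict:
    """Wrap a loopback socket with the verified context and report what the
    connection would present to the peer (SNI) and enforce on its reply."""
    client, server = loopback_pair()
    tls = None
    try:
        tls = wrap_client(make_verified_context(), client, host)
        return {
            "sni": tls.server_hostname,
            "nodelay": tls.getsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY),
            "verify": tls.context.verify_mode == ssl.CERT_REQUIRED,
            "hostcheck": tls.context.check_hostname,
        }
    finally:
        (tls if tls is not None else client).close()
        server.close()


if __name__ == "__main__":
    print(inspect_wrapping())
```

Because `check_hostname` is set, `wrap_socket` itself refuses a missing `server_hostname`, so the requirement for a host name argument is enforced by the library as well as by `wrap_client`; a real connection would then call `do_handshake()` and let the `ssl.SSLCertVerificationError` surface as a failed connection rather than silently proceeding.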
@extrafu extrafu merged commit 0331616 into Alinto:master Jun 12, 2020
@the-nic the-nic deleted the bugfix/5019-tls-hostname branch June 14, 2020 13:01