New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Sample for proper handling of loading root certificates #2194
Comments
Handling of root certificates is unfortunately OS-specific. I'm happy to do what I can to help you research what you need for your use case. |
Thank you for offering your help - It's greatly appreciated. BackgroundThe scenario: After reading some documentation/posts/mails from Vinnie I understood that boost.beast is a low-level HTTP & WS library and is intended to stay this way. Furthermore, Vinnie actively hopes that somebody will eventually provide a higher-level library on top of boost beast. I am going to attempt that. Therefore, the goal is to write a library which:
To reach this goal, eventually handling certificates properly is important. I would like to already gather information on this to get a better picture of the situation before actually starting to commit to a specific design or solution - although I have the feeling that there won't be a lot of room for decisions. The problem at handBasically I need to design a piece of C++ code which loads the root certificates provided by the underlying OS. This will inherently be OS dependent code as you pointed out. Unstructured brabblingSo, where to go from here? Can you provide me with rough guidelines regarding what I should be looking for/at? Lets start simple: I came across the existence of
How far does this get us? Is this a full implementation that already handles the underlying operating system implementation or does this only get us so far? To get back to boost.beast: If I understand correctly there's not really anything that needs to happen on the boost.beast side, right? Everything encryption related would directly be handled by boost.asio? Therefore, I also assume that there's no API or other functionality that ships with boost.beast that I have missed so far which would further help to get a step closer to the overall goal? Based on my very short & limited research it also seems like OpenSSL would handle most of the ugly stuff for us. Therefore, it should be possible to just ask OpenSSL to handle the certificate loading and pass the necessary information over to either boost.asio or boost.beast. But if that would be the case - surely this functionality would already ship with either boost.beast or boost.asio? What would helpThe above most likely contains a lot of unnecessary information for you - it's more to be sure that the overall scenario is known.
|
@madmongo1 bump |
Most functions on ssl::context are passthroughs to underlying openssl functions. https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_set_default_verify_paths.html This will almost certainly not load the system root certificates on windows or macos. I think some OS-specific trickery will be needed to load the certificates into memory. These can then be submitted to asio/openssl with |
@Tectu , please check out this github project: https://github.com/djarek/certify A short snippet from my codebase that illustrates usage: // verify SSL context
{
ssl_ctx.set_verify_mode(boost::asio::ssl::verify_peer | boost::asio::ssl::context::verify_fail_if_no_peer_cert);
ssl_ctx.set_default_verify_paths();
boost::certify::enable_native_https_server_verification(ssl_ctx);
} |
This looks very promising. I'll give that a try once I tackle this. |
Using the |
As the example under
/example/common/root_certificates.hpp
states, root certificates should be loaded through whatever mechanism the underlying OS provides.Is there any kind of sample code, snippet or even just a guideline to illustrate how to properly do this? It seems that beast does provide some higher-level API for this which in turn relies on OpenSSL. However, I couldn't spot a full example / proper documentation (other than the API).
I came across a few "blog post" talking about this but what I've seen doesn't inspire a lot of confidence. I'd like to find some sort of example or guideline preferably by beast itself or at least by somebody who has the experience of building real-world production ready applications rather than some copy-pasted together blog post.
Are there any resources that are of value you guys can point me at?
The text was updated successfully, but these errors were encountered: