Fix the insecure bug not verifying remote host name for TLS egress
- Verify nothing if 'insecure' field is true
- Verify only with the CA file if it's specified
- Otherwise, verify according to RFC 2818
pichi-router committed Mar 9, 2020
2 parents 899173a + 7d890a7 commit 4698664
Showing 2 changed files with 10 additions and 2 deletions.
3 changes: 3 additions & 0 deletions CMakeLists.txt
Expand Up @@ -22,6 +22,9 @@ if (ENABLE_TLS)
find_package(OpenSSL REQUIRED)
include_directories(${OPENSSL_INCLUDE_DIR})
link_libraries(${OPENSSL_LIBRARIES} ${CMAKE_DL_LIBS})
if (WIN32 AND STATIC_LINK)
link_libraries(crypt32)
endif ()
endif ()

include(Configure)
9 changes: 7 additions & 2 deletions src/net/asio.cpp
Expand Up @@ -27,6 +27,7 @@

#ifdef ENABLE_TLS
#include <boost/asio/ssl/context.hpp>
#include <boost/asio/ssl/rfc2818_verification.hpp>
#include <boost/asio/ssl/stream.hpp>
#endif // ENABLE_TLS

Expand Down Expand Up @@ -56,11 +57,15 @@ static auto createTlsContext(api::EgressVO const& vo)
auto ctx = ssl::context{ssl::context::tls_client};
if (*vo.insecure_) {
ctx.set_verify_mode(ssl::context::verify_none);
return ctx;
}

ctx.set_verify_mode(ssl::context::verify_peer);
if (vo.caFile_.has_value())
ctx.load_verify_file(*vo.caFile_);
else {
ctx.set_verify_mode(ssl::context::verify_peer);
ctx.set_default_verify_paths();
if (vo.caFile_.has_value()) ctx.load_verify_file(*vo.caFile_);
ctx.set_verify_callback(ssl::rfc2818_verification{*vo.host_});
}
return ctx;
}
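Review bot: In the `caFile_` branch (the `if (vo.caFile_.has_value())` / `load_verify_file` lines) the new code never installs the `rfc2818_verification` callback, so any certificate chaining to that CA is accepted for any host name — the same class of bug the commit title fixes, only narrowed to the CA-file configuration, and a private or shared CA routinely signs more than one server. The host-name check should apply in both branches and only the trust store should differ: move `ctx.set_verify_callback(ssl::rfc2818_verification{*vo.host_});` to directly after the `set_verify_mode(ssl::context::verify_peer)` line and reduce the `else` block to `ctx.set_default_verify_paths();`. Both `*vo.insecure_` and `*vo.host_` are dereferenced without a `has_value()` check; if either optional can be empty when this runs (not visible from the hunk) that is undefined behaviour rather than a clean verification failure, so a comment such as `// caller guarantees insecure_ and host_ are populated` or an explicit check is warranted. Newer Boost releases deprecate `rfc2818_verification` in favour of `ssl::host_name_verification`; a note marking the swap point would help when the minimum Boost version is raised. createTlsContext's signature appears only in the hunk header; its opening line precedes the hunk.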
