mirror of
https://codeberg.org/anoncontributorxmr/monero.git
synced 2024-11-27 05:13:25 +01:00
Add verify_fail_if_no_cert
option for proper client authentication
Using `verify_peer` on server side requests a certificate from the client. If no certificate is provided, the server silently accepts the connection and rejects if the client sends an unexpected certificate. Adding `verify_fail_if_no_cert` has no affect on client and for server requires that the peer sends a certificate or fails the handshake. This is the desired behavior when the user specifies a fingerprint or CA file.
This commit is contained in:
parent
21eb1b0725
commit
96d602ac84
@ -330,7 +330,7 @@ bool ssl_options_t::handshake(boost::asio::ssl::stream<boost::asio::ip::tcp::soc
|
|||||||
socket.set_verify_mode(boost::asio::ssl::verify_none);
|
socket.set_verify_mode(boost::asio::ssl::verify_none);
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
socket.set_verify_mode(boost::asio::ssl::verify_peer);
|
socket.set_verify_mode(boost::asio::ssl::verify_peer | boost::asio::ssl::verify_fail_if_no_peer_cert);
|
||||||
socket.set_verify_callback([&](bool preverified, boost::asio::ssl::verify_context &ctx)
|
socket.set_verify_callback([&](bool preverified, boost::asio::ssl::verify_context &ctx)
|
||||||
{
|
{
|
||||||
// preverified means it passed system or user CA check. System CA is never loaded
|
// preverified means it passed system or user CA check. System CA is never loaded
|
||||||
|
Loading…
Reference in New Issue
Block a user