walkero
/
nghttp2
1
0
Fork 0
Code Issues Pull Requests Projects Releases 1 Wiki Activity

Merge branch 'nghttp-verify-server-certificate'

This commit is contained in:
Tatsuhiro Tsujikawa 2017-04-06 20:17:29 +09:00
parent 7d53866157 7ae0b2dc09
commit 5c9f46a6b0
1 changed files with 27 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
src/nghttp.cc
View File

@ -646,6 +646,11 @@ int HttpClient::resolve_host(const std::string &host, uint16_t port) {
return 0; return 0;
} }
namespace {
// Just returns 1 to continue handshake.
int verify_cb(int preverify_ok, X509_STORE_CTX *ctx) { return 1; }
} // namespace
int HttpClient::initiate_connection() { int HttpClient::initiate_connection() {
int rv; int rv;
@ -675,6 +680,17 @@ int HttpClient::initiate_connection() {
const auto &host_string = const auto &host_string =
config.host_override.empty() ? host : config.host_override; config.host_override.empty() ? host : config.host_override;
#if (!defined(LIBRESSL_VERSION_NUMBER) && \
OPENSSL_VERSION_NUMBER >= 0x10002000L) || \
defined(OPENSSL_IS_BORINGSSL)
auto param = SSL_get0_param(ssl);
X509_VERIFY_PARAM_set_hostflags(param, 0);
X509_VERIFY_PARAM_set1_host(param, host_string.c_str(),
host_string.size());
#endif // (!defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >=
// 0x10002000L) || defined(OPENSSL_IS_BORINGSSL)
SSL_set_verify(ssl, SSL_VERIFY_PEER, verify_cb);
if (!util::numeric_host(host_string.c_str())) { if (!util::numeric_host(host_string.c_str())) {
SSL_set_tlsext_host_name(ssl, host_string.c_str()); SSL_set_tlsext_host_name(ssl, host_string.c_str());
} }
@ -1295,6 +1311,12 @@ int HttpClient::tls_handshake() {
readfn = &HttpClient::read_tls; readfn = &HttpClient::read_tls;
writefn = &HttpClient::write_tls; writefn = &HttpClient::write_tls;
auto verify_res = SSL_get_verify_result(ssl);
if (verify_res != X509_V_OK) {
std::cerr << "[WARNING] Certificate verification failed: "
<< X509_verify_cert_error_string(verify_res) << std::endl;
}
if (connection_made() != 0) { if (connection_made() != 0) {
return -1; return -1;
} }
@ -2247,6 +2269,11 @@ int communicate(
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY); SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS); SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
if (SSL_CTX_set_default_verify_paths(ssl_ctx) != 1) {
std::cerr << "[WARNING] Could not load system trusted CA certificates: "
<< ERR_error_string(ERR_get_error(), nullptr) << std::endl;
}
if (nghttp2::tls::ssl_ctx_set_proto_versions( if (nghttp2::tls::ssl_ctx_set_proto_versions(
ssl_ctx, nghttp2::tls::NGHTTP2_TLS_MIN_VERSION, ssl_ctx, nghttp2::tls::NGHTTP2_TLS_MIN_VERSION,
nghttp2::tls::NGHTTP2_TLS_MAX_VERSION) != 0) { nghttp2::tls::NGHTTP2_TLS_MAX_VERSION) != 0) {