asio: Clear up TLS peer verification

examples/asio-cl.cc

@@ -64,6 +64,8 @@ int main(int argc, char *argv[]) {
     boost::asio::io_service io_service;
 
     boost::asio::ssl::context tls_ctx(boost::asio::ssl::context::sslv23);
+    tls_ctx.set_default_verify_paths();
+    tls_ctx.set_verify_mode(boost::asio::ssl::verify_peer);
     configure_tls_context(tls_ctx);
 
     session sess(io_service, tls_ctx, "localhost", "3000");

src/asio_client_session_tls_impl.cc

@@ -33,6 +33,11 @@ session_tls_impl::session_tls_impl(boost::asio::io_service &io_service,
                                    const std::string &host,
                                    const std::string &service)
     : session_impl(io_service), socket_(io_service, tls_ctx) {
+  // this callback setting is no effect is
+  // ssl::context::set_verify_mode(boost::asio::ssl::verify_peer) is
+  // not used, which is what we want.
+  socket_.set_verify_callback(boost::asio::ssl::rfc2818_verification(host));
+
   start_resolve(host, service);
 }
 

src/asio_client_tls_context.cc

@@ -50,15 +50,6 @@ int client_select_next_proto_cb(SSL *ssl, unsigned char **out,
 void configure_tls_context(boost::asio::ssl::context &tls_ctx) {
   auto ctx = tls_ctx.native_handle();
 
-  SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
-                               SSL_OP_NO_COMPRESSION |
-                               SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
-
-  SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
-  SSL_CTX_set_mode(ctx, SSL_MODE_RELEASE_BUFFERS);
-
-  SSL_CTX_set_cipher_list(ctx, ssl::DEFAULT_CIPHER_LIST);
-
   SSL_CTX_set_next_proto_select_cb(ctx, client_select_next_proto_cb, nullptr);
 }
 

src/includes/nghttp2/asio_http2.h

@@ -372,6 +372,8 @@ private:
   std::unique_ptr<session_impl> impl_;
 };
 
+// configure |tls_ctx| for client use.  Currently, we just set NPN
+// callback for HTTP/2.
 void configure_tls_context(boost::asio::ssl::context &tls_ctx);
 
 } // namespace client