Merge pull request #8909
aed36a2
Set SSL SNI even when server verification is disabled (Lee *!* Clagett)
This commit is contained in:
commit
1eb1162923
1 changed files with 8 additions and 5 deletions
@ -496,6 +496,13 @@ void ssl_options_t::configure(
|
||||||
const std::string& host) const
|
const std::string& host) const
|
||||||
{
|
{
|
||||||
socket.next_layer().set_option(boost::asio::ip::tcp::no_delay(true));
|
socket.next_layer().set_option(boost::asio::ip::tcp::no_delay(true));
|
||||||
|
{
|
||||||
|
// in case server is doing "virtual" domains, set hostname
|
||||||
|
SSL* const ssl_ctx = socket.native_handle();
|
||||||
|
if (type == boost::asio::ssl::stream_base::client && !host.empty() && ssl_ctx)
|
||||||
|
SSL_set_tlsext_host_name(ssl_ctx, host.c_str());
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
/* Using system-wide CA store for client verification is funky - there is
|
/* Using system-wide CA store for client verification is funky - there is
|
||||||
no expected hostname for server to verify against. If server doesn't have
|
no expected hostname for server to verify against. If server doesn't have
|
||||||
|
@ -513,11 +520,7 @@ void ssl_options_t::configure(
|
||||||
{
|
{
|
||||||
socket.set_verify_mode(boost::asio::ssl::verify_peer | boost::asio::ssl::verify_fail_if_no_peer_cert);
|
socket.set_verify_mode(boost::asio::ssl::verify_peer | boost::asio::ssl::verify_fail_if_no_peer_cert);
|
||||||
|
|
||||||
// in case server is doing "virtual" domains, set hostname
|
|
||||||
SSL* const ssl_ctx = socket.native_handle();
|
|
||||||
if (type == boost::asio::ssl::stream_base::client && !host.empty() && ssl_ctx)
|
|
||||||
SSL_set_tlsext_host_name(ssl_ctx, host.c_str());
|
|
||||||
|
|
||||||
socket.set_verify_callback([&](const bool preverified, boost::asio::ssl::verify_context &ctx)
|
socket.set_verify_callback([&](const bool preverified, boost::asio::ssl::verify_context &ctx)
|
||||||
{
|
{
|
||||||
// preverified means it passed system or user CA check. System CA is never loaded
|
// preverified means it passed system or user CA check. System CA is never loaded
|
||||||
|
|
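Review bot: The SNI extension is now sent for any non-empty `host` (first hunk, the `SSL_set_tlsext_host_name` call), including IP-address literals, which RFC 6066 §3 does not permit in the server_name field; the callers of configure() are not visible here, so if an address is ever passed the ClientHello becomes non-conforming and some servers reject it. A cheap guard is to resolve the literal first, e.g. `boost::system::error_code ec; boost::asio::ip::make_address(host, ec);` and only set the name when `ec` is set (i.e. `host` is not an address). The return value of `SSL_set_tlsext_host_name` is also dropped, and since this path now runs with peer verification disabled as well, a failure to attach the name is silent; `if (!SSL_set_tlsext_host_name(ssl_ctx, host.c_str())) { /* log: SNI not set for host */ }` would surface it. The variable is an `SSL*`, not an `SSL_CTX*`, so naming it `ssl` rather than `ssl_ctx` would read more accurately; the second hunk only removes the old copy of the same code. The enclosing configure() begins above this hunk and its body continues past the second hunk.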