author | Tor Brede Vekterli <vekterli@verizonmedia.com> | 2020-02-13 16:03:07 +0000 |
---|---|---|
committer | Tor Brede Vekterli <vekterli@verizonmedia.com> | 2020-02-17 16:40:26 +0000 |
commit | 79ef6b54da01e4819291ae10faa0fe5e832ac1a2 (patch) | |
tree | fbddd35a4d63f052a954a4bbfaf518beb959a293 /fbench | |
parent | 17c5ae02ee13cf47516788263aa1792414a8c6a6 (diff) |
Implement TLS client SNI and hostname validation in OpenSSL codec
Also adds `disable-hostname-validation` config entry to TLS JSON
config file parsing in C++.
For the time being, hostname validation is implicitly disabled
unless explicitly specified in the config file. This will be
gradually changed over to be implicitly enabled by default.
SNI is always sent when a valid connection spec is provided.
Diffstat (limited to 'fbench')
-rw-r--r-- | fbench/src/fbench/fbench.cpp | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/fbench/src/fbench/fbench.cpp b/fbench/src/fbench/fbench.cpp
index 91475ce2125..593ae30a0e5 100644
--- a/fbench/src/fbench/fbench.cpp
+++ b/fbench/src/fbench/fbench.cpp
@@ -86,10 +86,13 @@ FBench::init_crypto_engine(const std::string &ca_certs_file_name,
 return false;
 }
 bool load_failed = false;
- vespalib::net::tls::TransportSecurityOptions
- tls_opts(maybe_load(ca_certs_file_name, load_failed),
- maybe_load(cert_chain_file_name, load_failed),
- maybe_load(private_key_file_name, load_failed));
+ auto ts_builder = vespalib::net::tls::TransportSecurityOptions::Params().
+ ca_certs_pem(maybe_load(ca_certs_file_name, load_failed)).
+ cert_chain_pem(maybe_load(cert_chain_file_name, load_failed)).
+ private_key_pem(maybe_load(private_key_file_name, load_failed)).
+ authorized_peers(vespalib::net::tls::AuthorizedPeers::allow_all_authenticated()).
+ disable_hostname_validation(true); // TODO configurable or default false!
+ vespalib::net::tls::TransportSecurityOptions tls_opts(std::move(ts_builder));
 if (load_failed) {
 fprintf(stderr, "failed to load transport security options\n");
 return false; |
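Review bot: `disable_hostname_validation(true)` is hard-coded in the new builder chain, so every TLS connection fbench opens skips hostname verification of the peer certificate, and the TODO on that line is the only trace of it; `init_crypto_engine` receives individual PEM file names rather than the JSON config the commit message describes, so there is apparently no path by which the new `disable-hostname-validation` config entry could reach this call. A load-testing client that silently accepts any authenticated certificate for any hostname is easy to leave that way in production-like runs, so at minimum surface it at runtime next to the `tls_opts` construction, e.g. `fprintf(stderr, "warning: TLS hostname validation is disabled for all fbench connections\n");`, and preferably add a `bool disable_hostname_validation = true` parameter to `init_crypto_engine` so callers can opt in to validation without a source change. The same fixed-policy concern applies to `authorized_peers(vespalib::net::tls::AuthorizedPeers::allow_all_authenticated())`, which also is not configurable from here. `init_crypto_engine` starts before and continues after this hunk.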