author | Tor Brede Vekterli <vekterli@verizonmedia.com> | 2020-02-13 16:03:07 +0000 |
---|---|---|
committer | Tor Brede Vekterli <vekterli@verizonmedia.com> | 2020-02-17 16:40:26 +0000 |
commit | 79ef6b54da01e4819291ae10faa0fe5e832ac1a2 (patch) | |
tree | fbddd35a4d63f052a954a4bbfaf518beb959a293 /vbench | |
parent | 17c5ae02ee13cf47516788263aa1792414a8c6a6 (diff) |
Implement TLS client SNI and hostname validation in OpenSSL codec
Also adds `disable-hostname-validation` config entry to TLS JSON
config file parsing in C++.
For the time being, hostname validation is implicitly disabled
unless explicitly specified in the config file. This will be
gradually changed over to be implicitly enabled by default.
SNI is always sent when a valid connection spec is provided.
Diffstat (limited to 'vbench')
-rw-r--r-- | vbench/src/vbench/vbench/vbench.cpp | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/vbench/src/vbench/vbench/vbench.cpp b/vbench/src/vbench/vbench/vbench.cpp
index 4f6efadfbdd..58854af705e 100644
--- a/vbench/src/vbench/vbench/vbench.cpp
+++ b/vbench/src/vbench/vbench/vbench.cpp
@@ -29,11 +29,13 @@ CryptoEngine::SP setup_crypto(const vespalib::slime::Inspector &tls) {
 if (!tls.valid()) {
 return std::make_shared<vespalib::NullCryptoEngine>();
 }
- vespalib::net::tls::TransportSecurityOptions
- tls_opts(maybe_load(tls["ca-certificates"]),
- maybe_load(tls["certificates"]),
- maybe_load(tls["private-key"]));
- return std::make_shared<vespalib::TlsCryptoEngine>(tls_opts);
+ auto ts_builder = vespalib::net::tls::TransportSecurityOptions::Params().
+ ca_certs_pem(maybe_load(tls["ca-certificates"])).
+ cert_chain_pem(maybe_load(tls["certificates"])).
+ private_key_pem(maybe_load(tls["private-key"])).
+ authorized_peers(vespalib::net::tls::AuthorizedPeers::allow_all_authenticated()).
+ disable_hostname_validation(true); // TODO configurable or default false!
+ return std::make_shared<vespalib::TlsCryptoEngine>(vespalib::net::tls::TransportSecurityOptions(std::move(ts_builder)));
 }
 } // namespace vbench::<unnamed> |
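Review bot: `disable_hostname_validation(true)` is hard-coded on the new side of this hunk, so the `disable-hostname-validation` entry the commit description adds to the TLS JSON config is never consulted by vbench's own slime-based loader, and an operator who explicitly enables validation in the file still gets it switched off here. The neighbouring keys are already read from the same `tls` Inspector, so the flag can be read the same way while preserving the disabled-by-default policy the description states: `const auto &dhv = tls["disable-hostname-validation"];` followed by `disable_hostname_validation(dhv.valid() ? dhv.asBool() : true); // absent => disabled, per current rollout policy`, which also lets the TODO be closed instead of carried. Combined with `allow_all_authenticated()`, disabling hostname validation appears to accept any peer whose certificate chains to the configured CA regardless of the name it presents, which is worth a one-line comment on the `authorized_peers` line so the benchmark tool's relaxed trust model is explicit. The hunk header counts (11 old / 13 new) do not match the visible lines, so a blank line was probably lost in rendering; setup_crypto's signature line sits just above the hunk.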