author | Tor Brede Vekterli <vekterli@oath.com> | 2018-09-10 12:18:26 +0000 |
---|---|---|
committer | Tor Brede Vekterli <vekterli@oath.com> | 2018-09-10 12:26:58 +0000 |
commit | cbf1ef186e91111b16f5dcc910367abae6cffdcb (patch) | |
tree | 813953a0aedaac4adddcb133a1e0962a50ff19a8 /vespalib | |
parent | e3d76a10ea55c9e195bb19fd7c67a760b23a15c4 (diff) |
Enforce TLS peer certificate verification (client and server)
Diffstat (limited to 'vespalib')
-rw-r--r-- | vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.cpp | 9 | ||||
-rw-r--r-- | vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.h | 3 |
2 files changed, 10 insertions, 2 deletions
diff --git a/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.cpp b/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.cpp
index defa8a91650..27250dd43fc 100644
--- a/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.cpp
+++ b/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.cpp
@@ -162,9 +162,9 @@ OpenSslTlsContextImpl::OpenSslTlsContextImpl(const TransportSecurityOptions& ts_
 verify_private_key();
 enable_ephemeral_key_exchange();
 disable_compression();
+ enforce_peer_certificate_verification();
 // TODO set accepted cipher suites!
 // TODO `--> If not set in options, use Modern spec from https://wiki.mozilla.org/Security/Server_Side_TLS
- // TODO set peer verification flags!
 }
 
 OpenSslTlsContextImpl::~OpenSslTlsContextImpl() = default;
@@ -259,4 +259,11 @@ void OpenSslTlsContextImpl::disable_compression() {
 ::SSL_CTX_set_options(_ctx.get(), SSL_OP_NO_COMPRESSION);
 }
 
+void OpenSslTlsContextImpl::enforce_peer_certificate_verification() {
+ // We require full mutual certificate verification. No way to configure
+ // out of this, at least not for the time being.
+ // TODO verification callback for custom CN/SAN etc checks.
+ SSL_CTX_set_verify(_ctx.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr);
+}
+
 }
diff --git a/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.h b/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.h
index 208629d913a..72f9f3b570d 100644
--- a/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.h
+++ b/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.h
@@ -23,6 +23,7 @@ private:
 // Enable use of ephemeral key exchange (ECDHE), allowing forward secrecy.
 void enable_ephemeral_key_exchange();
 void disable_compression();
+ void enforce_peer_certificate_verification();
 };
 
-}
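Review bot: The new enforce_peer_certificate_verification() calls `SSL_CTX_set_verify` unqualified while the neighbouring disable_compression() context line in the same hunk uses `::SSL_CTX_set_options`; for consistency write `::SSL_CTX_set_verify(_ctx.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr);`. The comment "full mutual certificate verification" overstates what these flags give on the client side: OpenSSL ignores SSL_VERIFY_FAIL_IF_NO_PEER_CERT in client mode, so there it is SSL_VERIFY_PEER alone that aborts the handshake when the server's chain fails to verify, which is worth stating in a line such as `// SSL_VERIFY_FAIL_IF_NO_PEER_CERT only takes effect in server mode (client cert required).`. Since this context appears to serve both roles, consider also bounding chain length with `SSL_CTX_set_verify_depth`, and make explicit that chain verification is only as strong as the trust store this class loads elsewhere (not visible in the hunk).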
\ No newline at end of file +} |