authorTor Brede Vekterli <vekterli@oath.com>2018-09-10 12:18:26 +0000
committerTor Brede Vekterli <vekterli@oath.com>2018-09-10 12:26:58 +0000
commitcbf1ef186e91111b16f5dcc910367abae6cffdcb (patch)
tree813953a0aedaac4adddcb133a1e0962a50ff19a8 /vespalib
parente3d76a10ea55c9e195bb19fd7c67a760b23a15c4 (diff)
Enforce TLS peer certificate verification (client and server)
Diffstat (limited to 'vespalib')
-rw-r--r--vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.cpp9
-rw-r--r--vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.h3
2 files changed, 10 insertions, 2 deletions
diff --git a/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.cpp b/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.cpp
index defa8a91650..27250dd43fc 100644
--- a/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.cpp
+++ b/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.cpp
@@ -162,9 +162,9 @@ OpenSslTlsContextImpl::OpenSslTlsContextImpl(const TransportSecurityOptions& ts_
verify_private_key();
enable_ephemeral_key_exchange();
disable_compression();
+ enforce_peer_certificate_verification();
// TODO set accepted cipher suites!
// TODO `--> If not set in options, use Modern spec from https://wiki.mozilla.org/Security/Server_Side_TLS
- // TODO set peer verification flags!
}
OpenSslTlsContextImpl::~OpenSslTlsContextImpl() = default;
@@ -259,4 +259,11 @@ void OpenSslTlsContextImpl::disable_compression() {
::SSL_CTX_set_options(_ctx.get(), SSL_OP_NO_COMPRESSION);
}
+void OpenSslTlsContextImpl::enforce_peer_certificate_verification() {
+ // We require full mutual certificate verification. No way to configure
+ // out of this, at least not for the time being.
+ // TODO verification callback for custom CN/SAN etc checks.
+ SSL_CTX_set_verify(_ctx.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr);
+}
+
}
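Review bot: The comment in enforce_peer_certificate_verification says "full mutual certificate verification", but `SSL_VERIFY_FAIL_IF_NO_PEER_CERT` only takes effect on the server side of a handshake; on the client side `SSL_VERIFY_PEER` alone is what aborts on a failed chain check, so the comment should say which flag covers which direction. The gap the TODO on the next line already names deserves a security caveat rather than just a TODO: with a null callback and no hostname/SAN check, any certificate that chains to the configured trust roots is accepted regardless of the identity it carries, so until that callback exists the trust store has to be a private CA, not a public one (the trust-store loading is outside this hunk, so I cannot confirm what it holds). I would replace the first two comment lines with `// Server side: SSL_VERIFY_FAIL_IF_NO_PEER_CERT rejects clients without a certificate. Client side: SSL_VERIFY_PEER aborts the handshake if the server chain does not verify.` followed by `// NOTE: no CN/SAN identity check yet; any cert chaining to the trust store is accepted, so the store must be a private CA.` Minor style point: the sibling call on the line above is written `::SSL_CTX_set_options`, so `::SSL_CTX_set_verify(...)` would keep the global-scope qualification consistent.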
diff --git a/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.h b/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.h
index 208629d913a..72f9f3b570d 100644
--- a/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.h
+++ b/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.h
@@ -23,6 +23,7 @@ private:
// Enable use of ephemeral key exchange (ECDHE), allowing forward secrecy.
void enable_ephemeral_key_exchange();
void disable_compression();
+ void enforce_peer_certificate_verification();
};
-} \ No newline at end of file
+}
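Review bot: The new declaration has no comment while its neighbour enable_ephemeral_key_exchange documents what it enables and why; a reader of the header cannot tell that this call makes the handshake fail rather than merely request a certificate. I would add above it `// Require the peer to present a certificate that verifies against the trust store; the handshake fails otherwise (no identity/SAN check yet).` The enclosing class starts before this hunk, so I cannot see whether the class-level comment already covers this.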