authorTor Brede Vekterli <vekterli@oath.com>2018-09-10 15:13:43 +0200
committerGitHub <noreply@github.com>2018-09-10 15:13:43 +0200
commiteeef890a97afc420010bf40c9df7ac54a3c9261b (patch)
tree8fb8f63635700986e520e491ec1aab232577721d /vespalib
parent38b582486ca45285a1a17c2bfcb5edaac3f0b6fe (diff)
parentcbf1ef186e91111b16f5dcc910367abae6cffdcb (diff)
Merge pull request #6874 from vespa-engine/vekterli/enforce-tls-peer-certificate-verification
Enforce TLS peer certificate verification (client and server)
Diffstat (limited to 'vespalib')
-rw-r--r--vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.cpp9
-rw-r--r--vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.h3
2 files changed, 10 insertions, 2 deletions
diff --git a/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.cpp b/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.cpp
index defa8a91650..27250dd43fc 100644
--- a/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.cpp
+++ b/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.cpp
@@ -162,9 +162,9 @@ OpenSslTlsContextImpl::OpenSslTlsContextImpl(const TransportSecurityOptions& ts_
verify_private_key();
enable_ephemeral_key_exchange();
disable_compression();
+ enforce_peer_certificate_verification();
// TODO set accepted cipher suites!
// TODO `--> If not set in options, use Modern spec from https://wiki.mozilla.org/Security/Server_Side_TLS
- // TODO set peer verification flags!
}
OpenSslTlsContextImpl::~OpenSslTlsContextImpl() = default;
@@ -259,4 +259,11 @@ void OpenSslTlsContextImpl::disable_compression() {
::SSL_CTX_set_options(_ctx.get(), SSL_OP_NO_COMPRESSION);
}
+void OpenSslTlsContextImpl::enforce_peer_certificate_verification() {
+ // We require full mutual certificate verification. No way to configure
+ // out of this, at least not for the time being.
+ // TODO verification callback for custom CN/SAN etc checks.
+ SSL_CTX_set_verify(_ctx.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr);
+}
+
}
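Review bot: With a null verify callback, `SSL_CTX_set_verify` in `enforce_peer_certificate_verification` only checks that the peer's certificate chains to a CA in the context's trust store; any certificate that CA has issued is accepted regardless of its subject, so this authenticates the issuer rather than the peer's identity, and the TODO in the body is exactly the gap that closes it. Loading of the trust store happens outside this hunk, so I cannot confirm from here that verify locations are configured before this call; if they are not, these flags make every handshake fail closed (no silent pass), which is worth a comment so the failure mode is understood. I would also bound the chain length explicitly with `SSL_CTX_set_verify_depth(_ctx.get(), /* project-chosen depth */);` rather than rely on the library default, and note in the comment that `SSL_VERIFY_FAIL_IF_NO_PEER_CERT` is only consulted in server mode, while a client already fails under `SSL_VERIFY_PEER` when no server certificate is presented. Suggested replacement for the first comment line: `// Chain validation against the configured trust store only; peer identity (CN/SAN) is not checked until the TODO below is addressed.`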
diff --git a/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.h b/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.h
index 208629d913a..72f9f3b570d 100644
--- a/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.h
+++ b/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.h
@@ -23,6 +23,7 @@ private:
// Enable use of ephemeral key exchange (ECDHE), allowing forward secrecy.
void enable_ephemeral_key_exchange();
void disable_compression();
+ void enforce_peer_certificate_verification();
};
-} \ No newline at end of file
+}
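Review bot: The new `enforce_peer_certificate_verification` declaration carries no comment while the sibling `enable_ephemeral_key_exchange` above it documents its purpose, and the header is where a reader looks for the class's peer-authentication contract. I would add above it `// Require the peer to present a certificate that chains to the configured trust store (SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT); subject/SAN identity is not yet checked.` so the limitation is visible without opening the .cpp. The enclosing class starts outside the hunk.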