Diffstat (limited to 'vespalib')
-rw-r--r-- | vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.cpp | 9 | ||||
-rw-r--r-- | vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.h | 3 |
2 files changed, 10 insertions, 2 deletions
diff --git a/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.cpp b/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.cpp
index defa8a91650..27250dd43fc 100644
--- a/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.cpp
+++ b/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.cpp
@@ -162,9 +162,9 @@ OpenSslTlsContextImpl::OpenSslTlsContextImpl(const TransportSecurityOptions& ts_
     verify_private_key();
     enable_ephemeral_key_exchange();
     disable_compression();
+    enforce_peer_certificate_verification();
     // TODO set accepted cipher suites!
     // TODO `--> If not set in options, use Modern spec from https://wiki.mozilla.org/Security/Server_Side_TLS
-    // TODO set peer verification flags!
 }
 
 OpenSslTlsContextImpl::~OpenSslTlsContextImpl() = default;
@@ -259,4 +259,11 @@ void OpenSslTlsContextImpl::disable_compression() {
     ::SSL_CTX_set_options(_ctx.get(), SSL_OP_NO_COMPRESSION);
 }
 
+void OpenSslTlsContextImpl::enforce_peer_certificate_verification() {
+    // We require full mutual certificate verification. No way to configure
+    // out of this, at least not for the time being.
+    // TODO verification callback for custom CN/SAN etc checks.
+    SSL_CTX_set_verify(_ctx.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr);
+}
+
 }
diff --git a/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.h b/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.h
index 208629d913a..72f9f3b570d 100644
--- a/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.h
+++ b/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.h
@@ -23,6 +23,7 @@ private:
     // Enable use of ephemeral key exchange (ECDHE), allowing forward secrecy.
     void enable_ephemeral_key_exchange();
     void disable_compression();
+    void enforce_peer_certificate_verification();
 };
 
-}
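Review bot: The verify mode set in enforce_peer_certificate_verification() checks chain validity against the context's trust store but does not bind the peer certificate to any expected identity: with a nullptr callback and the CN/SAN check still a TODO, any certificate chaining to a trusted CA is accepted for any peer, so the comment's "full mutual certificate verification" overstates what is enforced. The comment should say so until the callback lands, e.g. `// NOTE: chain validation only; the peer's CN/SAN are not yet matched against an expected identity (see TODO below).` Per the OpenSSL documentation SSL_VERIFY_FAIL_IF_NO_PEER_CERT is a server-mode flag and is ignored in client mode, which is worth recording in the same comment since this context appears to serve both roles. Minor style point: the call is written `SSL_CTX_set_verify(` while the context line above uses `::SSL_CTX_set_options(`; `::SSL_CTX_set_verify(_ctx.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr);` keeps the file consistent. The constructor in the first hunk starts outside the hunk, so I cannot see whether the trust store is loaded before this call; if it is not, verification with these flags fails closed for every connection, which is presumably intended but should be confirmed.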
\ No newline at end of file +} |
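Review bot: The new declaration enforce_peer_certificate_verification() has no comment, while the neighbouring enable_ephemeral_key_exchange() declaration documents its purpose inline. A one-line comment in the same style would help readers of the header, e.g. `// Require the peer to present a certificate and fail the handshake if chain validation fails.` The enclosing class header is outside the hunk.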