Commit 70ea774f authored by Tatsuhiro Tsujikawa's avatar Tatsuhiro Tsujikawa

asio: Clear up TLS peer verification

parent e15d3029
......@@ -64,6 +64,8 @@ int main(int argc, char *argv[]) {
boost::asio::io_service io_service;
boost::asio::ssl::context tls_ctx(boost::asio::ssl::context::sslv23);
tls_ctx.set_default_verify_paths();
tls_ctx.set_verify_mode(boost::asio::ssl::verify_peer);
configure_tls_context(tls_ctx);
session sess(io_service, tls_ctx, "localhost", "3000");
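Review bot: The `set_verify_mode(boost::asio::ssl::verify_peer)` call is the only thing that makes the per-session hostname check run — `session_tls_impl` installs `rfc2818_verification(host)` as a verify callback, and OpenSSL never invokes that callback while the context's mode is `verify_none` — yet nothing in this example records that dependency, so a reader trimming the setup could silently turn verification off. Add a comment such as `// verify_peer is required: the rfc2818_verification callback installed by session_tls_impl is never invoked under the default verify_none.` above that line. It is also worth noting next to `set_default_verify_paths()` that the CA store it loads is whatever the OpenSSL build and environment supply (presumably the system bundle), so the throwing overload used here is the right choice — a missing store surfaces as an exception rather than a connection that verifies against nothing. The enclosing `main` continues outside this hunk.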
......
......@@ -33,6 +33,11 @@ session_tls_impl::session_tls_impl(boost::asio::io_service &io_service,
const std::string &host,
const std::string &service)
: session_impl(io_service), socket_(io_service, tls_ctx) {
// this callback setting is no effect is
// ssl::context::set_verify_mode(boost::asio::ssl::verify_peer) is
// not used, which is what we want.
socket_.set_verify_callback(boost::asio::ssl::rfc2818_verification(host));
start_resolve(host, service);
}
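Review bot: The new comment above `set_verify_callback` is garbled ("is no effect is ... is not used") and, more importantly, it states the fail-open behaviour as desirable without explaining the consequence: if a caller never sets `verify_peer` on `tls_ctx`, `rfc2818_verification` is silently skipped and the TLS session is established against an unauthenticated peer. Reword it to make the contract explicit, e.g. `// rfc2818_verification only runs if the caller enabled verify_peer on tls_ctx; under the default verify_none OpenSSL never invokes this callback and the peer is NOT authenticated.` If leaving the decision to the caller is deliberate, the header that declares the client API should say the same thing, since this file is not where users will look. The constructor's signature lies outside this hunk (in the `@@` context line).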
......
......@@ -50,15 +50,6 @@ int client_select_next_proto_cb(SSL *ssl, unsigned char **out,
void configure_tls_context(boost::asio::ssl::context &tls_ctx) {
auto ctx = tls_ctx.native_handle();
SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
SSL_OP_NO_COMPRESSION |
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
SSL_CTX_set_mode(ctx, SSL_MODE_RELEASE_BUFFERS);
SSL_CTX_set_cipher_list(ctx, ssl::DEFAULT_CIPHER_LIST);
SSL_CTX_set_next_proto_select_cb(ctx, client_select_next_proto_cb, nullptr);
}
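Review bot: If, as the `-15 +6` counts on this hunk suggest, the removed lines are the `SSL_CTX_set_options(... SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION ...)`, `SSL_CTX_set_mode` and `SSL_CTX_set_cipher_list(ctx, ssl::DEFAULT_CIPHER_LIST)` calls, then `configure_tls_context` no longer hardens the client context at all — it only installs the NPN callback. The example caller constructs its context with `boost::asio::ssl::context::sslv23`, which on its own permits SSLv3 and TLS compression, so a client that relies on this helper becomes downgradeable (POODLE) and compression-attackable (CRIME) unless every caller remembers to set those options itself. Peer verification and protocol/cipher hardening are separate concerns; this commit is about the former, so the `SSL_CTX_set_options`, `SSL_CTX_set_mode` and cipher-list lines should stay in this function, or the header comment must state loudly that callers are now responsible for them. I cannot see the removed side with certainty on this rendered page, so please confirm which lines went.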
......
......@@ -372,6 +372,8 @@ private:
std::unique_ptr<session_impl> impl_;
};
// configure |tls_ctx| for client use. Currently, we just set NPN
// callback for HTTP/2.
void configure_tls_context(boost::asio::ssl::context &tls_ctx);
} // namespace client
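Review bot: The new comment on `configure_tls_context` describes what the function does but not what it deliberately leaves to the caller, which is the security-relevant part after this commit: the library installs an `rfc2818_verification` callback in `session_tls_impl`, yet that callback only fires if the application has set `verify_peer` on the context, and this helper sets neither the verify mode nor the CA paths. Extend the comment along the lines of `// configure |tls_ctx| for client use. Currently, we just set NPN callback for HTTP/2. This does NOT enable peer verification: callers must call set_default_verify_paths()/load_verify_file() and set_verify_mode(verify_peer) themselves, otherwise the server certificate is never checked.` The comment's first sentence could also drop "just", which reads as reassurance rather than a warning.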
......