Enabling daemon-rpc SSL now requires non-system CA verification

If `--daemon-ssl enabled` is set in the wallet, then a user certificate, fingerprint, or onion/i2p address must be provided.
2024-08-15 01:03:23 +00:00 · 2019-04-06 21:28:37 -04:00 · 2019-04-06 21:28:37 -04:00 · 2e578b8214
commit 2e578b8214
parent d58f368289
4 changed files with 51 additions and 17 deletions
--- a/contrib/epee/include/net/net_ssl.h
+++ b/contrib/epee/include/net/net_ssl.h
@ -100,6 +100,9 @@ namespace net_utils
    //! \return False iff ssl is disabled, otherwise true.
    explicit operator bool() const noexcept { return support != ssl_support_t::e_ssl_support_disabled; }

+    //! \retrurn True if `host` can be verified using `this` configuration WITHOUT system "root" CAs.
+    bool has_strong_verification(boost::string_ref host) const noexcept;
+
    //! Search against internal fingerprints. Always false if `behavior() != user_certificate_check`.
    bool has_fingerprint(boost::asio::ssl::verify_context &ctx) const;

--- a/contrib/epee/src/net_ssl.cpp
+++ b/contrib/epee/src/net_ssl.cpp
@ -278,6 +278,25 @@ bool is_ssl(const unsigned char *data, size_t len)
  return false;
 }

+bool ssl_options_t::has_strong_verification(boost::string_ref host) const noexcept
+{
+  // onion and i2p addresses contain information about the server cert
+  // which both authenticates and encrypts
+  if (host.ends_with(".onion") || host.ends_with(".i2p"))
+    return true;
+  switch (verification)
+  {
+    default:
+    case ssl_verification_t::none:
+    case ssl_verification_t::system_ca:
+      return false;
+    case ssl_verification_t::user_certificates:
+    case ssl_verification_t::user_ca:
+      break;
+  }
+  return true;
+}
+
 bool ssl_options_t::has_fingerprint(boost::asio::ssl::verify_context &ctx) const
 {
  // can we check the certificate against a list of fingerprints?