author | Mattes D <github@xoft.cz> | 2023-05-09 19:59:15 +0200 |
committer | Mattes D <github@xoft.cz> | 2023-05-19 16:25:12 +0200 |
commit | 97c49c6f294a0b7e931be2692c124bd78fc79946 (patch) | |
tree | 872fcdfbfc30ff0ed2e2e444bb965769ea147e60 /src/OSSupport | |
parent | cTCPLink: Use the original connection hostname for SNI. (diff) | |
Diffstat (limited to '')
-rw-r--r-- | src/OSSupport/Network.h | 3 | ||||
-rw-r--r-- | src/OSSupport/TCPLinkImpl.cpp | 23 | ||||
-rw-r--r-- | src/OSSupport/TCPLinkImpl.h | 3 |
3 files changed, 21 insertions, 8 deletions
diff --git a/src/OSSupport/Network.h b/src/OSSupport/Network.h
index 32163b710..ca31d9948 100644
--- a/src/OSSupport/Network.h
+++ b/src/OSSupport/Network.h
@@ -113,7 +113,8 @@ public:
 Returns empty string on success, non-empty error description on failure. */
 virtual AString StartTLSClient(
 cX509CertPtr a_OwnCert,
- cCryptoKeyPtr a_OwnPrivKey
+ cCryptoKeyPtr a_OwnPrivKey,
+ cX509CertPtr a_TrustedRootCAs
 ) = 0;
 
 /** Starts a TLS handshake as a server connection.
diff --git a/src/OSSupport/TCPLinkImpl.cpp b/src/OSSupport/TCPLinkImpl.cpp
index 6bd33e9f5..1e12f27ab 100644
--- a/src/OSSupport/TCPLinkImpl.cpp
+++ b/src/OSSupport/TCPLinkImpl.cpp
@@ -244,7 +244,8 @@ void cTCPLinkImpl::Close(void)
 
 AString cTCPLinkImpl::StartTLSClient(
 cX509CertPtr a_OwnCert,
- cCryptoKeyPtr a_OwnPrivKey
+ cCryptoKeyPtr a_OwnPrivKey,
+ cX509CertPtr a_TrustedRootCAs
 )
 {
 // Check preconditions:
@@ -259,15 +260,25 @@ AString cTCPLinkImpl::StartTLSClient(
 
 // Create the TLS context:
 m_TlsContext = std::make_shared<cLinkTlsContext>(*this);
- if (a_OwnCert != nullptr)
+ if ((a_OwnCert == nullptr) && (a_TrustedRootCAs == nullptr))
 {
- auto Config = cSslConfig::MakeDefaultConfig(true);
- Config->SetOwnCert(std::move(a_OwnCert), std::move(a_OwnPrivKey));
- m_TlsContext->Initialize(Config);
+ // Use the (shared) default TLS config
+ m_TlsContext->Initialize(true);
 }
 else
 {
- m_TlsContext->Initialize(true);
+ // Need a specialized config for the own certificate / trusted root CAs:
+ auto Config = cSslConfig::MakeDefaultConfig(true);
+ if (a_OwnCert != nullptr)
+ {
+ Config->SetOwnCert(std::move(a_OwnCert), std::move(a_OwnPrivKey));
+ }
+ if (a_TrustedRootCAs != nullptr)
+ {
+ Config->SetAuthMode(eSslAuthMode::Required);
+ Config->SetCACerts(std::move(a_TrustedRootCAs));
+ }
+ m_TlsContext->Initialize(Config);
 }
 
 // Enable SNI / peer name verification:
diff --git a/src/OSSupport/TCPLinkImpl.h b/src/OSSupport/TCPLinkImpl.h
index c757303d2..44e515504 100644
--- a/src/OSSupport/TCPLinkImpl.h
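Review bot: The new `a_TrustedRootCAs` parameter of `StartTLSClient` in Network.h is undocumented: the doc comment above the declaration (it begins outside the hunk) ends with the return-value sentence and says nothing about what the new argument does or what passing `nullptr` means. The implementation in TCPLinkImpl.cpp shows that a non-null value switches the config to `eSslAuthMode::Required` against those CAs, whereas `nullptr` falls back to the default config, whose peer-verification setting is not visible in this commit. I would add to the comment: `a_TrustedRootCAs: when non-null, the server certificate must chain to one of these CAs, otherwise the handshake fails; when null, the default TLS config's peer-verification setting applies.` A sentence warning callers that `nullptr` is only appropriate where the default config is known to verify the peer would help, since this interface is what plugins and other subsystems call.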
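Review bot: In the `else` branch of the second TCPLinkImpl.cpp hunk, a caller that supplies its own certificate but `nullptr` for `a_TrustedRootCAs` gets a config whose auth mode is whatever `cSslConfig::MakeDefaultConfig(true)` sets, and that default is not visible here; only the CA-supplied path explicitly sets `eSslAuthMode::Required`. If the default is anything weaker, such a client authenticates itself to the server but never verifies the server, which is the behaviour the old code had and this change preserves without saying so. I would make the expectation explicit next to the config creation: `// NOTE: without a_TrustedRootCAs the peer-verification mode stays at MakeDefaultConfig()'s default; confirm that default verifies the server certificate.` If that default turns out not to be Required, the safer fix is to set it here regardless of whether CAs were passed, leaving the trust store as the only thing `a_TrustedRootCAs` overrides. The function's precondition checks live in the first hunk's continuation outside this view, so whether a null `a_OwnPrivKey` alongside a non-null `a_OwnCert` is already rejected cannot be confirmed from here.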
+++ b/src/OSSupport/TCPLinkImpl.h
@@ -75,7 +75,8 @@ public:
 virtual void Close(void) override;
 virtual AString StartTLSClient(
 cX509CertPtr a_OwnCert,
- cCryptoKeyPtr a_OwnPrivKey
+ cCryptoKeyPtr a_OwnPrivKey,
+ cX509CertPtr a_TrustedRootCAs
 ) override;
 virtual AString StartTLSServer(
 cX509CertPtr a_OwnCert,