Add option for checking IP address in the certificate as host.
GitOrigin-RevId: dba5b87a59f3d3d3241051ee0257a5786fdf4fb0
This commit is contained in:
parent
3ae535eae7
commit
a74d02f412
@ -291,7 +291,7 @@ Result<SslCtx> create_ssl_ctx(CSlice cert_file, SslStream::VerifyPeer verify_pee
class SslStreamImpl {
class SslStreamImpl {
public:
public:
Status init(CSlice host, CSlice cert_file, SslStream::VerifyPeer verify_peer) {
Status init(CSlice host, CSlice cert_file, SslStream::VerifyPeer verify_peer, bool check_ip_address_as_host) {
static bool init_openssl = [] {
static bool init_openssl = [] {
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
return OPENSSL_init_ssl(0, nullptr) != 0;
return OPENSSL_init_ssl(0, nullptr) != 0;
@ -317,7 +317,7 @@ class SslStreamImpl {
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
X509_VERIFY_PARAM *param = SSL_get0_param(ssl_handle.get());
X509_VERIFY_PARAM *param = SSL_get0_param(ssl_handle.get());
X509_VERIFY_PARAM_set_hostflags(param, 0);
X509_VERIFY_PARAM_set_hostflags(param, 0);
if (r_ip_address.is_ok()) {
if (r_ip_address.is_ok() && !check_ip_address_as_host) {
LOG(DEBUG) << "Set verification IP address to " << r_ip_address.ok().get_ip_str();
LOG(DEBUG) << "Set verification IP address to " << r_ip_address.ok().get_ip_str();
X509_VERIFY_PARAM_set1_ip_asc(param, r_ip_address.ok().get_ip_str().c_str());
X509_VERIFY_PARAM_set1_ip_asc(param, r_ip_address.ok().get_ip_str().c_str());
} else {
} else {
@ -509,9 +509,10 @@ SslStream::SslStream(SslStream &&) = default;
SslStream &SslStream::operator=(SslStream &&) = default;
SslStream &SslStream::operator=(SslStream &&) = default;
SslStream::~SslStream() = default;
SslStream::~SslStream() = default;
Result<SslStream> SslStream::create(CSlice host, CSlice cert_file, VerifyPeer verify_peer) {
Result<SslStream> SslStream::create(CSlice host, CSlice cert_file, VerifyPeer verify_peer,
bool use_ip_address_as_host) {
auto impl = make_unique<detail::SslStreamImpl>();
auto impl = make_unique<detail::SslStreamImpl>();
TRY_STATUS(impl->init(host, cert_file, verify_peer));
TRY_STATUS(impl->init(host, cert_file, verify_peer, use_ip_address_as_host));
return SslStream(std::move(impl));
return SslStream(std::move(impl));
}
}
SslStream::SslStream(unique_ptr<detail::SslStreamImpl> impl) : impl_(std::move(impl)) {
SslStream::SslStream(unique_ptr<detail::SslStreamImpl> impl) : impl_(std::move(impl)) {
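Review bot: In the second hunk, when `check_ip_address_as_host` is set an IP-literal host now skips `X509_VERIFY_PARAM_set1_ip_asc` and falls into the `else` branch, which presumably calls `X509_VERIFY_PARAM_set1_host` (that branch lies outside the hunk), so the IP string is matched with hostname rules — dNSName SANs, wildcard matching and CN fallback under the `X509_VERIFY_PARAM_set_hostflags(param, 0)` set just above — instead of the iPAddress SAN that RFC 6125 expects. No legitimate wildcard name covers an IP literal, so that mode should at least disable wildcards, e.g. `X509_VERIFY_PARAM_set_hostflags(param, check_ip_address_as_host ? X509_CHECK_FLAG_NO_WILDCARDS : 0);`, and a short comment next to the condition should record that the option exists only for servers whose certificate carries the IP as a DNS name or CN. A `LOG(DEBUG)` in the `else` branch mirroring the one in the IP branch would make it visible at runtime which verification mode was chosen. `SslStreamImpl::init` starts in the first hunk and continues past the end of the second.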
@ -25,7 +25,8 @@ class SslStream {
enum class VerifyPeer { On, Off };
enum class VerifyPeer { On, Off };
static Result<SslStream> create(CSlice host, CSlice cert_file = CSlice(), VerifyPeer verify_peer = VerifyPeer::On);
static Result<SslStream> create(CSlice host, CSlice cert_file = CSlice(), VerifyPeer verify_peer = VerifyPeer::On,
bool check_ip_address_as_host = false);
ByteFlowInterface &read_byte_flow();
ByteFlowInterface &read_byte_flow();
ByteFlowInterface &write_byte_flow();
ByteFlowInterface &write_byte_flow();
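Review bot: The new `check_ip_address_as_host` parameter on `SslStream::create` is undocumented, and the definition in SslStream.cpp spells it `use_ip_address_as_host`, so the name a caller sees in the header disagrees with the one in the implementation; rename the definition's parameter to `check_ip_address_as_host` so the two match. As far as the SslStream.cpp hunks show, the flag only makes an IP-literal host skip `X509_VERIFY_PARAM_set1_ip_asc` and take the hostname-verification branch, which is what the header should say: `// If host is an IP literal, verify it against the certificate's DNS names (hostname rules) rather than its iPAddress SAN; only for servers whose certificate embeds the IP as a hostname. Default false keeps the previous behavior.` The default of `false` preserves existing callers, which is worth stating explicitly since this is a verification-policy switch.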