Diffstat (limited to '')
-rw-r--r--src/OSSupport/Network.h3
-rw-r--r--src/OSSupport/TCPLinkImpl.cpp23
-rw-r--r--src/OSSupport/TCPLinkImpl.h3
3 files changed, 21 insertions, 8 deletions
diff --git a/src/OSSupport/Network.h b/src/OSSupport/Network.h
index 32163b710..ca31d9948 100644
--- a/src/OSSupport/Network.h
+++ b/src/OSSupport/Network.h
@@ -113,7 +113,8 @@ public:
Returns empty string on success, non-empty error description on failure. */
virtual AString StartTLSClient(
cX509CertPtr a_OwnCert,
- cCryptoKeyPtr a_OwnPrivKey
+ cCryptoKeyPtr a_OwnPrivKey,
+ cX509CertPtr a_TrustedRootCAs
) = 0;
/** Starts a TLS handshake as a server connection.
diff --git a/src/OSSupport/TCPLinkImpl.cpp b/src/OSSupport/TCPLinkImpl.cpp
index 6bd33e9f5..1e12f27ab 100644
--- a/src/OSSupport/TCPLinkImpl.cpp
+++ b/src/OSSupport/TCPLinkImpl.cpp
@@ -244,7 +244,8 @@ void cTCPLinkImpl::Close(void)
AString cTCPLinkImpl::StartTLSClient(
cX509CertPtr a_OwnCert,
- cCryptoKeyPtr a_OwnPrivKey
+ cCryptoKeyPtr a_OwnPrivKey,
+ cX509CertPtr a_TrustedRootCAs
)
{
// Check preconditions:
@@ -259,15 +260,25 @@ AString cTCPLinkImpl::StartTLSClient(
// Create the TLS context:
m_TlsContext = std::make_shared<cLinkTlsContext>(*this);
- if (a_OwnCert != nullptr)
+ if ((a_OwnCert == nullptr) && (a_TrustedRootCAs == nullptr))
{
- auto Config = cSslConfig::MakeDefaultConfig(true);
- Config->SetOwnCert(std::move(a_OwnCert), std::move(a_OwnPrivKey));
- m_TlsContext->Initialize(Config);
+ // Use the (shared) default TLS config
+ m_TlsContext->Initialize(true);
}
else
{
- m_TlsContext->Initialize(true);
+ // Need a specialized config for the own certificate / trusted root CAs:
+ auto Config = cSslConfig::MakeDefaultConfig(true);
+ if (a_OwnCert != nullptr)
+ {
+ Config->SetOwnCert(std::move(a_OwnCert), std::move(a_OwnPrivKey));
+ }
+ if (a_TrustedRootCAs != nullptr)
+ {
+ Config->SetAuthMode(eSslAuthMode::Required);
+ Config->SetCACerts(std::move(a_TrustedRootCAs));
+ }
+ m_TlsContext->Initialize(Config);
}
// Enable SNI / peer name verification:
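Review bot: The `else` branch makes peer verification Required only when a_TrustedRootCAs is supplied, so for a null a_TrustedRootCAs the link's verification behaviour is whatever `cSslConfig::MakeDefaultConfig(true)` / `Initialize(true)` configures, which this hunk does not show; the branch comments should make that explicit so a reader does not assume the new parameter is the only thing that turns verification on or off. I would replace the first branch comment with `// No own cert and no custom trust anchors: peer verification follows the shared default TLS config`, and annotate the `SetAuthMode` line with `// Caller-supplied trust anchors: require the peer cert to chain to them`. A second, lesser point: when a_OwnCert is null but a_OwnPrivKey is not, the key is silently dropped; the precondition checks at the top of the function are outside the hunk, so this may already be rejected there, but if not a short comment or a check would help. The enclosing function continues beyond the hunk in both directions.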
diff --git a/src/OSSupport/TCPLinkImpl.h b/src/OSSupport/TCPLinkImpl.h
index c757303d2..44e515504 100644
--- a/src/OSSupport/TCPLinkImpl.h
+++ b/src/OSSupport/TCPLinkImpl.h
@@ -75,7 +75,8 @@ public:
virtual void Close(void) override;
virtual AString StartTLSClient(
cX509CertPtr a_OwnCert,
- cCryptoKeyPtr a_OwnPrivKey
+ cCryptoKeyPtr a_OwnPrivKey,
+ cX509CertPtr a_TrustedRootCAs
) override;
virtual AString StartTLSServer(
cX509CertPtr a_OwnCert,