diff options
Diffstat (limited to '')
-rw-r--r-- | src/OSSupport/Network.h | 3 | ||||
-rw-r--r-- | src/OSSupport/TCPLinkImpl.cpp | 23 | ||||
-rw-r--r-- | src/OSSupport/TCPLinkImpl.h | 3 |
3 files changed, 21 insertions, 8 deletions
diff --git a/src/OSSupport/Network.h b/src/OSSupport/Network.h index 32163b710..ca31d9948 100644 --- a/src/OSSupport/Network.h +++ b/src/OSSupport/Network.h @@ -113,7 +113,8 @@ public: Returns empty string on success, non-empty error description on failure. */ virtual AString StartTLSClient( cX509CertPtr a_OwnCert, - cCryptoKeyPtr a_OwnPrivKey + cCryptoKeyPtr a_OwnPrivKey, + cX509CertPtr a_TrustedRootCAs ) = 0; /** Starts a TLS handshake as a server connection. diff --git a/src/OSSupport/TCPLinkImpl.cpp b/src/OSSupport/TCPLinkImpl.cpp index 6bd33e9f5..1e12f27ab 100644 --- a/src/OSSupport/TCPLinkImpl.cpp +++ b/src/OSSupport/TCPLinkImpl.cpp @@ -244,7 +244,8 @@ void cTCPLinkImpl::Close(void) AString cTCPLinkImpl::StartTLSClient( cX509CertPtr a_OwnCert, - cCryptoKeyPtr a_OwnPrivKey + cCryptoKeyPtr a_OwnPrivKey, + cX509CertPtr a_TrustedRootCAs ) { // Check preconditions: @@ -259,15 +260,25 @@ AString cTCPLinkImpl::StartTLSClient( // Create the TLS context: m_TlsContext = std::make_shared<cLinkTlsContext>(*this); - if (a_OwnCert != nullptr) + if ((a_OwnCert == nullptr) && (a_TrustedRootCAs == nullptr)) { - auto Config = cSslConfig::MakeDefaultConfig(true); - Config->SetOwnCert(std::move(a_OwnCert), std::move(a_OwnPrivKey)); - m_TlsContext->Initialize(Config); + // Use the (shared) default TLS config + m_TlsContext->Initialize(true); } else { - m_TlsContext->Initialize(true); + // Need a specialized config for the own certificate / trusted root CAs: + auto Config = cSslConfig::MakeDefaultConfig(true); + if (a_OwnCert != nullptr) + { + Config->SetOwnCert(std::move(a_OwnCert), std::move(a_OwnPrivKey)); + } + if (a_TrustedRootCAs != nullptr) + { + Config->SetAuthMode(eSslAuthMode::Required); + Config->SetCACerts(std::move(a_TrustedRootCAs)); + } + m_TlsContext->Initialize(Config); } // Enable SNI / peer name verification: diff --git a/src/OSSupport/TCPLinkImpl.h b/src/OSSupport/TCPLinkImpl.h index c757303d2..44e515504 100644 --- a/src/OSSupport/TCPLinkImpl.h +++ b/src/OSSupport/TCPLinkImpl.h @@ -75,7 +75,8 @@ public: virtual void Close(void) override; virtual AString StartTLSClient( cX509CertPtr a_OwnCert, - cCryptoKeyPtr a_OwnPrivKey + cCryptoKeyPtr a_OwnPrivKey, + cX509CertPtr a_TrustedRootCAs ) override; virtual AString StartTLSServer( cX509CertPtr a_OwnCert, |