ircd::net: Add more tls cert verification exceptions w/ conf.

2024-06-11 06:28:55 +02:00 · 2018-10-04 14:56:08 -07:00 · 2018-10-04 14:56:08 -07:00 · 0e5f8141c3
parent 5a5cf35042
commit 0e5f8141c3
2 changed files with 12 additions and 1 deletions
--- a/include/ircd/net/open.h
+++ b/include/ircd/net/open.h
@ -36,6 +36,7 @@ struct ircd::net::open_opts
 	static conf::item<milliseconds> default_handshake_timeout;
 	static conf::item<bool> default_verify_certificate;
 	static conf::item<bool> default_allow_self_signed;
+	static conf::item<bool> default_allow_self_chain;
 	static conf::item<bool> default_allow_expired;

 	// Get the proper target CN from the options structure
@ -95,7 +96,7 @@ struct ircd::net::open_opts

 	/// Option to toggle whether to allow self-signed certificate authorities
 	/// in the chain. This is what corporate network nanny's may use to spy.
-	bool allow_self_chain { false };
+	bool allow_self_chain { default_allow_self_chain };

 	/// Option to allow expired certificates.
 	bool allow_expired { default_allow_expired };
--- a/ircd/net.cc
+++ b/ircd/net.cc
@ -566,6 +566,13 @@ ircd::net::open_opts::default_allow_self_signed
 	{ "default",  false                              },
 };

+decltype(ircd::net::open_opts::default_allow_self_chain)
+ircd::net::open_opts::default_allow_self_chain
+{
+	{ "name",     "ircd.net.open.allow_self_chain"  },
+	{ "default",  false                             },
+};
+
 decltype(ircd::net::open_opts::default_allow_expired)
 ircd::net::open_opts::default_allow_expired
 {
@ -2666,6 +2673,9 @@ noexcept try
 			reject();
 			break;

+		case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
+		case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
+		case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
 		case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
 			if(opts.allow_self_chain)
 				return true;