ircd::net: Add more tls cert verification exceptions w/ conf.
This commit is contained in:
parent
5a5cf35042
commit
0e5f8141c3
2 changed files with 12 additions and 1 deletions
|
@ -36,6 +36,7 @@ struct ircd::net::open_opts
|
|||
static conf::item<milliseconds> default_handshake_timeout;
|
||||
static conf::item<bool> default_verify_certificate;
|
||||
static conf::item<bool> default_allow_self_signed;
|
||||
static conf::item<bool> default_allow_self_chain;
|
||||
static conf::item<bool> default_allow_expired;
|
||||
|
||||
// Get the proper target CN from the options structure
|
||||
|
@ -95,7 +96,7 @@ struct ircd::net::open_opts
|
|||
|
||||
/// Option to toggle whether to allow self-signed certificate authorities
|
||||
/// in the chain. This is what corporate network nanny's may use to spy.
|
||||
bool allow_self_chain { false };
|
||||
bool allow_self_chain { default_allow_self_chain };
|
||||
|
||||
/// Option to allow expired certificates.
|
||||
bool allow_expired { default_allow_expired };
|
||||
|
|
10
ircd/net.cc
10
ircd/net.cc
|
@ -566,6 +566,13 @@ ircd::net::open_opts::default_allow_self_signed
|
|||
{ "default", false },
|
||||
};
|
||||
|
||||
decltype(ircd::net::open_opts::default_allow_self_chain)
|
||||
ircd::net::open_opts::default_allow_self_chain
|
||||
{
|
||||
{ "name", "ircd.net.open.allow_self_chain" },
|
||||
{ "default", false },
|
||||
};
|
||||
|
||||
decltype(ircd::net::open_opts::default_allow_expired)
|
||||
ircd::net::open_opts::default_allow_expired
|
||||
{
|
||||
|
@ -2666,6 +2673,9 @@ noexcept try
|
|||
reject();
|
||||
break;
|
||||
|
||||
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
|
||||
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
|
||||
case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
|
||||
case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
|
||||
if(opts.allow_self_chain)
|
||||
return true;
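Review bot: The three cases added ahead of X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN are chain-building failures rather than a self-signed CA inside the chain — X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY in particular means the peer's chain could not be anchored to anything in the trust store — so `allow_self_chain` now bypasses verification in situations its declaration in open_opts (documented in the header hunk as self-signed authorities in the chain) does not describe. Either give those errors a conf-backed option of their own, or at least state the wider meaning both on the header comment and here, e.g. above the new cases: `// Chain-building failures are overridden together with a self-signed chain CA; none of these can be anchored to a trusted root.` Since the override is a bare `return true`, consider also emitting a warning-level log line naming the X509 error before returning, so that connections accepted under this exception are distinguishable in the log from a fully verified handshake. The enclosing verify callback starts and ends outside the hunk, so whether it already logs the override is not visible here.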
|
||||
|
|