
Commit ea38d84

committed
SSL examples verify peer cert hostname
Fixes boostorg#2974
1 parent 4e384f0 commit ea38d84

11 files changed

+109
-28
lines changed


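--- a/.drone.star
+++ b/.drone.star
@@ -15,7 +15,7 @@ def main(ctx):
 alljobs=[]
 customizedjobs = [
 linux_cxx("GCC 10, Debug + Coverage", "g++-10", packages="g++-10 libssl-dev libffi-dev binutils-gold gdb mlocate", image="cppalliance/droneubuntu2004:1", buildtype="boost_v1", buildscript="drone", environment={"GCOV": "gcov-10", "LCOV_VERSION": "1.15", "VARIANT": "beast_coverage", "TOOLSET": "gcc", "COMPILER": "g++-10", "CXXSTD": "14", "DRONE_BEFORE_INSTALL" : "beast_coverage", "CODECOV_TOKEN": {"from_secret": "codecov_token"}}, globalenv=globalenv, privileged=True),
-linux_cxx("Default clang++ with libc++", "clang++-libc++", packages="libc++-dev mlocate", image="cppalliance/droneubuntu1604:1", buildtype="boost_v1", buildscript="drone", environment={ "B2_TOOLSET": "clang-7", "B2_CXXSTD": "17,2a", "VARIANT": "debug", "TOOLSET": "clang", "COMPILER": "clang++-libc++", "CXXSTD": "11", "CXX_FLAGS": "<cxxflags>-stdlib=libc++ <linkflags>-stdlib=libc++", "TRAVISCLANG" : "yes" }, globalenv=globalenv),
+linux_cxx("Default clang++ with libc++", "clang++-libc++", packages="libc++-dev mlocate", image="cppalliance/droneubuntu1804:1", buildtype="boost_v1", buildscript="drone", environment={ "B2_TOOLSET": "clang-7", "B2_CXXSTD": "17,2a", "VARIANT": "debug", "TOOLSET": "clang", "COMPILER": "clang++-libc++", "CXXSTD": "11", "CXX_FLAGS": "<cxxflags>-stdlib=libc++ <linkflags>-stdlib=libc++", "TRAVISCLANG" : "yes" }, globalenv=globalenv),
 linux_cxx("GCC Valgrind", "g++", packages="g++-14 libssl-dev valgrind", image="cppalliance/droneubuntu2404:1", buildtype="boost_v1", buildscript="drone", environment={ "VARIANT": "beast_valgrind", "TOOLSET": "gcc", "COMPILER": "g++", "CXXSTD": "11" }, globalenv=globalenv),
 linux_cxx("Default g++", "g++", packages="mlocate", image="cppalliance/droneubuntu1604:1", buildtype="boost_v1", buildscript="drone", environment={ "VARIANT": "release", "TOOLSET": "gcc", "COMPILER": "g++", "CXXSTD": "11" }, globalenv=globalenv),
 linux_cxx("GCC 8, C++17, libstdc++, release", "g++-8", packages="g++-8 mlocate", image="cppalliance/droneubuntu1604:1", buildtype="boost_v1", buildscript="drone", environment={ "VARIANT": "release", "TOOLSET": "gcc", "COMPILER": "g++-8", "CXXSTD" : "17" }, globalenv=globalenv),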

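--- a/.github/workflows/fuzz.yml
+++ b/.github/workflows/fuzz.yml
@@ -43,7 +43,7 @@ jobs:
 python tools/boostdep/depinst/depinst.py --git_args "--jobs 3" $LIBRARY
 
 - name: Fuzz corpus
-uses: actions/cache@v3.3.1
+uses: actions/cache@v4
 id: cache-corpus
 with:
 path: ${{ github.workspace }}/corpus.tar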

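--- a/example/http/client/async-ssl-system-executor/http_client_async_ssl_system_executor.cpp
+++ b/example/http/client/async-ssl-system-executor/http_client_async_ssl_system_executor.cpp
@@ -77,7 +77,19 @@ class session : public std::enable_shared_from_this<session>
 // Set SNI Hostname (many hosts need this to handshake successfully)
 if(! SSL_set_tlsext_host_name(stream_.native_handle(), host))
 {
-beast::error_code ec{static_cast<int>(::ERR_get_error()), net::error::get_ssl_category()};
+beast::error_code ec{
+static_cast<int>(::ERR_get_error()),
+net::error::get_ssl_category()};
+std::cerr << ec.message() << "\n";
+return;
+}
+
+// Set the expected hostname in the peer certificate for verification
+if(! SSL_set1_host(stream_.native_handle(), host))
+{
+beast::error_code ec{
+static_cast<int>(::ERR_get_error()),
+net::error::get_ssl_category()};
 std::cerr << ec.message() << "\n";
 return;
 }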
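Review bot: The new `SSL_set1_host` call only makes the handshake fail on a name mismatch when the stream's verify mode is `ssl::verify_peer`, and nothing in this hunk sets it; the websocket examples in this commit add `ctx.set_verify_mode(ssl::verify_peer);` in `main`, so confirm the http examples already do so outside the hunk, otherwise the new check is inert. I would make that dependency visible in the new comment, e.g. `// Set the expected hostname in the peer certificate for verification (enforced only with verify_peer)`. A further caveat for all five http client examples in this commit (this one, async-ssl, awaitable-ssl, coro-ssl, sync-ssl): `SSL_set1_host` matches DNS names, so running an example against an IP literal will presumably fail verification even with a valid certificate, where `X509_VERIFY_PARAM_set1_ip_asc` on the stream's verify parameters would be the matching call. The enclosing member function starts and ends outside the hunk.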

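--- a/example/http/client/async-ssl/http_client_async_ssl.cpp
+++ b/example/http/client/async-ssl/http_client_async_ssl.cpp
@@ -69,7 +69,19 @@ class session : public std::enable_shared_from_this<session>
 // Set SNI Hostname (many hosts need this to handshake successfully)
 if(! SSL_set_tlsext_host_name(stream_.native_handle(), host))
 {
-beast::error_code ec{static_cast<int>(::ERR_get_error()), net::error::get_ssl_category()};
+beast::error_code ec{
+static_cast<int>(::ERR_get_error()),
+net::error::get_ssl_category()};
+std::cerr << ec.message() << "\n";
+return;
+}
+
+// Set the expected hostname in the peer certificate for verification
+if(! SSL_set1_host(stream_.native_handle(), host))
+{
+beast::error_code ec{
+static_cast<int>(::ERR_get_error()),
+net::error::get_ssl_category()};
 std::cerr << ec.message() << "\n";
 return;
 }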

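--- a/example/http/client/awaitable-ssl/http_client_awaitable_ssl.cpp
+++ b/example/http/client/awaitable-ssl/http_client_awaitable_ssl.cpp
@@ -51,9 +51,17 @@ do_session(
 auto stream = ssl::stream<beast::tcp_stream>{ executor, ctx };
 
 // Set SNI Hostname (many hosts need this to handshake successfully)
-if(!SSL_set_tlsext_host_name(stream.native_handle(), host.c_str()))
+if(! SSL_set_tlsext_host_name(stream.native_handle(), host.c_str()))
 {
-throw boost::system::system_error(
+throw beast::system_error(
+static_cast<int>(::ERR_get_error()),
+net::error::get_ssl_category());
+}
+
+// Set the expected hostname in the peer certificate for verification
+if(! SSL_set1_host(stream.native_handle(), host.c_str()))
+{
+throw beast::system_error(
 static_cast<int>(::ERR_get_error()),
 net::error::get_ssl_category());
 }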

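--- a/example/http/client/coro-ssl/http_client_coro_ssl.cpp
+++ b/example/http/client/coro-ssl/http_client_coro_ssl.cpp
@@ -65,6 +65,14 @@ do_session(
 return;
 }
 
+// Set the expected hostname in the peer certificate for verification
+if(! SSL_set1_host(stream.native_handle(), host.c_str()))
+{
+ec.assign(static_cast<int>(::ERR_get_error()), net::error::get_ssl_category());
+std::cerr << ec.message() << "\n";
+return;
+}
+
 // Look up the domain name
 auto const results = resolver.async_resolve(host, port, yield[ec]);
 if(ec)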

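--- a/example/http/client/sync-ssl/http_client_sync_ssl.cpp
+++ b/example/http/client/sync-ssl/http_client_sync_ssl.cpp
@@ -69,8 +69,17 @@ int main(int argc, char** argv)
 // Set SNI Hostname (many hosts need this to handshake successfully)
 if(! SSL_set_tlsext_host_name(stream.native_handle(), host))
 {
-beast::error_code ec{static_cast<int>(::ERR_get_error()), net::error::get_ssl_category()};
-throw beast::system_error{ec};
+throw beast::system_error(
+static_cast<int>(::ERR_get_error()),
+net::error::get_ssl_category());
+}
+
+// Set the expected hostname in the peer certificate for verification
+if(! SSL_set1_host(stream.native_handle(), host))
+{
+throw beast::system_error(
+static_cast<int>(::ERR_get_error()),
+net::error::get_ssl_category());
 }
 
 // Look up the domain name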

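--- a/example/websocket/client/async-ssl-system-executor/websocket_client_async_ssl_system_executor.cpp
+++ b/example/websocket/client/async-ssl-system-executor/websocket_client_async_ssl_system_executor.cpp
@@ -116,13 +116,17 @@ class session : public std::enable_shared_from_this<session>
 beast::get_lowest_layer(ws_).expires_after(std::chrono::seconds(30));
 
 // Set SNI Hostname (many hosts need this to handshake successfully)
-if(! SSL_set_tlsext_host_name(
-ws_.next_layer().native_handle(),
-host_.c_str()))
+if(! SSL_set_tlsext_host_name(ws_.next_layer().native_handle(), host_.c_str()))
 {
-ec = beast::error_code(static_cast<int>(::ERR_get_error()),
-net::error::get_ssl_category());
-return fail(ec, "connect");
+ec.assign(static_cast<int>(::ERR_get_error()), net::error::get_ssl_category());
+return fail(ec, "connect");
+}
+
+// Set the expected hostname in the peer certificate for verification
+if(! SSL_set1_host(ws_.next_layer().native_handle(), host_.c_str()))
+{
+ec.assign(static_cast<int>(::ERR_get_error()), net::error::get_ssl_category());
+return fail(ec, "connect");
 }
 
 // Update the host_ string. This will provide the value of the
@@ -252,6 +256,9 @@ int main(int argc, char** argv)
 // The SSL context is required, and holds certificates
 ssl::context ctx{ssl::context::tlsv12_client};
 
+// Verify the remote server's certificate
+ctx.set_verify_mode(ssl::verify_peer);
+
 // This holds the root certificate used for verification
 load_root_certificates(ctx);
 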
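Review bot: Both failure branches in the hunk at line 116 report `fail(ec, "connect")`, so a log line cannot tell an SNI failure, a hostname-pinning failure and a genuine connect failure apart; I would label the new branch `return fail(ec, "SSL_set1_host");` and the SNI branch correspondingly. The same reused label appears in the websocket async-ssl and coro-ssl sections of this commit. Note also that `SSL_set1_host` can return 0 without queueing an OpenSSL error, in which case `ec` is assigned a zero value and the printed message would read as success for an aborted connection; if that matters, fall back to a fixed code such as `net::error::invalid_argument` when `! ec`. The enclosing member function starts and ends outside the hunk.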
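--- a/example/websocket/client/async-ssl/websocket_client_async_ssl.cpp
+++ b/example/websocket/client/async-ssl/websocket_client_async_ssl.cpp
@@ -108,12 +108,16 @@ class session : public std::enable_shared_from_this<session>
 beast::get_lowest_layer(ws_).expires_after(std::chrono::seconds(30));
 
 // Set SNI Hostname (many hosts need this to handshake successfully)
-if(! SSL_set_tlsext_host_name(
-ws_.next_layer().native_handle(),
-host_.c_str()))
+if(! SSL_set_tlsext_host_name(ws_.next_layer().native_handle(), host_.c_str()))
 {
-ec = beast::error_code(static_cast<int>(::ERR_get_error()),
-net::error::get_ssl_category());
+ec.assign(static_cast<int>(::ERR_get_error()), net::error::get_ssl_category());
+return fail(ec, "connect");
+}
+
+// Set the expected hostname in the peer certificate for verification
+if(! SSL_set1_host(ws_.next_layer().native_handle(), host_.c_str()))
+{
+ec.assign(static_cast<int>(::ERR_get_error()), net::error::get_ssl_category());
 return fail(ec, "connect");
 }
 
@@ -246,6 +250,9 @@ int main(int argc, char** argv)
 // The SSL context is required, and holds certificates
 ssl::context ctx{ssl::context::tlsv12_client};
 
+// Verify the remote server's certificate
+ctx.set_verify_mode(ssl::verify_peer);
+
 // This holds the root certificate used for verification
 load_root_certificates(ctx);
 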
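--- a/example/websocket/client/coro-ssl/websocket_client_coro_ssl.cpp
+++ b/example/websocket/client/coro-ssl/websocket_client_coro_ssl.cpp
@@ -71,12 +71,16 @@ do_session(
 return fail(ec, "connect");
 
 // Set SNI Hostname (many hosts need this to handshake successfully)
-if(! SSL_set_tlsext_host_name(
-ws.next_layer().native_handle(),
-host.c_str()))
+if(! SSL_set_tlsext_host_name(ws.next_layer().native_handle(), host.c_str()))
 {
-ec = beast::error_code(static_cast<int>(::ERR_get_error()),
-net::error::get_ssl_category());
+ec.assign(static_cast<int>(::ERR_get_error()), net::error::get_ssl_category());
+return fail(ec, "connect");
+}
+
+// Set the expected hostname in the peer certificate for verification
+if(! SSL_set1_host(ws.next_layer().native_handle(), host.c_str()))
+{
+ec.assign(static_cast<int>(::ERR_get_error()), net::error::get_ssl_category());
 return fail(ec, "connect");
 }
 
@@ -163,6 +167,9 @@ int main(int argc, char** argv)
 // The SSL context is required, and holds certificates
 ssl::context ctx{ssl::context::tlsv12_client};
 
+// Verify the remote server's certificate
+ctx.set_verify_mode(ssl::verify_peer);
+
 // This holds the root certificate used for verification
 load_root_certificates(ctx);
 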