Add SSL cert validation callback #826
Conversation
ckasabula
force-pushed
the
ck/ssl_verification_callback_take2
branch
from
ea88eca to
8df350f
Compare
| @@ -2594,6 +2594,8 @@ natsOptions_SetExpectedHostname(natsOptions *opts, const char *hostname); | |||
| * By default, the server certificate is verified. You can disable the verification | |||
There was a problem hiding this comment.
I am not sure what the discussion you had with @levb and @mtmk was, but I think your first approach may have been a bit better with the abstraction.
This PR would not compile as-is. You would need to add at the top of this file something like:
#if defined(NATS_HAS_TLS)
#include <openssl/ssl.h>
#include <openssl/x509v3.h>
#endif
There was a problem hiding this comment.
Also, in CMakeLists.txt of examples, examples/getstarted, examples/stan and test/dylib directories, you would need to add:
if(NATS_BUILD_WITH_TLS)
include_directories(${OPENSSL_INCLUDE_DIR})
endif(NATS_BUILD_WITH_TLS)
so that those can be built with the openssl include directory.
src/nats.h
Outdated
| typedef struct x509_store_ctx_st X509_STORE_CTX; | ||
| typedef int (*SSL_verify_cb)(int preverify_ok, X509_STORE_CTX *x509_ctx); |
There was a problem hiding this comment.
Remove those 2 lines. This would cause errors otherwise saying that you are redefining them.
src/nats.h
Outdated
| @@ -2602,6 +2604,21 @@ natsOptions_SetExpectedHostname(natsOptions *opts, const char *hostname); | |||
| NATS_EXTERN natsStatus | |||
| natsOptions_SkipServerVerification(natsOptions *opts, bool skip); | |||
|
|
|||
| typedef struct x509_store_ctx_st X509_STORE_CTX; | |||
| typedef int (*SSL_verify_cb)(int preverify_ok, X509_STORE_CTX *x509_ctx); | |||
|
|
|||
There was a problem hiding this comment.
This whole function would need to be protected by the #if defined(NATS_HAS_TLS) / #endif because of SSL_verify_cb symbol.
| */ | ||
| NATS_EXTERN natsStatus | ||
| natsOptions_SetSSLVerificationCallback(natsOptions *opts, SSL_verify_cb callback); | ||
|
|
There was a problem hiding this comment.
This option will not show-up in the generated documentation as it stands. We would need to add to DoxyFile.NATS.Client.in:
diff --git a/doc/DoxyFile.NATS.Client.in b/doc/DoxyFile.NATS.Client.in
index be4b3485..8d70f132 100644
--- a/doc/DoxyFile.NATS.Client.in
+++ b/doc/DoxyFile.NATS.Client.in
@@ -2279,7 +2279,8 @@ INCLUDE_FILE_PATTERNS =
# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
PREDEFINED = BUILD_IN_DOXYGEN \
- @NATS_DOC_INCLUDE_STREAMING@
+ @NATS_DOC_INCLUDE_STREAMING@ \
+ @NATS_DOC_INCLUDE_TLS@
# If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then this
# tag can be used to specify a list of macro names that should be expanded. The
and in the main CMakeLists.txt:
iMacSynadia:build ivan$ git diff
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 413e0523..534de81e 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -246,6 +246,7 @@ if(NATS_BUILD_WITH_TLS)
if(NATS_BUILD_TLS_FORCE_HOST_VERIFY)
add_definitions(-DNATS_FORCE_HOST_VERIFICATION)
endif(NATS_BUILD_TLS_FORCE_HOST_VERIFY)
+ set(NATS_DOC_INCLUDE_TLS "NATS_HAS_TLS")
endif(NATS_BUILD_WITH_TLS)
When generating docs, it will update the file DoxyFile.NATS.Client:
diff --git a/doc/DoxyFile.NATS.Client b/doc/DoxyFile.NATS.Client
index 2157d431..acd3a0c6 100644
--- a/doc/DoxyFile.NATS.Client
+++ b/doc/DoxyFile.NATS.Client
@@ -2279,7 +2279,8 @@ INCLUDE_FILE_PATTERNS =
# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
PREDEFINED = BUILD_IN_DOXYGEN \
- NATS_HAS_STREAMING
+ NATS_HAS_STREAMING \
+ NATS_HAS_TLS
# If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then this
# tag can be used to specify a list of macro names that should be expanded. The
|
@kozlovic I went with the abstraction originally so the client wouldn't need to include openssl headers and link w/ openssl. |
Not sure what you mean by |
|
@kozlovic I mean the code/application that uses the library.
|
|
@kozlovic I believe I have addressed your comments. I also updated the docs, which resulted in a lot of diffs. Let me know what you think. |
| @@ -2279,7 +2279,8 @@ INCLUDE_FILE_PATTERNS = | |||
| # This tag requires that the tag ENABLE_PREPROCESSING is set to YES. | |||
|
|
|||
| PREDEFINED = BUILD_IN_DOXYGEN \ | |||
| @NATS_DOC_INCLUDE_STREAMING@ | |||
| @NATS_DOC_INCLUDE_STREAMING@ \ | |||
| @NATS_DOC_INCLUDE_TLS@ | |||
There was a problem hiding this comment.
You need to do a make edit_cache and enable the NATS_UPDATE_DOC option. After that, do a make and it should rebuild but will generate the DoxyFile.NATS.Client (notice the extension that is not .in), which will be added to the changes.
| @@ -27,6 +27,13 @@ extern "C" { | |||
| #include "status.h" | |||
| #include "version.h" | |||
|
|
|||
| #if defined(NATS_HAS_TLS) | |||
| #include <openssl/ssl.h> | |||
There was a problem hiding this comment.
You need to add:
#include <openssl/x509v3.h>
Without this, I can't compile it on Windows.
| @@ -13,6 +13,10 @@ if(NOT NATS_BUILD_STATIC_EXAMPLES) | |||
| add_definitions(-Dnats_IMPORTS) | |||
| endif() | |||
|
|
|||
| if(NATS_BUILD_WITH_TLS) | |||
There was a problem hiding this comment.
You are missing this in the stan/CMakeLists.txt file.
No description provided.