ssl config #1905

Merged
merged 3 commits into from
Dec 29, 2023
Merged
4 changes: 4 additions & 0 deletions CMakeLists.txt
Expand Up @@ -6,6 +6,10 @@

cmake_minimum_required(VERSION 3.12)

if(${CMAKE_VERSION} VERSION_GREATER_EQUAL "3.27")
cmake_policy(SET CMP0144 NEW)
endif()

find_program(CCACHE_FOUND ccache)
if(CCACHE_FOUND)
set_property(GLOBAL PROPERTY RULE_LAUNCH_COMPILE ccache)
3 changes: 0 additions & 3 deletions cmake/functions.cmake
Expand Up @@ -32,9 +32,6 @@ function(addtest_part test_name)
target_sources(${test_name} PUBLIC
${ARGN}
)
target_link_libraries(${test_name}
GTest::gtest
)
endfunction()

# conditionally applies flag. If flag is supported by current compiler, it will be added to compile options.
31 changes: 5 additions & 26 deletions core/offchain/impl/http_request.cpp
Expand Up @@ -23,27 +23,9 @@ namespace kagome::offchain {
HttpRequest::HttpRequest(RequestId id)
: id_(id),
resolver_(io_context_),
ssl_ctx_(boost::asio::ssl::context::sslv23),
deadline_timer_(io_context_),
log_(log::createLogger("HttpRequest#" + std::to_string(id_),
"offchain")) {
ssl_ctx_.set_default_verify_paths();
ssl_ctx_.set_verify_mode(boost::asio::ssl::verify_peer);
ssl_ctx_.set_verify_callback(
[log = log_, wp = weak_from_this()](
bool preverified, boost::asio::ssl::verify_context &ctx) {
// We will simply print the certificate's subject name here
char subject_name[256];
X509 *cert = X509_STORE_CTX_get_current_cert(ctx.native_handle());
X509_NAME_oneline(X509_get_subject_name(cert), subject_name, 256);
SL_WARN(log,
"Verifying [{}] was {}",
subject_name,
preverified ? "Successful" : "Failed");

return preverified;
});
}
"offchain")) {}

bool HttpRequest::init(HttpMethod method,
std::string_view uri_arg,
Expand Down Expand Up @@ -85,7 +67,10 @@ namespace kagome::offchain {

if (uri_.Schema == "https") {
secure_ = true;
stream_ = std::make_unique<SslStream>(io_context_, ssl_ctx_);
if (not ssl_ctx_) {
ssl_ctx_.emplace(uri_.Host);
}
stream_ = std::make_unique<SslStream>(io_context_, *ssl_ctx_);
} else if (uri_.Schema == "http") {
secure_ = false;
stream_ = std::make_unique<TcpStream>(io_context_);
Expand Down Expand Up @@ -329,16 +314,10 @@ namespace kagome::offchain {

if (secure_) {
auto &stream = *boost::relaxed_get<SslStreamPtr>(stream_);
boost::system::error_code ec;
boost::beast::get_lowest_layer(stream).socket().shutdown(
boost::asio::ip::tcp::socket::shutdown_send, ec);
boost::beast::http::async_read(
stream, buffer_, parser_, std::move(read_handler));
} else {
auto &stream = *boost::relaxed_get<TcpStreamPtr>(stream_);
boost::system::error_code ec;
boost::beast::get_lowest_layer(stream).socket().shutdown(
boost::asio::ip::tcp::socket::shutdown_send, ec);
boost::beast::http::async_read(
stream, buffer_, parser_, std::move(read_handler));
}
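Review bot: In init(), `if (not ssl_ctx_) { ssl_ctx_.emplace(uri_.Host); }` binds the rfc2818 hostname check to whichever host the first https init() saw, so a later init() on the same HttpRequest with a different https host would have its certificate checked against the first hostname — either rejecting a valid certificate or accepting one issued for the earlier host. I cannot see from the hunk whether init() can be called more than once, but the guard saves little next to the request itself, so `ssl_ctx_.emplace(uri_.Host);` without the condition is the safer form; the SSL object created by SslStream holds its own reference to the underlying OpenSSL SSL_CTX, so replacing the optional just before `stream_` is reassigned looks safe, but that is worth confirming. The same pattern appears in core/telemetry/impl/connection_impl.cpp with the host taken from `endpoint_.uri().Host`. init() starts and ends outside the hunk.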
3 changes: 2 additions & 1 deletion core/offchain/impl/http_request.hpp
Expand Up @@ -18,6 +18,7 @@
#include "common/uri.hpp"
#include "log/logger.hpp"
#include "offchain/types.hpp"
#include "utils/asio_ssl_context_client.hpp"

namespace kagome::offchain {

Expand Down Expand Up @@ -63,7 +64,7 @@ namespace kagome::offchain {
int16_t id_;

boost::asio::ip::tcp::resolver resolver_;
boost::asio::ssl::context ssl_ctx_;
std::optional<AsioSslContextClient> ssl_ctx_;

using TcpStream = boost::beast::tcp_stream;
using SslStream = boost::beast::ssl_stream<TcpStream>;
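Review bot: `std::optional<AsioSslContextClient> ssl_ctx_;` needs `<optional>`, and the only include this hunk adds is `utils/asio_ssl_context_client.hpp`, which as added in this PR includes just the two Boost SSL headers and `<filesystem>`; unless `<optional>` arrives transitively, add `#include <optional>` to the system-header group. The member also deserves a comment stating when it is populated, e.g. `// Created lazily in init() for https URIs; the verification callback is bound to the host given at construction.` The same two points apply to ssl_ctx_ in core/telemetry/impl/connection_impl.hpp.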
6 changes: 4 additions & 2 deletions core/telemetry/impl/connection_impl.cpp
Expand Up @@ -25,7 +25,6 @@ namespace kagome::telemetry {
callback_{std::move(callback)},
message_pool_{std::move(message_pool)},
scheduler_{std::move(scheduler)},
ssl_ctx_{boost::asio::ssl::context::sslv23},
resolver_{boost::asio::make_strand(*io_context_)} {
BOOST_ASSERT(io_context_);
BOOST_ASSERT(message_pool_);
Expand Down Expand Up @@ -86,8 +85,11 @@ namespace kagome::telemetry {
path_ = path.empty() ? "/" : path;

if (secure_) {
if (not ssl_ctx_) {
ssl_ctx_.emplace(endpoint_.uri().Host);
}
ws_ = std::make_unique<WsSslStream>(
boost::asio::make_strand(*io_context_), ssl_ctx_);
boost::asio::make_strand(*io_context_), *ssl_ctx_);
} else {
ws_ =
std::make_unique<WsTcpStream>(boost::asio::make_strand(*io_context_));
3 changes: 2 additions & 1 deletion core/telemetry/impl/connection_impl.hpp
Expand Up @@ -24,6 +24,7 @@
#include <libp2p/basic/scheduler.hpp>
#include "log/logger.hpp"
#include "telemetry/impl/message_pool.hpp"
#include "utils/asio_ssl_context_client.hpp"

namespace kagome::telemetry {

Expand Down Expand Up @@ -135,7 +136,7 @@ namespace kagome::telemetry {
std::string path_;
std::string ws_handshake_hostname_;

boost::asio::ssl::context ssl_ctx_;
std::optional<AsioSslContextClient> ssl_ctx_;
boost::asio::ip::tcp::resolver resolver_;
boost::variant<WsTcpStreamPtr, WsSslStreamPtr> ws_;

38 changes: 38 additions & 0 deletions core/utils/asio_ssl_context_client.hpp
@@ -0,0 +1,38 @@
/**
* Copyright Quadrivium LLC
* All Rights Reserved
* SPDX-License-Identifier: Apache-2.0
*/

#pragma once

#include <boost/asio/ssl/context.hpp>
#include <boost/asio/ssl/rfc2818_verification.hpp>
#include <filesystem>

namespace kagome {
// TODO(turuslan): move to qtils, reuse for libp2p "/wss"
struct AsioSslContextClient : boost::asio::ssl::context {
AsioSslContextClient(const std::string &host)
: context{context::tlsv13_client} {
// X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
// X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
[[maybe_unused]] static bool find_system_certificates = [] {
constexpr auto extra = "/etc/ssl/cert.pem";
if (getenv(X509_get_default_cert_file_env()) == nullptr
and getenv(X509_get_default_cert_dir_env()) == nullptr
and std::string_view{X509_get_default_cert_file()} != extra
and std::filesystem::exists(extra)) {
setenv(X509_get_default_cert_file_env(), extra, true);
}
return true;
}();
set_options(context::default_workarounds | context::no_sslv2
| context::no_sslv3 | context::no_tlsv1 | context::no_tlsv1_1
| context::no_tlsv1_2 | context::single_dh_use);
Oh, so strict.. Okay

set_default_verify_paths();
set_verify_mode(boost::asio::ssl::verify_peer);
set_verify_callback(boost::asio::ssl::rfc2818_verification{host});
}
};
} // namespace kagome
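Review bot: `std::filesystem::exists(extra)` in the find_system_certificates initializer is the throwing overload, so a permission error on `/etc/ssl/cert.pem` surfaces as a `std::filesystem::filesystem_error` from the AsioSslContextClient constructor (and, since it sits inside a function-local static initializer, the probe is retried on every construction until it succeeds); prefer `std::error_code ec;` and `and std::filesystem::exists(extra, ec)) {` so a failed probe simply skips the fallback. The `setenv` on OpenSSL's default-cert-file variable is process-wide and changes what every OpenSSL user in the process loads, which the two `X509_V_ERR_...` comment lines do not convey; replace them with a comment such as `// Once per process: if OpenSSL's compiled-in cert file path is not the system one and no cert env vars are set, point the default-cert-file env var at /etc/ssl/cert.pem so set_default_verify_paths() below finds the system trust store.` `getenv`/`setenv`, `std::string` and `std::string_view` are used without `<cstdlib>`, `<string>` or `<string_view>` being included, presumably reached transitively through the Boost headers — worth including directly. If the project's Boost is 1.73 or newer, `boost::asio::ssl::host_name_verification` is the non-deprecated replacement for `rfc2818_verification`.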