From efe808764e948a17a585423e290656ea37e1473c Mon Sep 17 00:00:00 2001 From: Salvo Passaro Date: Sat, 25 Nov 2023 18:41:52 +0100 Subject: [PATCH 1/3] impl::TlsTransport: OpenSSL's default verify paths if mIsClient rather than only when a certificate is not provided --- src/impl/tlstransport.cpp | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/src/impl/tlstransport.cpp b/src/impl/tlstransport.cpp index 0cca128cd..e04d0736c 100644 --- a/src/impl/tlstransport.cpp +++ b/src/impl/tlstransport.cpp @@ -592,14 +592,16 @@ TlsTransport::TlsTransport(variant, shared_ptrcredentials(); SSL_CTX_use_certificate(mCtx, x509); SSL_CTX_use_PrivateKey(mCtx, pkey); - } else { - if (!SSL_CTX_set_default_verify_paths(mCtx)) { - PLOG_WARNING << "SSL root CA certificates unavailable"; - } } SSL_CTX_set_options(mCtx, SSL_OP_NO_SSLv3 | SSL_OP_NO_RENEGOTIATION); From 47d0ec8c3b516c6b6fde8ade096469a5f5b5bf6a Mon Sep 17 00:00:00 2001 From: Salvo Passaro Date: Tue, 28 Nov 2023 21:18:50 +0100 Subject: [PATCH 2/3] WebSocket: allow client to provide a TLS certificate consistently with WebSocketServer --- include/rtc/websocket.hpp | 8 +++++++- src/websocket.cpp | 19 +++++++++++++++++-- 2 files changed, 24 insertions(+), 3 deletions(-) diff --git a/include/rtc/websocket.hpp b/include/rtc/websocket.hpp index 6f76f7a09..e63a54f7b 100644 --- a/include/rtc/websocket.hpp +++ b/include/rtc/websocket.hpp @@ -20,6 +20,7 @@ namespace rtc { namespace impl { struct WebSocket; +class Certificate; } @@ -40,10 +41,13 @@ class RTC_CPP_EXPORT WebSocket final : private CheshireCat, pub optional pingInterval; // zero to disable optional maxOutstandingPings; optional caCertificatePemFile; + optional certificatePemFile; + optional keyPemFile; + optional keyPemPass; }; WebSocket(); - WebSocket(Configuration config); + WebSocket(const Configuration& config); WebSocket(impl_ptr impl); ~WebSocket() override; 
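Review bot: The removed else-branch shows that a failed `SSL_CTX_set_default_verify_paths(mCtx)` was only a `PLOG_WARNING << "SSL root CA certificates unavailable"`, and since the `+` side of this hunk is not visible in this excerpt (the diffstat reports 6 insertions but no added lines survive) I cannot confirm that the relocated call under `mIsClient` does better. If it keeps that behaviour, a client on a host with no usable CA bundle continues with an empty trust store, and whether the handshake then fails closed depends on the verify mode configured elsewhere in this constructor, which the hunk does not show. I would have the client path fail construction when the default paths cannot be loaded and no explicit CA file was supplied, or at least document the dependency next to the call: `// Client: load the system trust store; this only matters if SSL_VERIFY_PEER is set on mCtx`. `TlsTransport::TlsTransport` starts and ends outside the hunk.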
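Review bot: The three new public `Configuration` fields `certificatePemFile`, `keyPemFile` and `keyPemPass` carry no comment, unlike `pingInterval` just above them, and `keyPemPass` is a plaintext secret that lives in a copyable struct for as long as any copy of the configuration exists. I would annotate them in the header: `optional<string> certificatePemFile; // client certificate (PEM) presented in the TLS handshake; must be set together with keyPemFile` and `optional<string> keyPemPass; // passphrase for an encrypted key, held in memory as plaintext`. Note also that this hunk's change of the constructor to `WebSocket(const Configuration& config)` is reverted by PATCH 3/3 below, so the by-value signature is what lands.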
@@ -63,6 +67,8 @@ class RTC_CPP_EXPORT WebSocket final : private CheshireCat, pub optional path() const; private: + static shared_ptr loadCertificate(const Configuration&); + using CheshireCat::impl; }; diff --git a/src/websocket.cpp b/src/websocket.cpp index 32458ec64..d574f12a4 100644 --- a/src/websocket.cpp +++ b/src/websocket.cpp @@ -13,13 +13,14 @@ #include "impl/internals.hpp" #include "impl/websocket.hpp" +#include "impl/certificate.hpp" namespace rtc { WebSocket::WebSocket() : WebSocket(Configuration()) {} -WebSocket::WebSocket(Configuration config) - : CheshireCat(std::move(config)), +WebSocket::WebSocket(const Configuration& config) + : CheshireCat(config, loadCertificate(config)), Channel(std::dynamic_pointer_cast(CheshireCat::impl())) {} WebSocket::WebSocket(impl_ptr impl) @@ -68,6 +69,20 @@ optional WebSocket::path() const { return state != State::Connecting && handshake ? make_optional(handshake->path()) : nullopt; } +impl::certificate_ptr WebSocket::loadCertificate(const Configuration& config) { + if (!config.certificatePemFile && !config.keyPemFile) + return nullptr; + + if (config.certificatePemFile && config.keyPemFile) { + return std::make_shared( + impl::Certificate::FromFile(*config.certificatePemFile, *config.keyPemFile, + config.keyPemPass.value_or(""))); + } + + throw std::invalid_argument( + "Either none or both certificate and key PEM files must be specified"); +} + } // namespace rtc #endif From 9167c31d5b35c43a8a4129cad7621f2a7dc6cacf Mon Sep 17 00:00:00 2001 From: Salvo Passaro Date: Thu, 30 Nov 2023 16:50:17 +0100 Subject: [PATCH 3/3] WebSocket: move client certificate loading to impl --- include/rtc/websocket.hpp | 5 +---- src/impl/websocket.cpp | 17 +++++++++++++++-- src/impl/websocket.hpp | 2 ++ src/websocket.cpp | 19 ++----------------- 4 files changed, 20 insertions(+), 23 deletions(-) diff --git a/include/rtc/websocket.hpp b/include/rtc/websocket.hpp index e63a54f7b..e6ce727ab 100644 --- a/include/rtc/websocket.hpp 
+++ b/include/rtc/websocket.hpp @@ -20,7 +20,6 @@ namespace rtc { namespace impl { struct WebSocket; -class Certificate; } @@ -47,7 +46,7 @@ class RTC_CPP_EXPORT WebSocket final : private CheshireCat, pub }; WebSocket(); - WebSocket(const Configuration& config); + WebSocket(Configuration config); WebSocket(impl_ptr impl); ~WebSocket() override; @@ -67,8 +66,6 @@ class RTC_CPP_EXPORT WebSocket final : private CheshireCat, pub optional path() const; private: - static shared_ptr loadCertificate(const Configuration&); - using CheshireCat::impl; }; diff --git a/src/impl/websocket.cpp b/src/impl/websocket.cpp index 77fe34bbe..a5c707247 100644 --- a/src/impl/websocket.cpp +++ b/src/impl/websocket.cpp @@ -36,8 +36,8 @@ using std::chrono::milliseconds; WebSocket::WebSocket(optional optConfig, certificate_ptr certificate) : config(optConfig ? std::move(*optConfig) : Configuration()), - mCertificate(std::move(certificate)), mIsSecure(mCertificate != nullptr), - mRecvQueue(RECV_QUEUE_LIMIT, message_size_func) { + mCertificate(certificate ? std::move(certificate) : std::move(loadCertificate(config))), + mIsSecure(mCertificate != nullptr), mRecvQueue(RECV_QUEUE_LIMIT, message_size_func) { PLOG_VERBOSE << "Creating WebSocket"; if (config.proxyServer) { if (config.proxyServer->type == ProxyServer::Type::Socks5) @@ -49,6 +49,19 @@ WebSocket::WebSocket(optional optConfig, certificate_ptr certific } } +certificate_ptr WebSocket::loadCertificate(const Configuration& config) { + if (!config.certificatePemFile) + return nullptr; + + if (config.keyPemFile) + return std::make_shared( + Certificate::FromFile(*config.certificatePemFile, *config.keyPemFile, + config.keyPemPass.value_or(""))); + + throw std::invalid_argument( + "Either none or both certificate and key PEM files must be specified"); +} + WebSocket::~WebSocket() { PLOG_VERBOSE << "Destroying WebSocket"; } void WebSocket::open(const string &url) { 
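Review bot: In the rewritten initializer `mCertificate(certificate ? std::move(certificate) : std::move(loadCertificate(config)))`, the second `std::move` wraps a prvalue and is redundant; `mCertificate(certificate ? std::move(certificate) : loadCertificate(config))` does the same. More importantly the initializer reads `config`, which is only safe if `config` is declared before `mCertificate` in `impl::WebSocket` (members are initialized in declaration order, not initializer-list order); the class declaration is not in this hunk, so please confirm and leave a marker such as `// relies on `config` being declared before mCertificate`. `loadCertificate` can also throw `std::invalid_argument` from this initializer, which escapes the constructor and deserves a line in the header documentation. The constructor body continues outside the hunk.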
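Review bot: `loadCertificate` in this hunk silently accepts a configuration that sets `keyPemFile` without `certificatePemFile`: the first guard `if (!config.certificatePemFile) return nullptr;` returns before the key is ever examined, so that misconfiguration leaves `mCertificate` null (and `mIsSecure` initialised false from it) instead of raising the `std::invalid_argument` whose message promises "Either none or both certificate and key PEM files must be specified". The PATCH 2/3 version checked both sides; restoring that keeps the fail-closed behaviour: `if (!config.certificatePemFile && !config.keyPemFile) return nullptr;` then `if (config.certificatePemFile && config.keyPemFile) return std::make_shared<Certificate>(Certificate::FromFile(...));` followed by the throw. Separately, `config.keyPemPass.value_or("")` hands an empty passphrase to `Certificate::FromFile` when none is configured; what that does for an encrypted key depends on `FromFile`, which is not visible here, so the field documentation should say whether an empty passphrase means "key is unencrypted" or something else.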
diff --git a/src/impl/websocket.hpp b/src/impl/websocket.hpp index 9287cf08b..ef82068d8 100644 --- a/src/impl/websocket.hpp +++ b/src/impl/websocket.hpp @@ -67,6 +67,8 @@ struct WebSocket final : public Channel, public std::enable_shared_from_this state = State::Closed; private: + static certificate_ptr loadCertificate(const Configuration& config); + void scheduleConnectionTimeout(); const init_token mInitToken = Init::Instance().token(); diff --git a/src/websocket.cpp b/src/websocket.cpp index d574f12a4..32458ec64 100644 --- a/src/websocket.cpp +++ b/src/websocket.cpp @@ -13,14 +13,13 @@ #include "impl/internals.hpp" #include "impl/websocket.hpp" -#include "impl/certificate.hpp" namespace rtc { WebSocket::WebSocket() : WebSocket(Configuration()) {} -WebSocket::WebSocket(const Configuration& config) - : CheshireCat(config, loadCertificate(config)), +WebSocket::WebSocket(Configuration config) + : CheshireCat(std::move(config)), Channel(std::dynamic_pointer_cast(CheshireCat::impl())) {} WebSocket::WebSocket(impl_ptr impl) @@ -69,20 +68,6 @@ optional WebSocket::path() const { return state != State::Connecting && handshake ? make_optional(handshake->path()) : nullopt; } -impl::certificate_ptr WebSocket::loadCertificate(const Configuration& config) { - if (!config.certificatePemFile && !config.keyPemFile) - return nullptr; - - if (config.certificatePemFile && config.keyPemFile) { - return std::make_shared( - impl::Certificate::FromFile(*config.certificatePemFile, *config.keyPemFile, - config.keyPemPass.value_or(""))); - } - - throw std::invalid_argument( - "Either none or both certificate and key PEM files must be specified"); -} - } // namespace rtc #endif