ssl config (#1905)
Signed-off-by: turuslan <[email protected]>
turuslan authored Dec 29, 2023
1 parent fabe411 commit a0dd372
Showing 5 changed files with 51 additions and 30 deletions.
31 changes: 5 additions & 26 deletions core/offchain/impl/http_request.cpp
Expand Up @@ -23,27 +23,9 @@ namespace kagome::offchain {
HttpRequest::HttpRequest(RequestId id)
: id_(id),
resolver_(io_context_),
ssl_ctx_(boost::asio::ssl::context::sslv23),
deadline_timer_(io_context_),
log_(log::createLogger("HttpRequest#" + std::to_string(id_),
"offchain")) {
ssl_ctx_.set_default_verify_paths();
ssl_ctx_.set_verify_mode(boost::asio::ssl::verify_peer);
ssl_ctx_.set_verify_callback(
[log = log_, wp = weak_from_this()](
bool preverified, boost::asio::ssl::verify_context &ctx) {
// We will simply print the certificate's subject name here
char subject_name[256];
X509 *cert = X509_STORE_CTX_get_current_cert(ctx.native_handle());
X509_NAME_oneline(X509_get_subject_name(cert), subject_name, 256);
SL_WARN(log,
"Verifying [{}] was {}",
subject_name,
preverified ? "Successful" : "Failed");

return preverified;
});
}
"offchain")) {}

bool HttpRequest::init(HttpMethod method,
std::string_view uri_arg,
Expand Down Expand Up @@ -85,7 +67,10 @@ namespace kagome::offchain {

if (uri_.Schema == "https") {
secure_ = true;
stream_ = std::make_unique<SslStream>(io_context_, ssl_ctx_);
if (not ssl_ctx_) {
ssl_ctx_.emplace(uri_.Host);
}
stream_ = std::make_unique<SslStream>(io_context_, *ssl_ctx_);
} else if (uri_.Schema == "http") {
secure_ = false;
stream_ = std::make_unique<TcpStream>(io_context_);
Expand Down Expand Up @@ -329,16 +314,10 @@ namespace kagome::offchain {

if (secure_) {
auto &stream = *boost::relaxed_get<SslStreamPtr>(stream_);
boost::system::error_code ec;
boost::beast::get_lowest_layer(stream).socket().shutdown(
boost::asio::ip::tcp::socket::shutdown_send, ec);
boost::beast::http::async_read(
stream, buffer_, parser_, std::move(read_handler));
} else {
auto &stream = *boost::relaxed_get<TcpStreamPtr>(stream_);
boost::system::error_code ec;
boost::beast::get_lowest_layer(stream).socket().shutdown(
boost::asio::ip::tcp::socket::shutdown_send, ec);
boost::beast::http::async_read(
stream, buffer_, parser_, std::move(read_handler));
}
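Review bot: The lazily created `ssl_ctx_` in `init()` is bound to the first `uri_.Host` it sees, because `rfc2818_verification{host}` is captured inside `AsioSslContextClient` and the `if (not ssl_ctx_)` guard never replaces it; if `init()` can be called again on the same `HttpRequest` with a different https host, the peer certificate would be checked against the stale name (failing closed, but with a confusing handshake error). If re-init with a different host is not a supported use, a comment on the guard such as `// context is host-bound (hostname verification); created once per request` would document the invariant; otherwise emplace unconditionally, or when the host differs, before the new stream is built. The same pattern appears in connection_impl.cpp (`ssl_ctx_.emplace(endpoint_.uri().Host)`), where the endpoint presumably stays fixed for the connection's lifetime. The body of `HttpRequest::init` continues outside the hunk. Separately, the removed verify callback was the only place the verification outcome was logged; the new context reports failures only through the handshake error code, so it is worth confirming that the handshake completion handler logs `ec` together with the host.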
3 changes: 2 additions & 1 deletion core/offchain/impl/http_request.hpp
Expand Up @@ -18,6 +18,7 @@
#include "common/uri.hpp"
#include "log/logger.hpp"
#include "offchain/types.hpp"
#include "utils/asio_ssl_context_client.hpp"

namespace kagome::offchain {

Expand Down Expand Up @@ -63,7 +64,7 @@ namespace kagome::offchain {
int16_t id_;

boost::asio::ip::tcp::resolver resolver_;
boost::asio::ssl::context ssl_ctx_;
std::optional<AsioSslContextClient> ssl_ctx_;

using TcpStream = boost::beast::tcp_stream;
using SslStream = boost::beast::ssl_stream<TcpStream>;
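Review bot: `std::optional<AsioSslContextClient> ssl_ctx_;` relies on `<optional>` being in scope, but the visible include hunk adds only `utils/asio_ssl_context_client.hpp`, and that new header includes no `<optional>` either, so the name presumably arrives transitively through Boost; adding `#include <optional>` next to the standard headers keeps this header self-contained. The same applies to connection_impl.hpp, which receives the identical member.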
6 changes: 4 additions & 2 deletions core/telemetry/impl/connection_impl.cpp
Expand Up @@ -25,7 +25,6 @@ namespace kagome::telemetry {
callback_{std::move(callback)},
message_pool_{std::move(message_pool)},
scheduler_{std::move(scheduler)},
ssl_ctx_{boost::asio::ssl::context::sslv23},
resolver_{boost::asio::make_strand(*io_context_)} {
BOOST_ASSERT(io_context_);
BOOST_ASSERT(message_pool_);
Expand Down Expand Up @@ -86,8 +85,11 @@ namespace kagome::telemetry {
path_ = path.empty() ? "/" : path;

if (secure_) {
if (not ssl_ctx_) {
ssl_ctx_.emplace(endpoint_.uri().Host);
}
ws_ = std::make_unique<WsSslStream>(
boost::asio::make_strand(*io_context_), ssl_ctx_);
boost::asio::make_strand(*io_context_), *ssl_ctx_);
} else {
ws_ =
std::make_unique<WsTcpStream>(boost::asio::make_strand(*io_context_));
3 changes: 2 additions & 1 deletion core/telemetry/impl/connection_impl.hpp
Expand Up @@ -24,6 +24,7 @@
#include <libp2p/basic/scheduler.hpp>
#include "log/logger.hpp"
#include "telemetry/impl/message_pool.hpp"
#include "utils/asio_ssl_context_client.hpp"

namespace kagome::telemetry {

Expand Down Expand Up @@ -135,7 +136,7 @@ namespace kagome::telemetry {
std::string path_;
std::string ws_handshake_hostname_;

boost::asio::ssl::context ssl_ctx_;
std::optional<AsioSslContextClient> ssl_ctx_;
boost::asio::ip::tcp::resolver resolver_;
boost::variant<WsTcpStreamPtr, WsSslStreamPtr> ws_;

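--- /dev/null
+++ b/core/utils/asio_ssl_context_client.hpp
@@ -0,0 +1,38 @@
+/**
+* Copyright Quadrivium LLC
+* All Rights Reserved
+* SPDX-License-Identifier: Apache-2.0
+*/
+
+#pragma once
+
+#include <boost/asio/ssl/context.hpp>
+#include <boost/asio/ssl/rfc2818_verification.hpp>
+#include <filesystem>
+
+namespace kagome {
+// TODO(turuslan): move to qtils, reuse for libp2p "/wss"
+struct AsioSslContextClient : boost::asio::ssl::context {
+AsioSslContextClient(const std::string &host)
+: context{context::tlsv13_client} {
+// X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
+// X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
+[[maybe_unused]] static bool find_system_certificates = [] {
+constexpr auto extra = "/etc/ssl/cert.pem";
+if (getenv(X509_get_default_cert_file_env()) == nullptr
+and getenv(X509_get_default_cert_dir_env()) == nullptr
+and std::string_view{X509_get_default_cert_file()} != extra
+and std::filesystem::exists(extra)) {
+setenv(X509_get_default_cert_file_env(), extra, true);
+}
+return true;
+}();
+set_options(context::default_workarounds | context::no_sslv2
+| context::no_sslv3 | context::no_tlsv1 | context::no_tlsv1_1
+| context::no_tlsv1_2 | context::single_dh_use);
+set_default_verify_paths();
+set_verify_mode(boost::asio::ssl::verify_peer);
+set_verify_callback(boost::asio::ssl::rfc2818_verification{host});
+}
+};
+} // namespace kagome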
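Review bot: The function-local static in the constructor rewrites the process environment with `setenv(X509_get_default_cert_file_env(), ...)`, which changes the trust store for every OpenSSL user in the process rather than for this context alone, is POSIX-only (`setenv` has no MSVC counterpart), and is not safe against `getenv` running concurrently on other threads; in addition `getenv`/`setenv`, `std::string`/`std::string_view` and the `X509_*` functions are used without `<cstdlib>`, `<string>`, `<string_view>` or `<openssl/x509.h>` being included here. The same fallback can be scoped to this context by calling `load_verify_file(extra)` after `set_default_verify_paths()`, keeping the env-var checks so an explicit `SSL_CERT_FILE`/`SSL_CERT_DIR` override is still respected; the two bare `X509_V_ERR_*` comment lines should also say what they are for, e.g. `// Fallback for hosts where OpenSSL's compiled-in default bundle path does not exist (surfaces as X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT[_LOCALLY]); /etc/ssl/cert.pem is the common location on macOS/BSD-like systems`. Two smaller points: `tlsv13_client` (which in Boost's implementation already pins both minimum and maximum protocol version to TLS 1.3, making the `no_tlsv1*` flags redundant) makes this client refuse any endpoint that still negotiates only TLS 1.2, so a comment stating that this is intended would help the next reader; and `rfc2818_verification` is deprecated in recent Boost.Asio (1.73 and later) in favour of `boost::asio::ssl::host_name_verification`, which delegates to `X509_check_host`, if the project's Boost is new enough. The rewritten constructor body follows.
```cpp
AsioSslContextClient(const std::string &host)
    : context{context::tlsv13_client} {
  // … unchanged: set_options(...) …
  set_default_verify_paths();
  // Fallback for hosts where OpenSSL's compiled-in default bundle path does
  // not exist: add the bundle to this context only, instead of rewriting the
  // process environment. Explicit SSL_CERT_FILE/SSL_CERT_DIR overrides win.
  constexpr auto extra = "/etc/ssl/cert.pem";
  if (std::getenv(X509_get_default_cert_file_env()) == nullptr
      and std::getenv(X509_get_default_cert_dir_env()) == nullptr
      and std::string_view{X509_get_default_cert_file()} != extra
      and std::filesystem::exists(extra)) {
    boost::system::error_code ec;
    load_verify_file(extra, ec);  // best effort: the default paths stay in use
  }
  // … unchanged: set_verify_mode / set_verify_callback …
}
```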
