SSL examples verify peer cert hostname

Fixes #2974

example/http/client/async-ssl-system-executor/http_client_async_ssl_system_executor.cpp

@@ -77,7 +77,19 @@ public:
         // Set SNI Hostname (many hosts need this to handshake successfully)
         if(! SSL_set_tlsext_host_name(stream_.native_handle(), host))
         {
-            beast::error_code ec{static_cast<int>(::ERR_get_error()), net::error::get_ssl_category()};
+            beast::error_code ec{
+                static_cast<int>(::ERR_get_error()),
+                net::error::get_ssl_category()};
+            std::cerr << ec.message() << "\n";
+            return;
+        }
+
+        // Set the expected hostname in the peer certificate for verification
+        if(! SSL_set1_host(stream_.native_handle(), host))
+        {
+            beast::error_code ec{
+                static_cast<int>(::ERR_get_error()),
+                net::error::get_ssl_category()};
             std::cerr << ec.message() << "\n";
             return;
         }

example/http/client/async-ssl/http_client_async_ssl.cpp

@@ -69,7 +69,19 @@ public:
         // Set SNI Hostname (many hosts need this to handshake successfully)
         if(! SSL_set_tlsext_host_name(stream_.native_handle(), host))
         {
-            beast::error_code ec{static_cast<int>(::ERR_get_error()), net::error::get_ssl_category()};
+            beast::error_code ec{
+                static_cast<int>(::ERR_get_error()),
+                net::error::get_ssl_category()};
+            std::cerr << ec.message() << "\n";
+            return;
+        }
+
+        // Set the expected hostname in the peer certificate for verification
+        if(! SSL_set1_host(stream_.native_handle(), host))
+        {
+            beast::error_code ec{
+                static_cast<int>(::ERR_get_error()),
+                net::error::get_ssl_category()};
             std::cerr << ec.message() << "\n";
             return;
         }

example/http/client/awaitable-ssl/http_client_awaitable_ssl.cpp

@@ -51,9 +51,17 @@ do_session(
     auto stream   = ssl::stream<beast::tcp_stream>{ executor, ctx };
 
     // Set SNI Hostname (many hosts need this to handshake successfully)
-    if(!SSL_set_tlsext_host_name(stream.native_handle(), host.c_str()))
+    if(! SSL_set_tlsext_host_name(stream.native_handle(), host.c_str()))
     {
-        throw boost::system::system_error(
+        throw beast::system_error(
+            static_cast<int>(::ERR_get_error()),
+            net::error::get_ssl_category());
+    }
+
+    // Set the expected hostname in the peer certificate for verification
+    if(! SSL_set1_host(stream.native_handle(), host.c_str()))
+    {
+        throw beast::system_error(
             static_cast<int>(::ERR_get_error()),
             net::error::get_ssl_category());
     }

example/http/client/coro-ssl/http_client_coro_ssl.cpp

@@ -65,6 +65,14 @@ do_session(
         return;
     }
 
+    // Set the expected hostname in the peer certificate for verification
+    if(! SSL_set1_host(stream.native_handle(), host.c_str()))
+    {
+        ec.assign(static_cast<int>(::ERR_get_error()), net::error::get_ssl_category());
+        std::cerr << ec.message() << "\n";
+        return;
+    }
+
     // Look up the domain name
     auto const results = resolver.async_resolve(host, port, yield[ec]);
     if(ec)

example/http/client/sync-ssl/http_client_sync_ssl.cpp

@@ -69,8 +69,17 @@ int main(int argc, char** argv)
         // Set SNI Hostname (many hosts need this to handshake successfully)
         if(! SSL_set_tlsext_host_name(stream.native_handle(), host))
         {
-            beast::error_code ec{static_cast<int>(::ERR_get_error()), net::error::get_ssl_category()};
-            throw beast::system_error{ec};
+            throw beast::system_error(
+                static_cast<int>(::ERR_get_error()),
+                net::error::get_ssl_category());
+        }
+
+        // Set the expected hostname in the peer certificate for verification
+        if(! SSL_set1_host(stream.native_handle(), host))
+        {
+            throw beast::system_error(
+                static_cast<int>(::ERR_get_error()),
+                net::error::get_ssl_category());
         }
 
         // Look up the domain name

example/websocket/client/async-ssl-system-executor/websocket_client_async_ssl_system_executor.cpp

@@ -116,13 +116,17 @@ public:
         beast::get_lowest_layer(ws_).expires_after(std::chrono::seconds(30));
 
         // Set SNI Hostname (many hosts need this to handshake successfully)
-        if(! SSL_set_tlsext_host_name(
-            ws_.next_layer().native_handle(),
-            host_.c_str()))
+        if(! SSL_set_tlsext_host_name(ws_.next_layer().native_handle(), host_.c_str()))
         {
-          ec = beast::error_code(static_cast<int>(::ERR_get_error()),
-                                 net::error::get_ssl_category());
-          return fail(ec, "connect");
+            ec.assign(static_cast<int>(::ERR_get_error()), net::error::get_ssl_category());
+            return fail(ec, "connect");
+        }
+
+        // Set the expected hostname in the peer certificate for verification
+        if(! SSL_set1_host(ws_.next_layer().native_handle(), host_.c_str()))
+        {
+            ec.assign(static_cast<int>(::ERR_get_error()), net::error::get_ssl_category());
+            return fail(ec, "connect");
         }
 
         // Update the host_ string. This will provide the value of the
@@ -252,6 +256,9 @@ int main(int argc, char** argv)
     // The SSL context is required, and holds certificates
     ssl::context ctx{ssl::context::tlsv12_client};
 
+    // Verify the remote server's certificate
+    ctx.set_verify_mode(ssl::verify_peer);
+
     // This holds the root certificate used for verification
     load_root_certificates(ctx);
 

example/websocket/client/async-ssl/websocket_client_async_ssl.cpp

@@ -108,12 +108,16 @@ public:
         beast::get_lowest_layer(ws_).expires_after(std::chrono::seconds(30));
 
         // Set SNI Hostname (many hosts need this to handshake successfully)
-        if(! SSL_set_tlsext_host_name(
-                ws_.next_layer().native_handle(),
-                host_.c_str()))
+        if(! SSL_set_tlsext_host_name(ws_.next_layer().native_handle(), host_.c_str()))
         {
-            ec = beast::error_code(static_cast<int>(::ERR_get_error()),
-                net::error::get_ssl_category());
+            ec.assign(static_cast<int>(::ERR_get_error()), net::error::get_ssl_category());
+            return fail(ec, "connect");
+        }
+
+        // Set the expected hostname in the peer certificate for verification
+        if(! SSL_set1_host(ws_.next_layer().native_handle(), host_.c_str()))
+        {
+            ec.assign(static_cast<int>(::ERR_get_error()), net::error::get_ssl_category());
             return fail(ec, "connect");
         }
 
@@ -246,6 +250,9 @@ int main(int argc, char** argv)
     // The SSL context is required, and holds certificates
     ssl::context ctx{ssl::context::tlsv12_client};
 
+    // Verify the remote server's certificate
+    ctx.set_verify_mode(ssl::verify_peer);
+
     // This holds the root certificate used for verification
     load_root_certificates(ctx);
 

example/websocket/client/coro-ssl/websocket_client_coro_ssl.cpp

@@ -71,12 +71,16 @@ do_session(
         return fail(ec, "connect");
 
     // Set SNI Hostname (many hosts need this to handshake successfully)
-    if(! SSL_set_tlsext_host_name(
-        ws.next_layer().native_handle(),
-        host.c_str()))
+    if(! SSL_set_tlsext_host_name(ws.next_layer().native_handle(), host.c_str()))
     {
-        ec = beast::error_code(static_cast<int>(::ERR_get_error()),
-            net::error::get_ssl_category());
+        ec.assign(static_cast<int>(::ERR_get_error()), net::error::get_ssl_category());
+        return fail(ec, "connect");
+    }
+
+    // Set the expected hostname in the peer certificate for verification
+    if(! SSL_set1_host(ws.next_layer().native_handle(), host.c_str()))
+    {
+        ec.assign(static_cast<int>(::ERR_get_error()), net::error::get_ssl_category());
         return fail(ec, "connect");
     }
 
@@ -163,6 +167,9 @@ int main(int argc, char** argv)
     // The SSL context is required, and holds certificates
     ssl::context ctx{ssl::context::tlsv12_client};
 
+    // Verify the remote server's certificate
+    ctx.set_verify_mode(ssl::verify_peer);
+
     // This holds the root certificate used for verification
     load_root_certificates(ctx);
 

example/websocket/client/sync-ssl/websocket_client_sync_ssl.cpp

@@ -56,6 +56,9 @@ int main(int argc, char** argv)
         // The SSL context is required, and holds certificates
         ssl::context ctx{ssl::context::tlsv12_client};
 
+        // Verify the remote server's certificate
+        ctx.set_verify_mode(ssl::verify_peer);
+
         // This holds the root certificate used for verification
         load_root_certificates(ctx);
 
@@ -71,11 +74,19 @@ int main(int argc, char** argv)
 
         // Set SNI Hostname (many hosts need this to handshake successfully)
         if(! SSL_set_tlsext_host_name(ws.next_layer().native_handle(), host.c_str()))
+        {
             throw beast::system_error(
-                beast::error_code(
-                    static_cast<int>(::ERR_get_error()),
-                    net::error::get_ssl_category()),
-                "Failed to set SNI Hostname");
+                static_cast<int>(::ERR_get_error()),
+                net::error::get_ssl_category());
+        }
+
+        // Set the expected hostname in the peer certificate for verification
+        if(! SSL_set1_host(ws.next_layer().native_handle(), host.c_str()))
+        {
+            throw beast::system_error(
+                static_cast<int>(::ERR_get_error()),
+                net::error::get_ssl_category());
+        }
 
         // Update the host_ string. This will provide the value of the
         // Host HTTP header during the WebSocket handshake.