boostorg/beast
1
0
Fork 1
mirror of https://github.com/boostorg/beast.git synced 2025-07-29 20:37:31 +02:00
Code Issues Packages Projects Releases Wiki Activity

SSL examples verify peer cert hostname

Browse Source 
Fixes #2974
This commit is contained in:
Mohammad Nejati
2025-02-11 13:12:53 +00:00
committed by Mohammad Nejati
parent 4e384f086b
commit ea38d841b0
11 changed files with 109 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.drone.star
View File

@ -15,7 +15,7 @@ def main(ctx):
alljobs=[] alljobs=[]
customizedjobs = [ customizedjobs = [
linux_cxx("GCC 10, Debug + Coverage", "g++-10", packages="g++-10 libssl-dev libffi-dev binutils-gold gdb mlocate", image="cppalliance/droneubuntu2004:1", buildtype="boost_v1", buildscript="drone", environment={"GCOV": "gcov-10", "LCOV_VERSION": "1.15", "VARIANT": "beast_coverage", "TOOLSET": "gcc", "COMPILER": "g++-10", "CXXSTD": "14", "DRONE_BEFORE_INSTALL" : "beast_coverage", "CODECOV_TOKEN": {"from_secret": "codecov_token"}}, globalenv=globalenv, privileged=True), linux_cxx("GCC 10, Debug + Coverage", "g++-10", packages="g++-10 libssl-dev libffi-dev binutils-gold gdb mlocate", image="cppalliance/droneubuntu2004:1", buildtype="boost_v1", buildscript="drone", environment={"GCOV": "gcov-10", "LCOV_VERSION": "1.15", "VARIANT": "beast_coverage", "TOOLSET": "gcc", "COMPILER": "g++-10", "CXXSTD": "14", "DRONE_BEFORE_INSTALL" : "beast_coverage", "CODECOV_TOKEN": {"from_secret": "codecov_token"}}, globalenv=globalenv, privileged=True),
linux_cxx("Default clang++ with libc++", "clang++-libc++", packages="libc++-dev mlocate", image="cppalliance/droneubuntu1604:1", buildtype="boost_v1", buildscript="drone", environment={ "B2_TOOLSET": "clang-7", "B2_CXXSTD": "17,2a", "VARIANT": "debug", "TOOLSET": "clang", "COMPILER": "clang++-libc++", "CXXSTD": "11", "CXX_FLAGS": "<cxxflags>-stdlib=libc++ <linkflags>-stdlib=libc++", "TRAVISCLANG" : "yes" }, globalenv=globalenv), linux_cxx("Default clang++ with libc++", "clang++-libc++", packages="libc++-dev mlocate", image="cppalliance/droneubuntu1804:1", buildtype="boost_v1", buildscript="drone", environment={ "B2_TOOLSET": "clang-7", "B2_CXXSTD": "17,2a", "VARIANT": "debug", "TOOLSET": "clang", "COMPILER": "clang++-libc++", "CXXSTD": "11", "CXX_FLAGS": "<cxxflags>-stdlib=libc++ <linkflags>-stdlib=libc++", "TRAVISCLANG" : "yes" }, globalenv=globalenv),
linux_cxx("GCC Valgrind", "g++", packages="g++-14 libssl-dev valgrind", image="cppalliance/droneubuntu2404:1", buildtype="boost_v1", buildscript="drone", environment={ "VARIANT": "beast_valgrind", "TOOLSET": "gcc", "COMPILER": "g++", "CXXSTD": "11" }, globalenv=globalenv), linux_cxx("GCC Valgrind", "g++", packages="g++-14 libssl-dev valgrind", image="cppalliance/droneubuntu2404:1", buildtype="boost_v1", buildscript="drone", environment={ "VARIANT": "beast_valgrind", "TOOLSET": "gcc", "COMPILER": "g++", "CXXSTD": "11" }, globalenv=globalenv),
linux_cxx("Default g++", "g++", packages="mlocate", image="cppalliance/droneubuntu1604:1", buildtype="boost_v1", buildscript="drone", environment={ "VARIANT": "release", "TOOLSET": "gcc", "COMPILER": "g++", "CXXSTD": "11" }, globalenv=globalenv), linux_cxx("Default g++", "g++", packages="mlocate", image="cppalliance/droneubuntu1604:1", buildtype="boost_v1", buildscript="drone", environment={ "VARIANT": "release", "TOOLSET": "gcc", "COMPILER": "g++", "CXXSTD": "11" }, globalenv=globalenv),
linux_cxx("GCC 8, C++17, libstdc++, release", "g++-8", packages="g++-8 mlocate", image="cppalliance/droneubuntu1604:1", buildtype="boost_v1", buildscript="drone", environment={ "VARIANT": "release", "TOOLSET": "gcc", "COMPILER": "g++-8", "CXXSTD" : "17" }, globalenv=globalenv), linux_cxx("GCC 8, C++17, libstdc++, release", "g++-8", packages="g++-8 mlocate", image="cppalliance/droneubuntu1604:1", buildtype="boost_v1", buildscript="drone", environment={ "VARIANT": "release", "TOOLSET": "gcc", "COMPILER": "g++-8", "CXXSTD" : "17" }, globalenv=globalenv),

2
.github/workflows/fuzz.yml vendored
View File

@ -43,7 +43,7 @@ jobs:
python tools/boostdep/depinst/depinst.py --git_args "--jobs 3" $LIBRARY python tools/boostdep/depinst/depinst.py --git_args "--jobs 3" $LIBRARY
- name: Fuzz corpus - name: Fuzz corpus
uses: actions/cache@v3.3.1 uses: actions/cache@v4
id: cache-corpus id: cache-corpus
with: with:
path: ${{ github.workspace }}/corpus.tar path: ${{ github.workspace }}/corpus.tar

14
example/http/client/async-ssl-system-executor/http_client_async_ssl_system_executor.cpp
View File

@ -77,7 +77,19 @@ public:
// Set SNI Hostname (many hosts need this to handshake successfully) // Set SNI Hostname (many hosts need this to handshake successfully)
if(! SSL_set_tlsext_host_name(stream_.native_handle(), host)) if(! SSL_set_tlsext_host_name(stream_.native_handle(), host))
{ {
beast::error_code ec{static_cast<int>(::ERR_get_error()), net::error::get_ssl_category()}; beast::error_code ec{
static_cast<int>(::ERR_get_error()),
net::error::get_ssl_category()};
std::cerr << ec.message() << "\n";
return;
}
// Set the expected hostname in the peer certificate for verification
if(! SSL_set1_host(stream_.native_handle(), host))
{
beast::error_code ec{
static_cast<int>(::ERR_get_error()),
net::error::get_ssl_category()};
std::cerr << ec.message() << "\n"; std::cerr << ec.message() << "\n";
return; return;
} }

14
example/http/client/async-ssl/http_client_async_ssl.cpp
View File

@ -69,7 +69,19 @@ public:
// Set SNI Hostname (many hosts need this to handshake successfully) // Set SNI Hostname (many hosts need this to handshake successfully)
if(! SSL_set_tlsext_host_name(stream_.native_handle(), host)) if(! SSL_set_tlsext_host_name(stream_.native_handle(), host))
{ {
beast::error_code ec{static_cast<int>(::ERR_get_error()), net::error::get_ssl_category()}; beast::error_code ec{
static_cast<int>(::ERR_get_error()),
net::error::get_ssl_category()};
std::cerr << ec.message() << "\n";
return;
}
// Set the expected hostname in the peer certificate for verification
if(! SSL_set1_host(stream_.native_handle(), host))
{
beast::error_code ec{
static_cast<int>(::ERR_get_error()),
net::error::get_ssl_category()};
std::cerr << ec.message() << "\n"; std::cerr << ec.message() << "\n";
return; return;
} }

12
example/http/client/awaitable-ssl/http_client_awaitable_ssl.cpp
View File

@ -51,9 +51,17 @@ do_session(
auto stream = ssl::stream<beast::tcp_stream>{ executor, ctx }; auto stream = ssl::stream<beast::tcp_stream>{ executor, ctx };
// Set SNI Hostname (many hosts need this to handshake successfully) // Set SNI Hostname (many hosts need this to handshake successfully)
if(!SSL_set_tlsext_host_name(stream.native_handle(), host.c_str())) if(! SSL_set_tlsext_host_name(stream.native_handle(), host.c_str()))
{ {
throw boost::system::system_error( throw beast::system_error(
static_cast<int>(::ERR_get_error()),
net::error::get_ssl_category());
}
// Set the expected hostname in the peer certificate for verification
if(! SSL_set1_host(stream.native_handle(), host.c_str()))
{
throw beast::system_error(
static_cast<int>(::ERR_get_error()), static_cast<int>(::ERR_get_error()),
net::error::get_ssl_category()); net::error::get_ssl_category());
} }

8
example/http/client/coro-ssl/http_client_coro_ssl.cpp
View File

@ -65,6 +65,14 @@ do_session(
return; return;
} }
// Set the expected hostname in the peer certificate for verification
if(! SSL_set1_host(stream.native_handle(), host.c_str()))
{
ec.assign(static_cast<int>(::ERR_get_error()), net::error::get_ssl_category());
std::cerr << ec.message() << "\n";
return;
}
// Look up the domain name // Look up the domain name
auto const results = resolver.async_resolve(host, port, yield[ec]); auto const results = resolver.async_resolve(host, port, yield[ec]);
if(ec) if(ec)

13
example/http/client/sync-ssl/http_client_sync_ssl.cpp
View File

@ -69,8 +69,17 @@ int main(int argc, char** argv)
// Set SNI Hostname (many hosts need this to handshake successfully) // Set SNI Hostname (many hosts need this to handshake successfully)
if(! SSL_set_tlsext_host_name(stream.native_handle(), host)) if(! SSL_set_tlsext_host_name(stream.native_handle(), host))
{ {
beast::error_code ec{static_cast<int>(::ERR_get_error()), net::error::get_ssl_category()}; throw beast::system_error(
throw beast::system_error{ec}; static_cast<int>(::ERR_get_error()),
net::error::get_ssl_category());
}
// Set the expected hostname in the peer certificate for verification
if(! SSL_set1_host(stream.native_handle(), host))
{
throw beast::system_error(
static_cast<int>(::ERR_get_error()),
net::error::get_ssl_category());
} }
// Look up the domain name // Look up the domain name

19
example/websocket/client/async-ssl-system-executor/websocket_client_async_ssl_system_executor.cpp
View File

@ -116,13 +116,17 @@ public:
beast::get_lowest_layer(ws_).expires_after(std::chrono::seconds(30)); beast::get_lowest_layer(ws_).expires_after(std::chrono::seconds(30));
// Set SNI Hostname (many hosts need this to handshake successfully) // Set SNI Hostname (many hosts need this to handshake successfully)
if(! SSL_set_tlsext_host_name( if(! SSL_set_tlsext_host_name(ws_.next_layer().native_handle(), host_.c_str()))
ws_.next_layer().native_handle(),
host_.c_str()))
{ {
ec = beast::error_code(static_cast<int>(::ERR_get_error()), ec.assign(static_cast<int>(::ERR_get_error()), net::error::get_ssl_category());
net::error::get_ssl_category()); return fail(ec, "connect");
return fail(ec, "connect"); }
// Set the expected hostname in the peer certificate for verification
if(! SSL_set1_host(ws_.next_layer().native_handle(), host_.c_str()))
{
ec.assign(static_cast<int>(::ERR_get_error()), net::error::get_ssl_category());
return fail(ec, "connect");
} }
// Update the host_ string. This will provide the value of the // Update the host_ string. This will provide the value of the
@ -252,6 +256,9 @@ int main(int argc, char** argv)
// The SSL context is required, and holds certificates // The SSL context is required, and holds certificates
ssl::context ctx{ssl::context::tlsv12_client}; ssl::context ctx{ssl::context::tlsv12_client};
// Verify the remote server's certificate
ctx.set_verify_mode(ssl::verify_peer);
// This holds the root certificate used for verification // This holds the root certificate used for verification
load_root_certificates(ctx); load_root_certificates(ctx);

17
example/websocket/client/async-ssl/websocket_client_async_ssl.cpp
View File

@ -108,12 +108,16 @@ public:
beast::get_lowest_layer(ws_).expires_after(std::chrono::seconds(30)); beast::get_lowest_layer(ws_).expires_after(std::chrono::seconds(30));
// Set SNI Hostname (many hosts need this to handshake successfully) // Set SNI Hostname (many hosts need this to handshake successfully)
if(! SSL_set_tlsext_host_name( if(! SSL_set_tlsext_host_name(ws_.next_layer().native_handle(), host_.c_str()))
ws_.next_layer().native_handle(),
host_.c_str()))
{ {
ec = beast::error_code(static_cast<int>(::ERR_get_error()), ec.assign(static_cast<int>(::ERR_get_error()), net::error::get_ssl_category());
net::error::get_ssl_category()); return fail(ec, "connect");
}
// Set the expected hostname in the peer certificate for verification
if(! SSL_set1_host(ws_.next_layer().native_handle(), host_.c_str()))
{
ec.assign(static_cast<int>(::ERR_get_error()), net::error::get_ssl_category());
return fail(ec, "connect"); return fail(ec, "connect");
} }
@ -246,6 +250,9 @@ int main(int argc, char** argv)
// The SSL context is required, and holds certificates // The SSL context is required, and holds certificates
ssl::context ctx{ssl::context::tlsv12_client}; ssl::context ctx{ssl::context::tlsv12_client};
// Verify the remote server's certificate
ctx.set_verify_mode(ssl::verify_peer);
// This holds the root certificate used for verification // This holds the root certificate used for verification
load_root_certificates(ctx); load_root_certificates(ctx);

17
example/websocket/client/coro-ssl/websocket_client_coro_ssl.cpp
View File

@ -71,12 +71,16 @@ do_session(
return fail(ec, "connect"); return fail(ec, "connect");
// Set SNI Hostname (many hosts need this to handshake successfully) // Set SNI Hostname (many hosts need this to handshake successfully)
if(! SSL_set_tlsext_host_name( if(! SSL_set_tlsext_host_name(ws.next_layer().native_handle(), host.c_str()))
ws.next_layer().native_handle(),
host.c_str()))
{ {
ec = beast::error_code(static_cast<int>(::ERR_get_error()), ec.assign(static_cast<int>(::ERR_get_error()), net::error::get_ssl_category());
net::error::get_ssl_category()); return fail(ec, "connect");
}
// Set the expected hostname in the peer certificate for verification
if(! SSL_set1_host(ws.next_layer().native_handle(), host.c_str()))
{
ec.assign(static_cast<int>(::ERR_get_error()), net::error::get_ssl_category());
return fail(ec, "connect"); return fail(ec, "connect");
} }
@ -163,6 +167,9 @@ int main(int argc, char** argv)
// The SSL context is required, and holds certificates // The SSL context is required, and holds certificates
ssl::context ctx{ssl::context::tlsv12_client}; ssl::context ctx{ssl::context::tlsv12_client};
// Verify the remote server's certificate
ctx.set_verify_mode(ssl::verify_peer);
// This holds the root certificate used for verification // This holds the root certificate used for verification
load_root_certificates(ctx); load_root_certificates(ctx);

19
example/websocket/client/sync-ssl/websocket_client_sync_ssl.cpp
View File

@ -56,6 +56,9 @@ int main(int argc, char** argv)
// The SSL context is required, and holds certificates // The SSL context is required, and holds certificates
ssl::context ctx{ssl::context::tlsv12_client}; ssl::context ctx{ssl::context::tlsv12_client};
// Verify the remote server's certificate
ctx.set_verify_mode(ssl::verify_peer);
// This holds the root certificate used for verification // This holds the root certificate used for verification
load_root_certificates(ctx); load_root_certificates(ctx);
@ -71,11 +74,19 @@ int main(int argc, char** argv)
// Set SNI Hostname (many hosts need this to handshake successfully) // Set SNI Hostname (many hosts need this to handshake successfully)
if(! SSL_set_tlsext_host_name(ws.next_layer().native_handle(), host.c_str())) if(! SSL_set_tlsext_host_name(ws.next_layer().native_handle(), host.c_str()))
{
throw beast::system_error( throw beast::system_error(
beast::error_code( static_cast<int>(::ERR_get_error()),
static_cast<int>(::ERR_get_error()), net::error::get_ssl_category());
net::error::get_ssl_category()), }
"Failed to set SNI Hostname");
// Set the expected hostname in the peer certificate for verification
if(! SSL_set1_host(ws.next_layer().native_handle(), host.c_str()))
{
throw beast::system_error(
static_cast<int>(::ERR_get_error()),
net::error::get_ssl_category());
}
// Update the host_ string. This will provide the value of the // Update the host_ string. This will provide the value of the
// Host HTTP header during the WebSocket handshake. // Host HTTP header during the WebSocket handshake.