Stiffstream / restinio

Cross-platform, efficient, customizable, and robust asynchronous HTTP(S)/WebSocket server C++ library with the right balance between performance and ease of use

rfc2818_verification with the tls_socket #39

Closed binarytrails closed 5 years ago

binarytrails commented 5 years ago

Let's say I want to perform a standard rfc2818_verification using the tls_socket adapter implementation. How would one be able to set_verify_callback for this purpose using the ssl::stream containing our socket if that interface is not exposed (private)?

eao197 commented 5 years ago

It's a good question. I don't know an answer yet. I'll take some time to think about it.

binarytrails commented 5 years ago

@eao197 I implemented the two required template functions, tested with my HTTP Asio client built on top of restinio, and it works!

[103939.773136] [http:resolver] resolved ns.jami.net:443: address=2607:fad8:4:6::228 ipv6
[103939.773185] [http:resolver] resolved ns.jami.net:443: address=173.231.120.228 ipv4
[103939.773437] [http:request:1] [connect] begin endpoints { 2607:fad8:4:6::228 173.231.120.228 }
[103939.801865] [http:request:1] [connect] success
[103939.820771] [http:request:1] [connect:ssl] secure channel established
[103939.821065] [http:request:1] [post]
GET /name/strace HTTP/1.1
Accept: */*
Content-Type: application/json
Host: ns.jami.net:443
User-Agent: RESTinio client

[103939.821098] state=1 code=0
[103939.821360] [http:request:1] [write] success
[103939.821373] state=3 code=0
[103939.830858] [http:request:1] [read:header]
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Tue, 06 Aug 2019 17:04:05 GMT
Content-Type: application/json
Content-Length: 1851
Connection: keep-alive
Access-Control-Allow-Origin: *

...
eao197 commented 5 years ago

Can you show how do you use these new methods?

binarytrails commented 5 years ago

@eao197 absolutely!

They verify the remote host's certificate before the handshake. Below is the standard way, using the Asio rfc2818_verification method, but one could implement one's own verify_callback if needed to confirm the validity of a certificate with a boolean return:

// require a certificate from the peer and fail the handshake if it cannot be verified
sock.set_verify_mode(ssl::verify_peer);
// after chain verification, check that the certificate is issued for "host.name" (RFC 2818 s3.1)
sock.set_verify_callback(ssl::rfc2818_verification("host.name"));
// both settings must be in place before the handshake starts, since the callback runs during it
sock.handshake(ssl_socket::client);

Here is my current implementation using it: https://github.com/binarytrails/opendht/blob/proxy_openssl/src/http.cpp#L137
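
As an added example (not code from this thread, from RESTinio, or from the linked repository): if you write your own verify_callback instead of using rfc2818_verification, the hostname-matching step is the part that must get the RFC 2818 wildcard rules right. The function below is a self-contained matcher with no Asio or OpenSSL dependency; it assumes the caller has already extracted the dNSName SAN entries (or, failing those, the CN) from the leaf certificate, and it is stricter than RFC 2818 in the way modern clients are (wildcard only as the whole left-most label).

```cpp
#include <cctype>
#include <string>
#include <vector>

// DNS names are case-insensitive, so compare labels that way.
static bool ieq(const std::string& a, const std::string& b) {
    if (a.size() != b.size()) return false;
    for (size_t i = 0; i < a.size(); ++i)
        if (std::tolower((unsigned char)a[i]) != std::tolower((unsigned char)b[i]))
            return false;
    return true;
}

// Split "a.b.c" into labels {"a","b","c"}; an empty label marks a malformed name.
static std::vector<std::string> labels(const std::string& name) {
    std::vector<std::string> out;
    std::string cur;
    for (char c : name) {
        if (c == '.') { out.push_back(cur); cur.clear(); } else cur += c;
    }
    out.push_back(cur);
    return out;
}

// Match one presented name (SAN dNSName or CN) against the expected host.
// '*' is honoured only as the entire left-most label, it must match exactly one
// non-empty label (never spanning a dot), and wildcards on names with fewer than
// three labels ("*.net") are rejected.
bool match_hostname(const std::string& pattern, const std::string& host) {
    std::vector<std::string> p = labels(pattern), h = labels(host);
    if (p.size() != h.size()) return false;
    for (const auto& l : p) if (l.empty()) return false;
    for (const auto& l : h) if (l.empty()) return false;
    for (size_t i = 0; i < p.size(); ++i) {
        if (p[i] == "*") {
            if (i != 0 || p.size() < 3) return false;
            continue;
        }
        if (p[i].find('*') != std::string::npos) return false; // "f*o" is not allowed
        if (!ieq(p[i], h[i])) return false;
    }
    return true;
}

// The decision a verify_callback would return at depth 0: accept only if at
// least one name the certificate presents matches the host we intended to reach.
bool host_matches_any(const std::vector<std::string>& presented, const std::string& host) {
    for (const auto& name : presented)
        if (match_hostname(name, host)) return true;
    return false;
}
```

The matcher must be combined with verify_peer (chain validation) as in the snippet above; a hostname check on an unverified chain proves nothing.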

ngrodzitski commented 5 years ago

A linked discussion: https://github.com/Stiffstream/restinio/pull/40

eao197 commented 5 years ago

@binarytrails, @ngrodzitski The update is in the master branch. The new method has the name asio_ssl_stream to reflect access to the underlying Asio-related entity: https://github.com/Stiffstream/restinio/blob/97ce6e36bb1fa74c18e435dc83eb4c18d790dc05/dev/restinio/impl/tls_socket.hpp#L80-L99 Any suggestions about a more appropriate name are welcome.