TLSClient: add hostname verifcation
The CN or subjectAltName entries of the server's TLS certificate are now matched against the hostname connected to. taskd.trust is now a tristate value (allow all, ignore hostname, strict) so that the new hostname verification can optionally be disabled.
This commit is contained in:
parent
fdcc04d13e
commit
7fb1487993
5 changed files with 73 additions and 17 deletions
|
@ -232,8 +232,12 @@ int CmdDiagnostics::execute (std::string& output)
|
|||
? " (readable)" : " (not readable)")
|
||||
<< "\n";
|
||||
|
||||
if (context.config.get ("taskd.trust") != "")
|
||||
out << " Trust: override\n";
|
||||
if (context.config.get ("taskd.trust") == "allow all")
|
||||
out << " Trust: allow all\n";
|
||||
else if (context.config.get ("taskd.trust") == "ignore hostname")
|
||||
out << " Trust: ignore hostanme\n";
|
||||
else
|
||||
out << " Trust: strict\n";
|
||||
|
||||
out << " Cert: "
|
||||
<< context.config.get ("taskd.certificate")
|
||||
|
|
|
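Review bot: The new diagnostics line `out << " Trust: ignore hostanme\n";` misspells the setting it reports, so the output no longer matches the documented value "ignore hostname" when a user greps for it; it should read `out << " Trust: ignore hostname\n";`. A second issue is that every value of taskd.trust other than the two recognised strings falls into the `else` branch and is reported as "strict", including legacy boolean spellings such as "yes" that the previous boolean parse of this setting (removed in CmdSync.cpp in this commit) accepted, so a mistyped or stale value gives no hint that it was not understood. Consider printing the raw value in that branch when it is non-empty and differs from "strict", e.g. `out << " Trust: strict (taskd.trust='" << context.config.get ("taskd.trust") << "')\n";`, so the diagnostics output explains why strict verification is in effect. CmdDiagnostics::execute starts and ends outside the hunk.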
@ -29,7 +29,6 @@
|
|||
#include <inttypes.h>
|
||||
#include <signal.h>
|
||||
#include <Context.h>
|
||||
#include <TLSClient.h>
|
||||
#include <Color.h>
|
||||
#include <text.h>
|
||||
#include <util.h>
|
||||
|
@ -87,14 +86,18 @@ int CmdSync::execute (std::string& output)
|
|||
if (credentials.size () != 3)
|
||||
throw std::string (STRING_CMD_SYNC_BAD_CRED);
|
||||
|
||||
bool trust = context.config.getBoolean ("taskd.trust");
|
||||
enum TLSClient::trust_level trust = TLSClient::strict;
|
||||
if (context.config.get ("taskd.trust") == "allow all")
|
||||
trust = TLSClient::allow_all;
|
||||
else if (context.config.get ("taskd.trust") == "ignore hostname")
|
||||
trust = TLSClient::ignore_hostname;
|
||||
|
||||
// CA must exist, if provided.
|
||||
File ca (context.config.get ("taskd.ca"));
|
||||
if (ca._data != "" && ! ca.exists ())
|
||||
throw std::string (STRING_CMD_SYNC_BAD_CA);
|
||||
|
||||
if (trust && ca._data != "")
|
||||
if (trust == TLSClient::allow_all && ca._data != "")
|
||||
throw std::string (STRING_CMD_SYNC_TRUST_CA);
|
||||
|
||||
File certificate (context.config.get ("taskd.certificate"));
|
||||
|
@ -319,7 +322,7 @@ bool CmdSync::send (
|
|||
const std::string& ca,
|
||||
const std::string& certificate,
|
||||
const std::string& key,
|
||||
bool trust,
|
||||
const enum TLSClient::trust_level trust,
|
||||
const Msg& request,
|
||||
Msg& response)
|
||||
{
|
||||
|
|
|
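Review bot: The parse at `if (context.config.get ("taskd.trust") == "allow all")` / `else if (context.config.get ("taskd.trust") == "ignore hostname")` silently maps every other value to `TLSClient::strict`, including the boolean spellings the removed `getBoolean` call used to accept, so an existing `taskd.trust=yes` configuration flips from trusting the server to strict verification with no message explaining why the sync now fails. Failing closed is the right default, but the same string comparison is duplicated in CmdDiagnostics, so a single helper such as `static TLSClient::trust_level parseTrust (const std::string&)` that accepts exactly the three documented values and throws on anything else would keep the two in step and surface typos. A short comment on the `ignore_hostname` case would also help: with a CA configured, that mode presumably accepts any certificate chaining to taskd.ca regardless of the name it was issued for, so it is only safe when that CA is private to the deployment, which the code does not check. CmdSync::execute starts and ends outside the hunk.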
@ -30,6 +30,7 @@
|
|||
#include <string>
|
||||
#include <Command.h>
|
||||
#include <Msg.h>
|
||||
#include <TLSClient.h>
|
||||
|
||||
class CmdSync : public Command
|
||||
{
|
||||
|
@ -38,7 +39,7 @@ public:
|
|||
int execute (std::string&);
|
||||
|
||||
private:
|
||||
bool send (const std::string&, const std::string&, const std::string&, const std::string&, bool, const Msg&, Msg&);
|
||||
bool send (const std::string&, const std::string&, const std::string&, const std::string&, const enum TLSClient::trust_level, const Msg&, Msg&);
|
||||
};
|
||||
|
||||
#endif
|
||||
|
|
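Review bot: The `const` on the by-value `trust_level` parameter in the `send` declaration is a top-level const and is not part of the function's type, and the elaborated `enum` specifier is unnecessary once `TLSClient.h` is included; the declaration reads more plainly as `bool send (const std::string&, const std::string&, const std::string&, const std::string&, TLSClient::trust_level, const Msg&, Msg&);`. The definition in CmdSync.cpp may keep its own `const` if the intent is to prevent reassignment inside the body. Including `TLSClient.h` here is justified since a nested enum cannot be forward-declared, but it pulls the TLS client's dependencies into every translation unit that includes CmdSync.h; a one-line comment noting why the include is needed would save the next reader from trying to replace it with a forward declaration.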