authorMattes D <github@xoft.cz>2023-05-09 19:59:15 +0200
committerMattes D <github@xoft.cz>2023-05-19 16:25:12 +0200
commit97c49c6f294a0b7e931be2692c124bd78fc79946 (patch)
tree872fcdfbfc30ff0ed2e2e444bb965769ea147e60 /src
parentcTCPLink: Use the original connection hostname for SNI. (diff)
Diffstat (limited to 'src')
-rw-r--r--src/Bindings/LuaTCPLink.cpp15
-rw-r--r--src/Bindings/LuaTCPLink.h4
-rw-r--r--src/Bindings/ManualBindings_Network.cpp8
-rw-r--r--src/HTTP/UrlClient.cpp85
-rw-r--r--src/HTTP/UrlClient.h29
-rw-r--r--src/OSSupport/Network.h3
-rw-r--r--src/OSSupport/TCPLinkImpl.cpp23
-rw-r--r--src/OSSupport/TCPLinkImpl.h3
-rw-r--r--src/Protocol/Authenticator.cpp16
-rw-r--r--src/Protocol/MojangAPI.cpp123
-rw-r--r--src/Protocol/MojangAPI.h21
-rw-r--r--src/mbedTLS++/CMakeLists.txt1
-rw-r--r--src/mbedTLS++/RootCA.h97
-rw-r--r--src/mbedTLS++/SslConfig.cpp6
14 files changed, 240 insertions, 194 deletions
diff --git a/src/Bindings/LuaTCPLink.cpp b/src/Bindings/LuaTCPLink.cpp
index 14ea5c905..883361abb 100644
--- a/src/Bindings/LuaTCPLink.cpp
+++ b/src/Bindings/LuaTCPLink.cpp
@@ -166,7 +166,8 @@ void cLuaTCPLink::Close(void)
AString cLuaTCPLink::StartTLSClient(
const AString & a_OwnCertData,
const AString & a_OwnPrivKeyData,
- const AString & a_OwnPrivKeyPassword
+ const AString & a_OwnPrivKeyPassword,
+ const AString & a_TrustedRootCAs
)
{
auto link = m_Link;
@@ -193,7 +194,17 @@ AString cLuaTCPLink::StartTLSClient(
}
}
- return link->StartTLSClient(ownCert, ownPrivKey);
+ cX509CertPtr trustedRootCAs;
+ if (!a_TrustedRootCAs.empty())
+ {
+ trustedRootCAs = std::make_shared<cX509Cert>();
+ auto res = trustedRootCAs->Parse(a_TrustedRootCAs.data(), a_TrustedRootCAs.size());
+ if (res != 0)
+ {
+ return fmt::format("Cannot parse trusted root CAs: {}", res);
+ }
+ }
+ return link->StartTLSClient(ownCert, ownPrivKey, trustedRootCAs);
}
return "";
}
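Review bot: `trustedRootCAs->Parse(a_TrustedRootCAs.data(), a_TrustedRootCAs.size())` on the added line passes a length that excludes the string's terminating NUL, whereas the deleted RootCA.h parsed the very same bundle with `sizeof(CertString)`, which includes it. If cX509Cert::Parse forwards the length to mbedtls_x509_crt_parse unchanged, PEM input is only recognised when the buffer length covers the terminating NUL, so the bundle would be treated as DER and rejected; worth confirming against cX509Cert::Parse and, if so, passing `a_TrustedRootCAs.size() + 1` (std::string::data() is NUL-terminated). The same call shape appears in UrlClient.cpp's new GetTrustedRootCAs (`Cert->Parse(itr->second.data(), itr->second.size())`), which is also the path the MojangAPI bundle now takes. cLuaTCPLink::StartTLSClient begins before this hunk.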
diff --git a/src/Bindings/LuaTCPLink.h b/src/Bindings/LuaTCPLink.h
index 6e5a78b4d..e5618f838 100644
--- a/src/Bindings/LuaTCPLink.h
+++ b/src/Bindings/LuaTCPLink.h
@@ -66,11 +66,13 @@ public:
If a client certificate should be used for the connection, set the certificate into a_OwnCertData and
its corresponding private key to a_OwnPrivKeyData. If both are empty, no client cert is presented.
a_OwnPrivKeyPassword is the password to be used for decoding PrivKey, empty if not passworded.
+ a_TrustedRootCAs is a \n-delimited concatenation of trusted root CAs' certificates in PEM format
Returns empty string on success, non-empty error description on failure. */
AString StartTLSClient(
const AString & a_OwnCertData,
const AString & a_OwnPrivKeyData,
- const AString & a_OwnPrivKeyPassword
+ const AString & a_OwnPrivKeyPassword,
+ const AString & a_TrustedRootCAs
);
/** Starts a TLS handshake as a server connection.
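Review bot: The added doc line for a_TrustedRootCAs describes the format but not what happens when it is empty, which the binding permits since ManualBindings_Network.cpp reads it as an optional parameter. Plugin authors need to know that omitting it means the server's certificate is not verified at all (the default client config no longer carries root CAs after this commit). Suggest extending the line to `a_TrustedRootCAs is a \n-delimited concatenation of trusted root CAs' certificates in PEM format; if empty, the peer certificate is NOT verified.`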
diff --git a/src/Bindings/ManualBindings_Network.cpp b/src/Bindings/ManualBindings_Network.cpp
index 67385cce6..c184821e9 100644
--- a/src/Bindings/ManualBindings_Network.cpp
+++ b/src/Bindings/ManualBindings_Network.cpp
@@ -546,7 +546,7 @@ static int tolua_cTCPLink_Shutdown(lua_State * L)
static int tolua_cTCPLink_StartTLSClient(lua_State * L)
{
// Function signature:
- // LinkInstance:StartTLSClient(OwnCert, OwnPrivKey, OwnPrivKeyPassword) -> [true] or [nil, ErrMsg]
+ // LinkInstance:StartTLSClient(OwnCert, OwnPrivKey, OwnPrivKeyPassword, TrustedRootCAs) -> [true] or [nil, ErrMsg]
// Get the link:
cLuaState S(L);
@@ -558,11 +558,11 @@ static int tolua_cTCPLink_StartTLSClient(lua_State * L)
ASSERT(Link != nullptr); // Checked by CheckParamSelf()
// Read the (optional) params:
- AString OwnCert, OwnPrivKey, OwnPrivKeyPassword;
- S.GetStackValues(2, OwnCert, OwnPrivKey, OwnPrivKeyPassword);
+ AString OwnCert, OwnPrivKey, OwnPrivKeyPassword, TrustedRootCAs;
+ S.GetStackValues(2, OwnCert, OwnPrivKey, OwnPrivKeyPassword, cLuaState::cOptionalParam<std::string>(TrustedRootCAs));
// Start the TLS handshake:
- AString res = Link->StartTLSClient(OwnCert, OwnPrivKey, OwnPrivKeyPassword);
+ AString res = Link->StartTLSClient(OwnCert, OwnPrivKey, OwnPrivKeyPassword, TrustedRootCAs);
if (!res.empty())
{
S.Push(cLuaState::Nil, fmt::format(
diff --git a/src/HTTP/UrlClient.cpp b/src/HTTP/UrlClient.cpp
index ed47341c3..eb52acfee 100644
--- a/src/HTTP/UrlClient.cpp
+++ b/src/HTTP/UrlClient.cpp
@@ -20,15 +20,18 @@ class cSchemeHandler;
using cSchemeHandlerPtr = std::shared_ptr<cSchemeHandler>;
-/** This is a basic set of callbacks to enable quick implementation of HTTP request. */
+
+
+
namespace
{
- class cSimpleHTTPCallbacks :
+ /** Callbacks implementing the blocking UrlClient behavior. */
+ class cBlockingHTTPCallbacks :
public cUrlClient::cCallbacks
{
public:
- explicit cSimpleHTTPCallbacks(std::shared_ptr<cEvent> a_Event, AString & a_ResponseBody) :
+ explicit cBlockingHTTPCallbacks(std::shared_ptr<cEvent> a_Event, AString & a_ResponseBody) :
m_Event(std::move(a_Event)), m_ResponseBody(a_ResponseBody)
{
}
@@ -73,13 +76,13 @@ public:
cUrlClient::cCallbacksPtr && a_Callbacks,
AStringMap && a_Headers,
const AString & a_Body,
- AStringMap && a_Options
+ const AStringMap & a_Options
)
{
// Create a new instance of cUrlClientRequest, wrapped in a SharedPtr, so that it has a controlled lifetime.
// Cannot use std::make_shared, because the constructor is not public
std::shared_ptr<cUrlClientRequest> ptr (new cUrlClientRequest(
- a_Method, a_URL, std::move(a_Callbacks), std::move(a_Headers), a_Body, std::move(a_Options)
+ a_Method, a_URL, std::move(a_Callbacks), std::move(a_Headers), a_Body, a_Options
));
return ptr->DoRequest(ptr);
}
@@ -138,6 +141,24 @@ public:
return key;
}
+ /** Returns the parsed TrustedRootCAs from the options, or an empty pointer if the option is not set.
+ Throws a std::runtime_error if CAs are provided, but parsing them fails. */
+ cX509CertPtr GetTrustedRootCAs() const
+ {
+ auto itr = m_Options.find("TrustedRootCAs");
+ if (itr == m_Options.end())
+ {
+ return nullptr;
+ }
+ auto Cert = std::make_shared<cX509Cert>();
+ auto Res = Cert->Parse(itr->second.data(), itr->second.size());
+ if (Res != 0)
+ {
+ throw std::runtime_error(fmt::format("Failed to parse the TrustedRootCAs certificate: {}", Res));
+ }
+ return Cert;
+ }
+
protected:
/** Method to be used for the request */
@@ -184,14 +205,14 @@ protected:
cUrlClient::cCallbacksPtr && a_Callbacks,
AStringMap && a_Headers,
const AString & a_Body,
- AStringMap && a_Options
+ const AStringMap & a_Options
):
m_Method(a_Method),
m_Url(a_Url),
m_Callbacks(std::move(a_Callbacks)),
m_Headers(std::move(a_Headers)),
m_Body(a_Body),
- m_Options(std::move(a_Options))
+ m_Options(a_Options)
{
m_NumRemainingRedirects = GetStringMapInteger(m_Options, "MaxRedirects", 30);
}
@@ -299,7 +320,7 @@ public:
m_Link = &a_Link;
if (m_IsTls)
{
- m_Link->StartTLSClient(m_ParentRequest.GetOwnCert(), m_ParentRequest.GetOwnPrivKey());
+ m_Link->StartTLSClient(m_ParentRequest.GetOwnCert(), m_ParentRequest.GetOwnPrivKey(), m_ParentRequest.GetTrustedRootCAs());
}
else
{
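Review bot: The error string returned by `m_Link->StartTLSClient(...)` on the changed line is discarded, so a failure to set up TLS leaves the request proceeding on the link as if the handshake had started; the original line had the same gap, but the new TrustedRootCAs argument adds a failure mode that is now user-supplied. In addition, m_ParentRequest.GetTrustedRootCAs() throws std::runtime_error on a parse failure and is evaluated here inside the link's connection callback, where an escaping exception has no caller to report to; presumably the request's error callback is the right place to surface both. Suggest `auto Err = m_Link->StartTLSClient(...);`, reporting a non-empty Err through the callbacks and closing the link, and wrapping the GetTrustedRootCAs() call in the same handling. The enclosing method starts and ends outside this hunk.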
@@ -652,11 +673,11 @@ std::pair<bool, AString> cUrlClient::Request(
cCallbacksPtr && a_Callbacks,
AStringMap && a_Headers,
const AString & a_Body,
- AStringMap && a_Options
+ const AStringMap & a_Options
)
{
return cUrlClientRequest::Request(
- a_Method, a_URL, std::move(a_Callbacks), std::move(a_Headers), a_Body, std::move(a_Options)
+ a_Method, a_URL, std::move(a_Callbacks), std::move(a_Headers), a_Body, a_Options
);
}
@@ -669,11 +690,11 @@ std::pair<bool, AString> cUrlClient::Get(
cCallbacksPtr && a_Callbacks,
AStringMap && a_Headers,
const AString & a_Body,
- AStringMap && a_Options
+ const AStringMap & a_Options
)
{
return cUrlClientRequest::Request(
- "GET", a_URL, std::move(a_Callbacks), std::move(a_Headers), a_Body, std::move(a_Options)
+ "GET", a_URL, std::move(a_Callbacks), std::move(a_Headers), a_Body, a_Options
);
}
@@ -686,11 +707,11 @@ std::pair<bool, AString> cUrlClient::Post(
cCallbacksPtr && a_Callbacks,
AStringMap && a_Headers,
const AString & a_Body,
- AStringMap && a_Options
+ const AStringMap & a_Options
)
{
return cUrlClientRequest::Request(
- "POST", a_URL, std::move(a_Callbacks), std::move(a_Headers), a_Body, std::move(a_Options)
+ "POST", a_URL, std::move(a_Callbacks), std::move(a_Headers), a_Body, a_Options
);
}
@@ -703,11 +724,11 @@ std::pair<bool, AString> cUrlClient::Put(
cCallbacksPtr && a_Callbacks,
AStringMap && a_Headers,
const AString & a_Body,
- AStringMap && a_Options
+ const AStringMap & a_Options
)
{
return cUrlClientRequest::Request(
- "PUT", a_URL, std::move(a_Callbacks), std::move(a_Headers), a_Body, std::move(a_Options)
+ "PUT", a_URL, std::move(a_Callbacks), std::move(a_Headers), a_Body, a_Options
);
}
@@ -715,15 +736,24 @@ std::pair<bool, AString> cUrlClient::Put(
-std::pair<bool, AString> cUrlClient::BlockingRequest(const AString & a_Method, const AString & a_URL, AStringMap && a_Headers, const AString & a_Body, AStringMap && a_Options)
+std::pair<bool, AString> cUrlClient::BlockingRequest(
+ const AString & a_Method,
+ const AString & a_URL,
+ AStringMap && a_Headers,
+ const AString & a_Body,
+ const AStringMap & a_Options
+)
{
auto EvtFinished = std::make_shared<cEvent>();
AString Response;
- auto Callbacks = std::make_unique<cSimpleHTTPCallbacks>(EvtFinished, Response);
- auto [Success, ErrorMessage] = cUrlClient::Request(a_Method, a_URL, std::move(Callbacks), std::move(a_Headers), a_Body, std::move(a_Options));
+ auto Callbacks = std::make_unique<cBlockingHTTPCallbacks>(EvtFinished, Response);
+ auto [Success, ErrorMessage] = cUrlClient::Request(a_Method, a_URL, std::move(Callbacks), std::move(a_Headers), a_Body, a_Options);
if (Success)
{
- EvtFinished->Wait();
+ if (!EvtFinished->Wait(10000))
+ {
+ return std::make_pair(false, "Timeout");
+ }
}
else
{
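Review bot: Returning on the timeout branch added at `if (!EvtFinished->Wait(10000))` leaves the request running with callbacks that hold a reference to the local `Response` (cBlockingHTTPCallbacks stores its `AString & a_ResponseBody` as a reference member), so a response arriving after the deadline writes into a dead stack frame. The callbacks should own their buffer, e.g. a `std::shared_ptr<AString>` handed to cBlockingHTTPCallbacks and kept alive by the request, with BlockingRequest copying out of it only after a successful Wait; alternatively the request must be cancelled before returning, but no such API is visible here. The 10000 literal should also be a named constant, and the blocking API's doc comment in UrlClient.h should mention the timeout. The function ends outside this hunk.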
@@ -741,9 +771,10 @@ std::pair<bool, AString> cUrlClient::BlockingGet(
const AString & a_URL,
AStringMap a_Headers,
const AString & a_Body,
- AStringMap a_Options)
+ const AStringMap & a_Options
+)
{
- return BlockingRequest("GET", a_URL, std::move(a_Headers), a_Body, std::move(a_Options));
+ return BlockingRequest("GET", a_URL, std::move(a_Headers), a_Body, a_Options);
}
@@ -754,9 +785,10 @@ std::pair<bool, AString> cUrlClient::BlockingPost(
const AString & a_URL,
AStringMap && a_Headers,
const AString & a_Body,
- AStringMap && a_Options)
+ const AStringMap & a_Options
+)
{
- return BlockingRequest("POST", a_URL, std::move(a_Headers), a_Body, std::move(a_Options));
+ return BlockingRequest("POST", a_URL, std::move(a_Headers), a_Body, a_Options);
}
@@ -767,9 +799,10 @@ std::pair<bool, AString> cUrlClient::BlockingPut(
const AString & a_URL,
AStringMap && a_Headers,
const AString & a_Body,
- AStringMap && a_Options)
+ const AStringMap & a_Options
+)
{
- return BlockingRequest("PUT", a_URL, std::move(a_Headers), a_Body, std::move(a_Options));
+ return BlockingRequest("PUT", a_URL, std::move(a_Headers), a_Body, a_Options);
}
diff --git a/src/HTTP/UrlClient.h b/src/HTTP/UrlClient.h
index aaff60a87..a73f22521 100644
--- a/src/HTTP/UrlClient.h
+++ b/src/HTTP/UrlClient.h
@@ -9,6 +9,7 @@ Options that can be set via the Options parameter to the cUrlClient calls:
"OwnCert": The client certificate to use, if requested by the server. Any string that can be parsed by cX509Cert.
"OwnPrivKey": The private key appropriate for OwnCert. Any string that can be parsed by cCryptoKey.
"OwnPrivKeyPassword": The password for OwnPrivKey. If not present or empty, no password is assumed.
+"TrustedRootCAs": The trusted root CA certificates (\n-delimited concatenated PEM format) to be used for peer cert verification. If not present, peer cert is not verified.
Behavior:
- If a redirect is received, and redirection is allowed, the redirection is reported via OnRedirecting() callback
@@ -116,16 +117,16 @@ public:
cCallbacksPtr && a_Callbacks,
AStringMap && a_Headers,
const AString & a_Body,
- AStringMap && a_Options
+ const AStringMap & a_Options
);
/** Alias for Request("GET", ...) */
static std::pair<bool, AString> Get(
const AString & a_URL,
cCallbacksPtr && a_Callbacks,
- AStringMap && a_Headers = AStringMap(),
- const AString & a_Body = AString(),
- AStringMap && a_Options = AStringMap()
+ AStringMap && a_Headers = {},
+ const AString & a_Body = {},
+ const AStringMap & a_Options = {}
);
/** Alias for Request("POST", ...) */
@@ -134,7 +135,7 @@ public:
cCallbacksPtr && a_Callbacks,
AStringMap && a_Headers,
const AString & a_Body,
- AStringMap && a_Options
+ const AStringMap & a_Options = {}
);
/** Alias for Request("PUT", ...) */
@@ -143,7 +144,7 @@ public:
cCallbacksPtr && a_Callbacks,
AStringMap && a_Headers,
const AString & a_Body,
- AStringMap && a_Options
+ const AStringMap & a_Options = {}
);
/** The method will run a thread blocking HTTP request. Any error handling
@@ -153,17 +154,17 @@ public:
static std::pair<bool, AString> BlockingRequest(
const AString & a_Method,
const AString & a_URL,
- AStringMap && a_Headers = AStringMap(),
- const AString & a_Body = AString(),
- AStringMap && a_Options = AStringMap()
+ AStringMap && a_Headers = {},
+ const AString & a_Body = {},
+ const AStringMap & a_Options = {}
);
/** Alias for BlockingRequest("GET", ...) */
static std::pair<bool, AString> BlockingGet(
const AString & a_URL,
- AStringMap a_Headers = AStringMap(),
- const AString & a_Body = AString(),
- AStringMap a_Options = AStringMap()
+ AStringMap a_Headers = {},
+ const AString & a_Body = {},
+ const AStringMap & a_Options = {}
);
/** Alias for BlockingRequest("POST", ...) */
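Review bot: BlockingGet keeps `AStringMap a_Headers = {}` by value while BlockingRequest directly above and BlockingPost/BlockingPut take `AStringMap && a_Headers`, so this one alias still differs from the siblings the commit otherwise aligns. Since the line was rewritten here anyway, `AStringMap && a_Headers = {}` in BlockingGet (and in its definition in UrlClient.cpp) would make the set consistent, assuming no caller relies on passing an lvalue map to BlockingGet without std::move.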
@@ -171,7 +172,7 @@ public:
const AString & a_URL,
AStringMap && a_Headers,
const AString & a_Body,
- AStringMap && a_Options
+ const AStringMap & a_Options = {}
);
/** Alias for BlockingRequest("PUT", ...) */
@@ -179,7 +180,7 @@ public:
const AString & a_URL,
AStringMap && a_Headers,
const AString & a_Body,
- AStringMap && a_Options
+ const AStringMap & a_Options = {}
);
};
diff --git a/src/OSSupport/Network.h b/src/OSSupport/Network.h
index 32163b710..ca31d9948 100644
--- a/src/OSSupport/Network.h
+++ b/src/OSSupport/Network.h
@@ -113,7 +113,8 @@ public:
Returns empty string on success, non-empty error description on failure. */
virtual AString StartTLSClient(
cX509CertPtr a_OwnCert,
- cCryptoKeyPtr a_OwnPrivKey
+ cCryptoKeyPtr a_OwnPrivKey,
+ cX509CertPtr a_TrustedRootCAs
) = 0;
/** Starts a TLS handshake as a server connection.
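Review bot: The added `cX509CertPtr a_TrustedRootCAs` parameter of the pure virtual StartTLSClient is not described in the doc comment above it, whose tail (`Returns empty string on success, ...`) is visible at the hunk start. Since this is the interface every implementation and caller reads, it should state the contract the TCPLinkImpl change establishes: `a_TrustedRootCAs, if non-null, is the set of CA certificates the peer's certificate must chain to; if null, the peer certificate is NOT verified.`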
diff --git a/src/OSSupport/TCPLinkImpl.cpp b/src/OSSupport/TCPLinkImpl.cpp
index 6bd33e9f5..1e12f27ab 100644
--- a/src/OSSupport/TCPLinkImpl.cpp
+++ b/src/OSSupport/TCPLinkImpl.cpp
@@ -244,7 +244,8 @@ void cTCPLinkImpl::Close(void)
AString cTCPLinkImpl::StartTLSClient(
cX509CertPtr a_OwnCert,
- cCryptoKeyPtr a_OwnPrivKey
+ cCryptoKeyPtr a_OwnPrivKey,
+ cX509CertPtr a_TrustedRootCAs
)
{
// Check preconditions:
@@ -259,15 +260,25 @@ AString cTCPLinkImpl::StartTLSClient(
// Create the TLS context:
m_TlsContext = std::make_shared<cLinkTlsContext>(*this);
- if (a_OwnCert != nullptr)
+ if ((a_OwnCert == nullptr) && (a_TrustedRootCAs == nullptr))
{
- auto Config = cSslConfig::MakeDefaultConfig(true);
- Config->SetOwnCert(std::move(a_OwnCert), std::move(a_OwnPrivKey));
- m_TlsContext->Initialize(Config);
+ // Use the (shared) default TLS config
+ m_TlsContext->Initialize(true);
}
else
{
- m_TlsContext->Initialize(true);
+ // Need a specialized config for the own certificate / trusted root CAs:
+ auto Config = cSslConfig::MakeDefaultConfig(true);
+ if (a_OwnCert != nullptr)
+ {
+ Config->SetOwnCert(std::move(a_OwnCert), std::move(a_OwnPrivKey));
+ }
+ if (a_TrustedRootCAs != nullptr)
+ {
+ Config->SetAuthMode(eSslAuthMode::Required);
+ Config->SetCACerts(std::move(a_TrustedRootCAs));
+ }
+ m_TlsContext->Initialize(Config);
}
// Enable SNI / peer name verification:
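Review bot: The `// Use the (shared) default TLS config` comment on the nullptr branch should say what that now means, because after the SslConfig.cpp change in this commit the default client config has auth mode None; a reader of this function sees only `m_TlsContext->Initialize(true)` followed by `// Enable SNI / peer name verification:`, which suggests verification is happening. Suggest `// No own cert and no trusted CAs: use the shared default client config, which does NOT verify the peer certificate` on that branch, and below it `// Set SNI; the hostname is presumably only enforced against the peer certificate when trusted root CAs were supplied`. The code after the hunk's last line is not visible here.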
diff --git a/src/OSSupport/TCPLinkImpl.h b/src/OSSupport/TCPLinkImpl.h
index c757303d2..44e515504 100644
--- a/src/OSSupport/TCPLinkImpl.h
+++ b/src/OSSupport/TCPLinkImpl.h
@@ -75,7 +75,8 @@ public:
virtual void Close(void) override;
virtual AString StartTLSClient(
cX509CertPtr a_OwnCert,
- cCryptoKeyPtr a_OwnPrivKey
+ cCryptoKeyPtr a_OwnPrivKey,
+ cX509CertPtr a_TrustedRootCAs
) override;
virtual AString StartTLSServer(
cX509CertPtr a_OwnCert,
diff --git a/src/Protocol/Authenticator.cpp b/src/Protocol/Authenticator.cpp
index 00b09c30d..41eac82d3 100644
--- a/src/Protocol/Authenticator.cpp
+++ b/src/Protocol/Authenticator.cpp
@@ -65,8 +65,8 @@ void cAuthenticator::ReadSettings(cSettingsRepositoryInterface & a_Settings)
}
{
- auto [IsSuccessfull, ErrorMessage] = cUrlParser::Validate(m_Server);
- if (!IsSuccessfull)
+ auto [IsSuccessful, ErrorMessage] = cUrlParser::Validate(m_Server);
+ if (!IsSuccessful)
{
LOGWARNING("%s %d: Supplied invalid URL for configuration value [Authentication: Server]: \"%s\", using default! Error: %s", __FUNCTION__, __LINE__, m_Server.c_str(), ErrorMessage.c_str());
m_Server = DEFAULT_AUTH_SERVER;
@@ -74,8 +74,8 @@ void cAuthenticator::ReadSettings(cSettingsRepositoryInterface & a_Settings)
}
{
- auto [IsSuccessfull, ErrorMessage] = cUrlParser::Validate(m_Server);
- if (!IsSuccessfull)
+ auto [IsSuccessful, ErrorMessage] = cUrlParser::Validate(m_Server);
+ if (!IsSuccessful)
{
LOGWARNING("%s %d: Supplied invalid URL for configuration value [Authentication: Address]: \"%s\", using default! Error: %s", __FUNCTION__, __LINE__, m_Address.c_str(), ErrorMessage.c_str());
m_Address = DEFAULT_AUTH_ADDRESS;
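Review bot: The rewritten line `auto [IsSuccessful, ErrorMessage] = cUrlParser::Validate(m_Server);` validates m_Server, but the surrounding block logs `[Authentication: Address]`, prints m_Address and resets m_Address to DEFAULT_AUTH_ADDRESS, so it looks like a copy of the m_Server block in the previous hunk where the argument was never switched; the hunk touched the line without fixing it. If cUrlParser::Validate is the right check for the address part, the line should read `cUrlParser::Validate(m_Address)`; if the address is only a path, it needs a different validation. cAuthenticator::ReadSettings continues outside the hunk.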
@@ -183,8 +183,8 @@ bool cAuthenticator::AuthWithYggdrasil(AString & a_UserName, const AString & a_S
ReplaceURL(ActualAddress, "%SERVERID%", a_ServerId);
// Create and send the HTTP request
- auto [IsSuccessfull, Response] = cUrlClient::BlockingGet(m_Server + ActualAddress);
- if (!IsSuccessfull)
+ auto [IsSuccessful, Response] = cUrlClient::BlockingGet(m_Server + ActualAddress);
+ if (!IsSuccessful)
{
return false;
}
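Review bot: `cUrlClient::BlockingGet(m_Server + ActualAddress)` on the rewritten line passes no options, so no TrustedRootCAs reach the link, and with this commit's SslConfig.cpp change the default client config uses eSslAuthMode::None; the session-server response that decides whether a player is authenticated is therefore fetched over TLS without certificate verification, where before the commit the bundled roots applied to every client connection. The same applies to the BlockingGet call in the next hunk (GetPlayerProperties). Suggest passing an options map with "TrustedRootCAs" here as MojangAPI.cpp does, ideally configurable alongside [Authentication: Server] since the server itself is operator-configurable; MojangTrustedRootCAs::UrlClientOptions() is file-local to MojangAPI.cpp and would need to be exposed. AuthWithYggdrasil continues outside the hunk.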
@@ -230,8 +230,8 @@ bool cAuthenticator::GetPlayerProperties(const AString & a_UUID, Json::Value & a
LOGD("Trying to get properties for user %s", a_UUID.c_str());
// Create and send the HTTP request
- auto [IsSuccessfull, Response] = cUrlClient::BlockingGet(m_Server + ActualAddress);
- if (!IsSuccessfull)
+ auto [IsSuccessful, Response] = cUrlClient::BlockingGet(m_Server + ActualAddress);
+ if (!IsSuccessful)
{
return false;
}
diff --git a/src/Protocol/MojangAPI.cpp b/src/Protocol/MojangAPI.cpp
index 37c1b0911..57becce62 100644
--- a/src/Protocol/MojangAPI.cpp
+++ b/src/Protocol/MojangAPI.cpp
@@ -40,6 +40,99 @@ constexpr char DEFAULT_UUID_TO_PROFILE_ADDRESS[] = "/session/minecraft/profile/%
+namespace MojangTrustedRootCAs
+{
+ /** Returns the Options that should be used for cUrlClient queries to the Mojang APIs. */
+ static const AStringMap & UrlClientOptions()
+ {
+ static const AString CertString =
+ // DigiCert Global Root CA (sessionserver.mojang.com)
+ // Downloaded from https://www.digicert.com/kb/digicert-root-certificates.htm
+
+ // DigiCert Global Root CA
+ "-----BEGIN CERTIFICATE-----\n"
+ "MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh\n"
+ "MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\n"
+ "d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD\n"
+ "QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT\n"
+ "MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j\n"
+ "b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG\n"
+ "9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB\n"
+ "CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97\n"
+ "nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt\n"
+ "43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P\n"
+ "T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4\n"
+ "gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO\n"
+ "BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR\n"
+ "TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw\n"
+ "DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr\n"
+ "hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg\n"
+ "06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF\n"
+ "PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls\n"
+ "YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk\n"
+ "CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=\n"
+ "-----END CERTIFICATE-----\n"
+
+ // Amazon Root CA 1 (api.mojang.com)
+ // Downloaded from https://www.amazontrust.com/repository/
+ "-----BEGIN CERTIFICATE-----\n"
+ "MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsF\n"
+ "ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6\n"
+ "b24gUm9vdCBDQSAxMB4XDTE1MDUyNjAwMDAwMFoXDTM4MDExNzAwMDAwMFowOTEL\n"
+ "MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJv\n"
+ "b3QgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJ4gHHKeNXj\n"
+ "ca9HgFB0fW7Y14h29Jlo91ghYPl0hAEvrAIthtOgQ3pOsqTQNroBvo3bSMgHFzZM\n"
+ "9O6II8c+6zf1tRn4SWiw3te5djgdYZ6k/oI2peVKVuRF4fn9tBb6dNqcmzU5L/qw\n"
+ "IFAGbHrQgLKm+a/sRxmPUDgH3KKHOVj4utWp+UhnMJbulHheb4mjUcAwhmahRWa6\n"
+ "VOujw5H5SNz/0egwLX0tdHA114gk957EWW67c4cX8jJGKLhD+rcdqsq08p8kDi1L\n"
+ "93FcXmn/6pUCyziKrlA4b9v7LWIbxcceVOF34GfID5yHI9Y/QCB/IIDEgEw+OyQm\n"
+ "jgSubJrIqg0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
+ "AYYwHQYDVR0OBBYEFIQYzIU07LwMlJQuCFmcx7IQTgoIMA0GCSqGSIb3DQEBCwUA\n"
+ "A4IBAQCY8jdaQZChGsV2USggNiMOruYou6r4lK5IpDB/G/wkjUu0yKGX9rbxenDI\n"
+ "U5PMCCjjmCXPI6T53iHTfIUJrU6adTrCC2qJeHZERxhlbI1Bjjt/msv0tadQ1wUs\n"
+ "N+gDS63pYaACbvXy8MWy7Vu33PqUXHeeE6V/Uq2V8viTO96LXFvKWlJbYK8U90vv\n"
+ "o/ufQJVtMVT8QtPHRh8jrdkPSHCa2XV4cdFyQzR1bldZwgJcJmApzyMZFo6IQ6XU\n"
+ "5MsI+yMRQ+hDKXJioaldXgjUkK642M4UwtBV8ob2xJNDd2ZhwLnoQdeXeGADbkpy\n"
+ "rqXRfboQnoZsG4q5WTP468SQvvG5\n"
+ "-----END CERTIFICATE-----\n"
+
+ // AAA Certificate Services (authserver.ely.by GH#4832)
+ // Downloaded from https://www.tbs-certificates.co.uk/FAQ/en/Comodo_AAA_Certificate_Services.html
+ "-----BEGIN CERTIFICATE-----\n"
+ "MIIEMjCCAxqgAwIBAgIBATANBgkqhkiG9w0BAQUFADB7MQswCQYDVQQGEwJHQjEb\n"
+ "MBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHDAdTYWxmb3JkMRow\n"
+ "GAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UEAwwYQUFBIENlcnRpZmlj\n"
+ "YXRlIFNlcnZpY2VzMB4XDTA0MDEwMTAwMDAwMFoXDTI4MTIzMTIzNTk1OVowezEL\n"
+ "MAkGA1UEBhMCR0IxGzAZBgNVBAgMEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE\n"
+ "BwwHU2FsZm9yZDEaMBgGA1UECgwRQ29tb2RvIENBIExpbWl0ZWQxITAfBgNVBAMM\n"
+ "GEFBQSBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczCCASIwDQYJKoZIhvcNAQEBBQADggEP\n"
+ "ADCCAQoCggEBAL5AnfRu4ep2hxxNRUSOvkbIgwadwSr+GB+O5AL686tdUIoWMQua\n"
+ "BtDFcCLNSS1UY8y2bmhGC1Pqy0wkwLxyTurxFa70VJoSCsN6sjNg4tqJVfMiWPPe\n"
+ "3M/vg4aijJRPn2jymJBGhCfHdr/jzDUsi14HZGWCwEiwqJH5YZ92IFCokcdmtet4\n"
+ "YgNW8IoaE+oxox6gmf049vYnMlhvB/VruPsUK6+3qszWY19zjNoFmag4qMsXeDZR\n"
+ "rOme9Hg6jc8P2ULimAyrL58OAd7vn5lJ8S3frHRNG5i1R8XlKdH5kBjHYpy+g8cm\n"
+ "ez6KJcfA3Z3mNWgQIJ2P2N7Sw4ScDV7oL8kCAwEAAaOBwDCBvTAdBgNVHQ4EFgQU\n"
+ "oBEKIz6W8Qfs4q8p74Klf9AwpLQwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQF\n"
+ "MAMBAf8wewYDVR0fBHQwcjA4oDagNIYyaHR0cDovL2NybC5jb21vZG9jYS5jb20v\n"
+ "QUFBQ2VydGlmaWNhdGVTZXJ2aWNlcy5jcmwwNqA0oDKGMGh0dHA6Ly9jcmwuY29t\n"
+ "b2RvLm5ldC9BQUFDZXJ0aWZpY2F0ZVNlcnZpY2VzLmNybDANBgkqhkiG9w0BAQUF\n"
+ "AAOCAQEACFb8AvCb6P+k+tZ7xkSAzk/ExfYAWMymtrwUSWgEdujm7l3sAg9g1o1Q\n"
+ "GE8mTgHj5rCl7r+8dFRBv/38ErjHT1r0iWAFf2C3BUrz9vHCv8S5dIa2LX1rzNLz\n"
+ "Rt0vxuBqw8M0Ayx9lt1awg6nCpnBBYurDC/zXDrPbDdVCYfeU0BsWO/8tqtlbgT2\n"
+ "G9w84FoVxp7Z8VlIMCFlA2zs6SFz7JsDoeA3raAVGI/6ugLOpyypEBMs1OUIJqsi\n"
+ "l2D4kF501KKaU73yqWjgom7C12yxow+ev+to51byrvLjKzg6CYG1a4XXvi3tPxq3\n"
+ "smPi9WIsgtRqAEFQ8TmDn5XpNpaYbg==\n"
+ "-----END CERTIFICATE-----\n"
+ ;
+ static const AStringMap UrlClientOptions = {{"TrustedRootCAs", CertString}};
+ return UrlClientOptions;
+ }
+}
+
+
+
+
+
////////////////////////////////////////////////////////////////////////////////
// cMojangAPI::sProfile:
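Review bot: Inside `MojangTrustedRootCAs::UrlClientOptions()` the function-local static is also named `UrlClientOptions`, so the same name denotes the function outside the body and the map inside it; `static const AStringMap Options = {{"TrustedRootCAs", CertString}}; return Options;` reads unambiguously. The bundle is a compile-time pin on three specific roots, so a comment at the top of the namespace noting that a CA change by any of the named hosts will break lookups until the bundle is refreshed (pointing at the download links already in the comments) would help whoever gets that bug report. A `static` function inside a named namespace in a .cpp is legal, but the anonymous-namespace style used in UrlClient.cpp would be more consistent with the rest of this commit.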
@@ -143,11 +236,7 @@ protected:
////////////////////////////////////////////////////////////////////////////////
// cMojangAPI:
-cMojangAPI::cMojangAPI(void) :
- m_NameToUUIDServer(DEFAULT_NAME_TO_UUID_SERVER),
- m_NameToUUIDAddress(DEFAULT_NAME_TO_UUID_ADDRESS),
- m_UUIDToProfileServer(DEFAULT_UUID_TO_PROFILE_SERVER),
- m_UUIDToProfileAddress(DEFAULT_UUID_TO_PROFILE_ADDRESS),
+cMojangAPI::cMojangAPI():
m_RankMgr(nullptr),
m_UpdateThread(new cUpdateThread(*this))
{
@@ -168,10 +257,12 @@ cMojangAPI::~cMojangAPI()
void cMojangAPI::Start(cSettingsRepositoryInterface & a_Settings, bool a_ShouldAuth)
{
- m_NameToUUIDServer = a_Settings.GetValueSet("MojangAPI", "NameToUUIDServer", DEFAULT_NAME_TO_UUID_SERVER);
- m_NameToUUIDAddress = a_Settings.GetValueSet("MojangAPI", "NameToUUIDAddress", DEFAULT_NAME_TO_UUID_ADDRESS);
- m_UUIDToProfileServer = a_Settings.GetValueSet("MojangAPI", "UUIDToProfileServer", DEFAULT_UUID_TO_PROFILE_SERVER);
- m_UUIDToProfileAddress = a_Settings.GetValueSet("MojangAPI", "UUIDToProfileAddress", DEFAULT_UUID_TO_PROFILE_ADDRESS);
+ auto NameToUUIDServer = a_Settings.GetValueSet("MojangAPI", "NameToUUIDServer", DEFAULT_NAME_TO_UUID_SERVER);
+ auto NameToUUIDAddress = a_Settings.GetValueSet("MojangAPI", "NameToUUIDAddress", DEFAULT_NAME_TO_UUID_ADDRESS);
+ auto UUIDToProfileServer = a_Settings.GetValueSet("MojangAPI", "UUIDToProfileServer", DEFAULT_UUID_TO_PROFILE_SERVER);
+ auto UUIDToProfileAddress = a_Settings.GetValueSet("MojangAPI", "UUIDToProfileAddress", DEFAULT_UUID_TO_PROFILE_ADDRESS);
+ m_NameToUUIDUrl = "https://" + NameToUUIDServer + NameToUUIDAddress;
+ m_UUIDToProfileUrl = "https://" + UUIDToProfileServer + UUIDToProfileAddress;
LoadCachesFromDisk();
if (a_ShouldAuth)
{
@@ -485,8 +576,8 @@ void cMojangAPI::QueryNamesToUUIDs(AStringVector & a_NamesToQuery)
auto RequestBody = JsonUtils::WriteFastString(root);
// Create and send the HTTP request
- auto [IsSuccessfull, Response] = cUrlClient::BlockingPost(m_NameToUUIDAddress, AStringMap(), std::move(RequestBody), AStringMap());
- if (!IsSuccessfull)
+ auto [IsSuccessful, Response] = cUrlClient::BlockingPost(m_NameToUUIDUrl, {}, std::move(RequestBody), MojangTrustedRootCAs::UrlClientOptions());
+ if (!IsSuccessful)
{
continue;
}
@@ -562,13 +653,11 @@ void cMojangAPI::CacheUUIDToProfile(const cUUID & a_UUID)
void cMojangAPI::QueryUUIDToProfile(const cUUID & a_UUID)
{
- // Create the request address:
- AString Address = m_UUIDToProfileAddress;
- ReplaceURL(Address, "%UUID%", a_UUID.ToShortString());
-
// Create and send the HTTP request
- auto [IsSuccessfull, Response] = cUrlClient::BlockingGet(Address);
- if (!IsSuccessfull)
+ auto Url = m_UUIDToProfileUrl;
+ ReplaceString(Url, "%UUID%", URLEncode(a_UUID.ToShortString()));
+ auto [IsSuccessful, Response] = cUrlClient::BlockingGet(Url, {}, {}, MojangTrustedRootCAs::UrlClientOptions());
+ if (!IsSuccessful)
{
return;
}
diff --git a/src/Protocol/MojangAPI.h b/src/Protocol/MojangAPI.h
index f9267fefe..6d550662c 100644
--- a/src/Protocol/MojangAPI.h
+++ b/src/Protocol/MojangAPI.h
@@ -130,19 +130,14 @@ protected:
using cUUIDProfileMap = std::map<cUUID, sProfile>;
- /** The server to connect to when converting player names to UUIDs. For example "api.mojang.com". */
- AString m_NameToUUIDServer;
-
- /** The URL to use for converting player names to UUIDs, without server part.
- For example "/profiles/page/1". */
- AString m_NameToUUIDAddress;
-
- /** The server to connect to when converting UUID to profile. For example "sessionserver.mojang.com". */
- AString m_UUIDToProfileServer;
-
- /** The URL to use for converting UUID to profile, without the server part.
- Will replace %UUID% with the actual UUID. For example "session/minecraft/profile/%UUID%?unsigned=false". */
- AString m_UUIDToProfileAddress;
+ /** The full URL to check when converting player names to UUIDs.
+ For example: "https://api.mojang.com/profiles/page/1". */
+ AString m_NameToUUIDUrl;
+
+ /** The full URL to use for converting UUID to profile.
+ %UUID% will get replaced with the actual UUID.
+ For example "https://sessionserver.mojang.com/session/minecraft/profile/%UUID%?unsigned=false". */
+ AString m_UUIDToProfileUrl;
/** Cache for the Name-to-UUID lookups. The map key is lowercased PlayerName. Protected by m_CSNameToUUID. */
cProfileMap m_NameToUUID;
diff --git a/src/mbedTLS++/CMakeLists.txt b/src/mbedTLS++/CMakeLists.txt
index dcb5d23a0..42e0fc8b2 100644
--- a/src/mbedTLS++/CMakeLists.txt
+++ b/src/mbedTLS++/CMakeLists.txt
@@ -25,7 +25,6 @@ target_sources(
EntropyContext.h
ErrorCodes.h
RsaPrivateKey.h
- RootCA.h
SslConfig.h
SslContext.h
Sha1Checksum.h
diff --git a/src/mbedTLS++/RootCA.h b/src/mbedTLS++/RootCA.h
deleted file mode 100644
index 3e0d654bd..000000000
--- a/src/mbedTLS++/RootCA.h
+++ /dev/null
@@ -1,97 +0,0 @@
-
-// This file contains the public keys for different root CAs
-
-#include "Globals.h"
-#include "mbedTLS++/X509Cert.h"
-
-static cX509CertPtr GetCACerts(void)
-{
- static const char CertString[] =
- // DigiCert Global Root CA (sessionserver.mojang.com)
- // Downloaded from https://www.digicert.com/kb/digicert-root-certificates.htm
-
- // DigiCert Global Root CA
- "-----BEGIN CERTIFICATE-----\n"
- "MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh\n"
- "MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\n"
- "d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD\n"
- "QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT\n"
- "MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j\n"
- "b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG\n"
- "9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB\n"
- "CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97\n"
- "nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt\n"
- "43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P\n"
- "T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4\n"
- "gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO\n"
- "BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR\n"
- "TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw\n"
- "DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr\n"
- "hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg\n"
- "06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF\n"
- "PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls\n"
- "YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk\n"
- "CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=\n"
- "-----END CERTIFICATE-----\n"
-
- // Amazon Root CA 1 (api.mojang.com)
- // Downloaded from https://www.amazontrust.com/repository/
- "-----BEGIN CERTIFICATE-----\n"
- "MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsF\n"
- "ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6\n"
- "b24gUm9vdCBDQSAxMB4XDTE1MDUyNjAwMDAwMFoXDTM4MDExNzAwMDAwMFowOTEL\n"
- "MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJv\n"
- "b3QgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJ4gHHKeNXj\n"
- "ca9HgFB0fW7Y14h29Jlo91ghYPl0hAEvrAIthtOgQ3pOsqTQNroBvo3bSMgHFzZM\n"
- "9O6II8c+6zf1tRn4SWiw3te5djgdYZ6k/oI2peVKVuRF4fn9tBb6dNqcmzU5L/qw\n"
- "IFAGbHrQgLKm+a/sRxmPUDgH3KKHOVj4utWp+UhnMJbulHheb4mjUcAwhmahRWa6\n"
- "VOujw5H5SNz/0egwLX0tdHA114gk957EWW67c4cX8jJGKLhD+rcdqsq08p8kDi1L\n"
- "93FcXmn/6pUCyziKrlA4b9v7LWIbxcceVOF34GfID5yHI9Y/QCB/IIDEgEw+OyQm\n"
- "jgSubJrIqg0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
- "AYYwHQYDVR0OBBYEFIQYzIU07LwMlJQuCFmcx7IQTgoIMA0GCSqGSIb3DQEBCwUA\n"
- "A4IBAQCY8jdaQZChGsV2USggNiMOruYou6r4lK5IpDB/G/wkjUu0yKGX9rbxenDI\n"
- "U5PMCCjjmCXPI6T53iHTfIUJrU6adTrCC2qJeHZERxhlbI1Bjjt/msv0tadQ1wUs\n"
- "N+gDS63pYaACbvXy8MWy7Vu33PqUXHeeE6V/Uq2V8viTO96LXFvKWlJbYK8U90vv\n"
- "o/ufQJVtMVT8QtPHRh8jrdkPSHCa2XV4cdFyQzR1bldZwgJcJmApzyMZFo6IQ6XU\n"
- "5MsI+yMRQ+hDKXJioaldXgjUkK642M4UwtBV8ob2xJNDd2ZhwLnoQdeXeGADbkpy\n"
- "rqXRfboQnoZsG4q5WTP468SQvvG5\n"
- "-----END CERTIFICATE-----\n"
-
- // AAA Certificate Services (authserver.ely.by GH#4832)
- // Downloaded from https://www.tbs-certificates.co.uk/FAQ/en/Comodo_AAA_Certificate_Services.html
- "-----BEGIN CERTIFICATE-----\n"
- "MIIEMjCCAxqgAwIBAgIBATANBgkqhkiG9w0BAQUFADB7MQswCQYDVQQGEwJHQjEb\n"
- "MBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHDAdTYWxmb3JkMRow\n"
- "GAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UEAwwYQUFBIENlcnRpZmlj\n"
- "YXRlIFNlcnZpY2VzMB4XDTA0MDEwMTAwMDAwMFoXDTI4MTIzMTIzNTk1OVowezEL\n"
- "MAkGA1UEBhMCR0IxGzAZBgNVBAgMEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE\n"
- "BwwHU2FsZm9yZDEaMBgGA1UECgwRQ29tb2RvIENBIExpbWl0ZWQxITAfBgNVBAMM\n"
- "GEFBQSBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczCCASIwDQYJKoZIhvcNAQEBBQADggEP\n"
- "ADCCAQoCggEBAL5AnfRu4ep2hxxNRUSOvkbIgwadwSr+GB+O5AL686tdUIoWMQua\n"
- "BtDFcCLNSS1UY8y2bmhGC1Pqy0wkwLxyTurxFa70VJoSCsN6sjNg4tqJVfMiWPPe\n"
- "3M/vg4aijJRPn2jymJBGhCfHdr/jzDUsi14HZGWCwEiwqJH5YZ92IFCokcdmtet4\n"
- "YgNW8IoaE+oxox6gmf049vYnMlhvB/VruPsUK6+3qszWY19zjNoFmag4qMsXeDZR\n"
- "rOme9Hg6jc8P2ULimAyrL58OAd7vn5lJ8S3frHRNG5i1R8XlKdH5kBjHYpy+g8cm\n"
- "ez6KJcfA3Z3mNWgQIJ2P2N7Sw4ScDV7oL8kCAwEAAaOBwDCBvTAdBgNVHQ4EFgQU\n"
- "oBEKIz6W8Qfs4q8p74Klf9AwpLQwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQF\n"
- "MAMBAf8wewYDVR0fBHQwcjA4oDagNIYyaHR0cDovL2NybC5jb21vZG9jYS5jb20v\n"
- "QUFBQ2VydGlmaWNhdGVTZXJ2aWNlcy5jcmwwNqA0oDKGMGh0dHA6Ly9jcmwuY29t\n"
- "b2RvLm5ldC9BQUFDZXJ0aWZpY2F0ZVNlcnZpY2VzLmNybDANBgkqhkiG9w0BAQUF\n"
- "AAOCAQEACFb8AvCb6P+k+tZ7xkSAzk/ExfYAWMymtrwUSWgEdujm7l3sAg9g1o1Q\n"
- "GE8mTgHj5rCl7r+8dFRBv/38ErjHT1r0iWAFf2C3BUrz9vHCv8S5dIa2LX1rzNLz\n"
- "Rt0vxuBqw8M0Ayx9lt1awg6nCpnBBYurDC/zXDrPbDdVCYfeU0BsWO/8tqtlbgT2\n"
- "G9w84FoVxp7Z8VlIMCFlA2zs6SFz7JsDoeA3raAVGI/6ugLOpyypEBMs1OUIJqsi\n"
- "l2D4kF501KKaU73yqWjgom7C12yxow+ev+to51byrvLjKzg6CYG1a4XXvi3tPxq3\n"
- "smPi9WIsgtRqAEFQ8TmDn5XpNpaYbg==\n"
- "-----END CERTIFICATE-----\n"
- ;
-
-static auto X509Cert = [&]()
-{
- auto Cert = std::make_shared<cX509Cert>();
- VERIFY(0 == Cert->Parse(CertString, sizeof(CertString)));
- return Cert;
-}();
-
-return X509Cert;
-}
diff --git a/src/mbedTLS++/SslConfig.cpp b/src/mbedTLS++/SslConfig.cpp
index 054d63980..9bcac741f 100644
--- a/src/mbedTLS++/SslConfig.cpp
+++ b/src/mbedTLS++/SslConfig.cpp
@@ -5,7 +5,7 @@
#include "mbedTLS++/CryptoKey.h"
#include "mbedTLS++/EntropyContext.h"
-#include "mbedTLS++/RootCA.h"
+#include "mbedTLS++/X509Cert.h"
// This allows us to debug SSL and certificate problems, but produce way too much output,
@@ -235,8 +235,8 @@ std::shared_ptr<cSslConfig> cSslConfig::MakeDefaultConfig(bool a_IsClient)
Ret->SetRng(std::move(CtrDrbg));
}
- Ret->SetAuthMode(eSslAuthMode::Required);
- Ret->SetCACerts(GetCACerts());
+ // By default we have no root CAs, so no cert verification can be done:
+ Ret->SetAuthMode(eSslAuthMode::None);
#ifndef NDEBUG
#ifdef ENABLE_SSL_DEBUG_MSG
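Review bot: `Ret->SetAuthMode(eSslAuthMode::None)` makes every default-config client connection accept any certificate, and the call sites that still use the default (Authenticator.cpp's BlockingGet calls, Lua plugins omitting TrustedRootCAs, UrlClient requests without the option) get that silently. Consider failing closed instead, keeping `eSslAuthMode::Required` when `a_IsClient` is set so that a client config without CAs presumably fails the handshake until the caller supplies them, or at least make the comment say what is being given up: `// No root CAs are bundled any more; client configs built here do NOT verify the peer certificate unless the caller adds CAs via SetCACerts() and SetAuthMode(Required)`. MakeDefaultConfig begins and ends outside this hunk.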