diff options
Diffstat (limited to 'src/OSSupport/TCPLinkImpl.cpp')
-rw-r--r-- | src/OSSupport/TCPLinkImpl.cpp | 23 |
1 files changed, 17 insertions, 6 deletions
diff --git a/src/OSSupport/TCPLinkImpl.cpp b/src/OSSupport/TCPLinkImpl.cpp index 6bd33e9f5..1e12f27ab 100644 --- a/src/OSSupport/TCPLinkImpl.cpp +++ b/src/OSSupport/TCPLinkImpl.cpp @@ -244,7 +244,8 @@ void cTCPLinkImpl::Close(void) AString cTCPLinkImpl::StartTLSClient( cX509CertPtr a_OwnCert, - cCryptoKeyPtr a_OwnPrivKey + cCryptoKeyPtr a_OwnPrivKey, + cX509CertPtr a_TrustedRootCAs ) { // Check preconditions: @@ -259,15 +260,25 @@ AString cTCPLinkImpl::StartTLSClient( // Create the TLS context: m_TlsContext = std::make_shared<cLinkTlsContext>(*this); - if (a_OwnCert != nullptr) + if ((a_OwnCert == nullptr) && (a_TrustedRootCAs == nullptr)) { - auto Config = cSslConfig::MakeDefaultConfig(true); - Config->SetOwnCert(std::move(a_OwnCert), std::move(a_OwnPrivKey)); - m_TlsContext->Initialize(Config); + // Use the (shared) default TLS config + m_TlsContext->Initialize(true); } else { - m_TlsContext->Initialize(true); + // Need a specialized config for the own certificate / trusted root CAs: + auto Config = cSslConfig::MakeDefaultConfig(true); + if (a_OwnCert != nullptr) + { + Config->SetOwnCert(std::move(a_OwnCert), std::move(a_OwnPrivKey)); + } + if (a_TrustedRootCAs != nullptr) + { + Config->SetAuthMode(eSslAuthMode::Required); + Config->SetCACerts(std::move(a_TrustedRootCAs)); + } + m_TlsContext->Initialize(Config); } // Enable SNI / peer name verification: |