SSL certificate validation (#120)

Co-authored-by: an-tao <antao2002@gmail.com>

Author: marty1885

trantor/net/TcpClient.cc

@@ -149,6 +149,7 @@ void TcpClient::newConnection(int sockfd)
                                                    peerAddr,
                                                    sslCtxPtr_,
                                                    false,
+                                                   validateCert_,
                                                    SSLHostName_);
 #else
         LOG_FATAL << "OpenSSL is not found in your system!";
@@ -170,6 +171,12 @@ void TcpClient::newConnection(int sockfd)
         std::lock_guard<std::mutex> lock(mutex_);
         connection_ = conn;
     }
+    conn->setSSLErrorCallback([this](SSLError err) {
+        if (sslErrorCallback_)
+        {
+            sslErrorCallback_(err);
+        }
+    });
     conn->connectEstablished();
 }
 
@@ -195,11 +202,14 @@ void TcpClient::removeConnection(const TcpConnectionPtr &conn)
     }
 }
 
-void TcpClient::enableSSL(bool useOldTLS, std::string hostname)
+void TcpClient::enableSSL(bool useOldTLS,
+                          bool validateCert,
+                          std::string hostname)
 {
 #ifdef USE_OPENSSL
     /* Create a new OpenSSL context */
-    sslCtxPtr_ = newSSLContext(useOldTLS);
+    sslCtxPtr_ = newSSLContext(useOldTLS, validateCert);
+    validateCert_ = validateCert;
     if (!hostname.empty())
     {
         std::transform(hostname.begin(),

trantor/net/TcpClient.h

@@ -175,16 +175,33 @@ class TcpClient : NonCopyable
         writeCompleteCallback_ = std::move(cb);
     }
 
+    /**
+     * @brief Set the callback for errors of SSL
+     * @param cb The callback is called when an SSL error occurs.
+     */
+    void setSSLErrorCallback(const SSLErrorCallback &cb)
+    {
+        sslErrorCallback_ = cb;
+    }
+    void setSSLErrorCallback(SSLErrorCallback &&cb)
+    {
+        sslErrorCallback_ = std::move(cb);
+    }
+
     /**
      * @brief Enable SSL encryption.
      * @param useOldTLS If true, the TLS 1.0 and 1.1 are supported by the
      * client.
      * @param hostname The server hostname for SNI. If it is empty, the SNI is
      * not used.
+     * @param validateCert If true, we try to validate if the peer's SSL cert
+     * is valid.
      * @note It's well known that TLS 1.0 and 1.1 are not considered secure in
      * 2020. And it's a good practice to only use TLS 1.2 and above.
      */
-    void enableSSL(bool useOldTLS = false, std::string hostname = "");
+    void enableSSL(bool useOldTLS = false,
+                   bool validateCert = true,
+                   std::string hostname = "");
 
   private:
     /// Not thread safe, but in loop
@@ -199,12 +216,14 @@ class TcpClient : NonCopyable
     ConnectionErrorCallback connectionErrorCallback_;
     RecvMessageCallback messageCallback_;
     WriteCompleteCallback writeCompleteCallback_;
+    SSLErrorCallback sslErrorCallback_;
     std::atomic_bool retry_;    // atomic
     std::atomic_bool connect_;  // atomic
     // always in loop thread
     mutable std::mutex mutex_;
     TcpConnectionPtr connection_;  // @GuardedBy mutex_
     std::shared_ptr<SSLContext> sslCtxPtr_;
+    bool validateCert_{false};
     std::string SSLHostName_;
 #ifndef _WIN32
     class IgnoreSigPipe

trantor/net/TcpConnection.h

@@ -230,6 +230,7 @@ class TcpConnection
      */
     virtual void startClientEncryption(std::function<void()> callback,
                                        bool useOldTLS = false,
+                                       bool validateCert = true,
                                        std::string hostname = "") = 0;
 
     /**
@@ -242,6 +243,9 @@ class TcpConnection
     virtual void startServerEncryption(const std::shared_ptr<SSLContext> &ctx,
                                        std::function<void()> callback) = 0;
 
+  protected:
+    bool validateCert_ = false;
+
   private:
     std::shared_ptr<void> contextPtr_;
 };

trantor/net/callbacks.h

@@ -18,12 +18,11 @@
 #include <memory>
 namespace trantor
 {
-enum TrantorError
+enum class SSLError
 {
-    TrantorError_None,
-    TrantorError_UnkownError
+    kSSLHandshakeError,
+    kSSLInvalidCertificate
 };
-
 using TimerCallback = std::function<void()>;
 
 // the data has been read to (buf, len)
@@ -39,7 +38,6 @@ using CloseCallback = std::function<void(const TcpConnectionPtr &)>;
 using WriteCompleteCallback = std::function<void(const TcpConnectionPtr &)>;
 using HighWaterMarkCallback =
     std::function<void(const TcpConnectionPtr &, const size_t)>;
-
-using OperationCompleteCallback = std::function<void(const TrantorError)>;
+using SSLErrorCallback = std::function<void(SSLError)>;
 
 }  // namespace trantor