Menu
▾
▴
#2394 Support peer cert verification for SSL indications
This patch adds support for CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST on indications sent via https.
Currently SFCB supports verification of its certificate by the indication receiver but does not support the reverse: verification of the endpoint certificate by SFCB. This patch enables this support based on a new cfg parameter 'sslIndicationReceiverCert'.
Note that this continues the current strategy of sharing the same set of SSL certificates for both client connect and SSL indications. Sharing the certs is much simpler than having a separate set of certs for each function, and should be adequate for most applications.
Note that sharing a common CAcert file (for endpoint verification) between client connect and indication send does *not* mean these functions must use the same cert, since the OpenSSL truststore supports holding >1 certificate. In a configuration where the truststore is configured with two certs, a client connect endpoint *could* use a different certificate from an indication endpoint. The only limitation is: there is no way to ensure that SFCB uses *only* the desired cert for each operation. That is: the contents of the truststore are general; once the SSL library is pointed to a truststore file, all the contained certs become trusted.
Because sharing the certs can be confusing to the end user, this patch adds some clarifying remarks to the comment blocks in sfcb.cfg.
Committed to git master
patch for SFCB 1.4