boostorg/redis

Where to reinstate SSL verification spec?

grapland0 opened this issue · 4 comments

In example/cpp20_intro_tls.cpp, it does

conn->next_layer().set_verify_mode(asio::ssl::verify_peer);
conn->next_layer().set_verify_callback(verify_certificate);

before async_exec.

I wonder whether this survives auto-reconnect? If not, where should I reinstate these for new connections?

Reconnection is unfinished for SSL. I am thinking about adding a callback that will be called after this. Until then you can disable reconnection by setting this to zero and writing the loop from the link above yourself; it is easier if you are using coroutines.

Before the reconnection ssl support is completed, can we let it throw an exception if users enable both reconnection and SSL?

The current implementation may introduce a vulnerability as follows:

step 1, the MITM forces the client to drop a connection.
step 2, the MITM starts to intercept all connections from client to server, with a self-signed certificate.
step 3, boost.redis attempts to reconnect with refreshed default ssl modes, which in some implementations are equivalent to ssl::verify_none.
step 4, the connection won't fail because of the forged certificate. Then the MITM can monitor the traffic on this connection.

I have opened a PR with the fix. Please have a look.

@anarthal pointed out that if you set your options on the ssl::context, all subsequent connections created from it will use the new configuration. That would make my PR above unnecessary. @grapland0 Do you have a use case where setting options in the context directly is not possible?