From 77a82903fcf98f5b3b2d99932fc1db995bce937a Mon Sep 17 00:00:00 2001 From: Peter Conrad Date: Sun, 1 Sep 2019 15:17:59 +0200 Subject: [PATCH] Fix core #314 - Use windows default CAs for tls client connections --- src/network/http/websocket.cpp | 36 ++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/src/network/http/websocket.cpp b/src/network/http/websocket.cpp index 5138fb0..77ff233 100644 --- a/src/network/http/websocket.cpp +++ b/src/network/http/websocket.cpp @@ -20,6 +20,10 @@ #include #include +#if WIN32 +#include +#endif + #ifdef DEFAULT_LOGGER # undef DEFAULT_LOGGER #endif @@ -28,7 +32,33 @@ namespace fc { namespace http { namespace detail { +#if WIN32 + // taken from https://stackoverflow.com/questions/39772878/reliable-way-to-get-root-ca-certificates-on-windows/40710806 + static void add_windows_root_certs(boost::asio::ssl::context &ctx) + { + HCERTSTORE hStore = CertOpenSystemStore( 0, "ROOT" ); + if( hStore == NULL ) + return; + X509_STORE *store = X509_STORE_new(); + PCCERT_CONTEXT pContext = NULL; + while( (pContext = CertEnumCertificatesInStore( hStore, pContext )) != NULL ) + { + X509 *x509 = d2i_X509( NULL, (const unsigned char **)&pContext->pbCertEncoded, + pContext->cbCertEncoded); + if( x509 != NULL ) + { + X509_STORE_add_cert( store, x509 ); + X509_free( x509 ); + } + } + + CertFreeCertificateContext( pContext ); + CertCloseStore( hStore, 0 ); + + SSL_CTX_set_cert_store( ctx.native_handle(), store ); + } +#endif struct asio_with_stub_log : public websocketpp::config::asio { typedef asio_with_stub_log type; @@ -550,7 +580,13 @@ namespace fc { namespace http { return; ctx->set_verify_mode( boost::asio::ssl::verify_peer ); if( ca_filename == "_default" ) + { +#if WIN32 + add_windows_root_certs( *ctx ); +#else ctx->set_default_verify_paths(); +#endif + } else ctx->load_verify_file( ca_filename ); ctx->set_verify_depth(10);