This is an automated email from the ASF dual-hosted git repository.
wwbmmm pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/brpc.git
The following commit(s) were added to refs/heads/master by this push:
new 8b6a9c04 feat: support more ssl verify mode (#3141)
8b6a9c04 is described below
commit 8b6a9c04709b2d3da5d53637d0007d50fddcf1e1
Author: koarz <[email protected]>
AuthorDate: Mon Dec 8 10:54:52 2025 +0800
feat: support more ssl verify mode (#3141)
* feat: support more ssl verify mode
* 1
---
src/brpc/details/ssl_helper.cpp | 15 +++++++++++++--
src/brpc/ssl_options.cpp | 5 ++++-
src/brpc/ssl_options.h | 12 ++++++++++++
3 files changed, 29 insertions(+), 3 deletions(-)
diff --git a/src/brpc/details/ssl_helper.cpp b/src/brpc/details/ssl_helper.cpp
index d33d0ee7..f38b16d6 100644
--- a/src/brpc/details/ssl_helper.cpp
+++ b/src/brpc/details/ssl_helper.cpp
@@ -17,6 +17,7 @@
+#include "brpc/ssl_options.h"
#include <openssl/bio.h>
#ifndef USE_MESALINK
@@ -412,8 +413,18 @@ static int SetSSLOptions(SSL_CTX* ctx, const std::string&
ciphers,
// TODO: Verify the CNAME in certificate matches the requesting host
if (verify.verify_depth > 0) {
- SSL_CTX_set_verify(ctx, (SSL_VERIFY_PEER
- | SSL_VERIFY_FAIL_IF_NO_PEER_CERT), NULL);
+ if (verify.verify_mode == VerifyMode::VERIFY_FAIL_IF_NO_PEER_CERT) {
+ SSL_CTX_set_verify(ctx, (SSL_VERIFY_PEER
+ | SSL_VERIFY_FAIL_IF_NO_PEER_CERT), NULL);
+ } else if (verify.verify_mode == VerifyMode::VERIFY_PEER) {
+ SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
+ } else if (verify.verify_mode == VerifyMode::VERIFY_NONE) {
+ SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
+ } else {
+ // for forward compatibility
+ SSL_CTX_set_verify(ctx, (SSL_VERIFY_PEER
+ | SSL_VERIFY_FAIL_IF_NO_PEER_CERT), NULL);
+ }
SSL_CTX_set_verify_depth(ctx, verify.verify_depth);
std::string cafile = verify.ca_file_path;
if (cafile.empty()) {
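Review bot: The new VERIFY_NONE branch silently switches peer verification off on a path that is only reached because the caller set verify_depth > 0, and the SSL_CTX_set_verify_depth call and CA-file loading that follow still execute, so a VerifyOptions that names a CA file yet ends up with no verification is accepted without any diagnostic. Per OpenSSL's SSL_CTX_set_verify documentation, SSL_VERIFY_NONE in client mode lets the handshake continue regardless of the verification result, so that branch should at least carry a comment such as `// VERIFY_NONE: the peer certificate is not checked; the depth and CA settings below are inert` and arguably emit a warning log. The if/else chain also repeats the `SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT` pair, and the "for forward compatibility" comment does not say that NOT_SET, the value VerifyOptions() assigns, is what lands there; computing the mode once in a switch and making NOT_SET an explicit case keeps the strict default visible. SetSSLOptions begins before this hunk and continues after it.
```cpp
    if (verify.verify_depth > 0) {
        // Strict behaviour is the default: NOT_SET and any future enumerator
        // keep it, so a newly added mode can never weaken verification by accident.
        int mode = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
        switch (verify.verify_mode) {
        case VerifyMode::VERIFY_NONE:
            // Peer certificate is not checked; the depth and CA settings below are inert.
            mode = SSL_VERIFY_NONE;
            break;
        case VerifyMode::VERIFY_PEER:
            mode = SSL_VERIFY_PEER;
            break;
        case VerifyMode::VERIFY_FAIL_IF_NO_PEER_CERT:
        case VerifyMode::NOT_SET:
        default:
            break;
        }
        SSL_CTX_set_verify(ctx, mode, NULL);
        // … unchanged: SSL_CTX_set_verify_depth and CA file loading …
```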
diff --git a/src/brpc/ssl_options.cpp b/src/brpc/ssl_options.cpp
index e3b8f5b1..748749ae 100644
--- a/src/brpc/ssl_options.cpp
+++ b/src/brpc/ssl_options.cpp
@@ -20,7 +20,10 @@
namespace brpc {
-VerifyOptions::VerifyOptions() : verify_depth(0) {}
+VerifyOptions::VerifyOptions()
+ : verify_depth(0)
+ , verify_mode(VerifyMode::NOT_SET)
+{}
ChannelSSLOptions::ChannelSSLOptions()
: ciphers("DEFAULT")
diff --git a/src/brpc/ssl_options.h b/src/brpc/ssl_options.h
index bbe9ccf1..8ddda248 100644
--- a/src/brpc/ssl_options.h
+++ b/src/brpc/ssl_options.h
@@ -41,6 +41,13 @@ struct CertInfo {
std::vector<std::string> sni_filters;
};
+enum class VerifyMode {
+ NOT_SET,
+ VERIFY_NONE,
+ VERIFY_PEER,
+ VERIFY_FAIL_IF_NO_PEER_CERT,
+};
+
struct VerifyOptions {
// Constructed with default options
VerifyOptions();
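Review bot: The new VerifyMode enum has no documentation on its enumerators, and the verify_mode field comment added in the next hunk of this file describes only VERIFY_FAIL_IF_NO_PEER_CERT, so a reader of the header cannot tell that NOT_SET is mapped to the same strict mode as VERIFY_FAIL_IF_NO_PEER_CERT in ssl_helper.cpp, that VERIFY_NONE disables peer-certificate checking, or that verify_mode is consulted only when verify_depth > 0. Suggest a comment per enumerator, e.g. `// NOT_SET: behaves as VERIFY_FAIL_IF_NO_PEER_CERT (the strict default)`, `// VERIFY_NONE: peer certificate is not verified (SSL_VERIFY_NONE)`, `// VERIFY_PEER: verify a peer certificate if presented but do not require one (SSL_VERIFY_PEER)`, and extending the verify_mode field comment with a sentence stating that it only takes effect when verify_depth > 0.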
@@ -50,6 +57,11 @@ struct VerifyOptions {
// Default: 0
int verify_depth;
+ // Set ssl verify mode for openssl
+ // If VERIFY_FAIL_IF_NO_PEER_CERT, it will set
`SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_PEER`
+ // Default: NOT_SET
+ VerifyMode verify_mode;
+
// Set the trusted CA file to verify the peer's certificate
// If empty, use the system default CA files
// Default: ""