SSL fixes for validator list (RIPD-1558)

Builds/CMake/CMakeFuncs.cmake

@@ -761,6 +761,6 @@ macro(link_common_libraries cur_project)
       $<$<OR:$<CONFIG:Release>,$<CONFIG:ReleaseClassic>>:VC/static/libeay32MT>)
     target_link_libraries(${cur_project}
       legacy_stdio_definitions.lib Shlwapi kernel32 user32 gdi32 winspool comdlg32
-      advapi32 shell32 ole32 oleaut32 uuid odbc32 odbccp32)
+      advapi32 shell32 ole32 oleaut32 uuid odbc32 odbccp32 crypt32)
   endif (NOT MSVC)
 endmacro()

Builds/VisualStudio2015/RippleD.vcxproj

@@ -110,7 +110,7 @@
       <AdditionalOptions>/bigobj /FS %(AdditionalOptions)</AdditionalOptions>
     </ClCompile>
     <Link>
-      <AdditionalDependencies>advapi32.lib;comdlg32.lib;gdi32.lib;kernel32.lib;legacy_stdio_definitions.lib;odbc32.lib;odbccp32.lib;ole32.lib;oleaut32.lib;shell32.lib;Shlwapi.lib;user32.lib;uuid.lib;VC/static/libeay32MTd.lib;VC/static/ssleay32MTd.lib;winspool.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>advapi32.lib;comdlg32.lib;crypt32.lib;gdi32.lib;kernel32.lib;legacy_stdio_definitions.lib;odbc32.lib;odbccp32.lib;ole32.lib;oleaut32.lib;shell32.lib;Shlwapi.lib;user32.lib;uuid.lib;VC/static/libeay32MTd.lib;VC/static/ssleay32MTd.lib;winspool.lib;%(AdditionalDependencies)</AdditionalDependencies>
       <SuppressStartupBanner>True</SuppressStartupBanner>
       <ErrorReporting>NoErrorReport</ErrorReporting>
       <SubSystem>Console</SubSystem>
@@ -147,7 +147,7 @@
       <AdditionalOptions>/bigobj /FS %(AdditionalOptions)</AdditionalOptions>
     </ClCompile>
     <Link>
-      <AdditionalDependencies>advapi32.lib;comdlg32.lib;gdi32.lib;kernel32.lib;legacy_stdio_definitions.lib;odbc32.lib;odbccp32.lib;ole32.lib;oleaut32.lib;shell32.lib;Shlwapi.lib;user32.lib;uuid.lib;VC/static/libeay32MTd.lib;VC/static/ssleay32MTd.lib;winspool.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>advapi32.lib;comdlg32.lib;crypt32.lib;gdi32.lib;kernel32.lib;legacy_stdio_definitions.lib;odbc32.lib;odbccp32.lib;ole32.lib;oleaut32.lib;shell32.lib;Shlwapi.lib;user32.lib;uuid.lib;VC/static/libeay32MTd.lib;VC/static/ssleay32MTd.lib;winspool.lib;%(AdditionalDependencies)</AdditionalDependencies>
       <SuppressStartupBanner>True</SuppressStartupBanner>
       <ErrorReporting>NoErrorReport</ErrorReporting>
       <SubSystem>Console</SubSystem>
@@ -182,7 +182,7 @@
       <AdditionalOptions>/bigobj /FS %(AdditionalOptions)</AdditionalOptions>
     </ClCompile>
     <Link>
-      <AdditionalDependencies>advapi32.lib;comdlg32.lib;gdi32.lib;kernel32.lib;legacy_stdio_definitions.lib;odbc32.lib;odbccp32.lib;ole32.lib;oleaut32.lib;shell32.lib;Shlwapi.lib;user32.lib;uuid.lib;VC/static/libeay32MT.lib;VC/static/ssleay32MT.lib;winspool.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>advapi32.lib;comdlg32.lib;crypt32.lib;gdi32.lib;kernel32.lib;legacy_stdio_definitions.lib;odbc32.lib;odbccp32.lib;ole32.lib;oleaut32.lib;shell32.lib;Shlwapi.lib;user32.lib;uuid.lib;VC/static/libeay32MT.lib;VC/static/ssleay32MT.lib;winspool.lib;%(AdditionalDependencies)</AdditionalDependencies>
       <SuppressStartupBanner>True</SuppressStartupBanner>
       <ErrorReporting>NoErrorReport</ErrorReporting>
       <SubSystem>Console</SubSystem>
@@ -217,7 +217,7 @@
       <AdditionalOptions>/bigobj /FS %(AdditionalOptions)</AdditionalOptions>
     </ClCompile>
     <Link>
-      <AdditionalDependencies>advapi32.lib;comdlg32.lib;gdi32.lib;kernel32.lib;legacy_stdio_definitions.lib;odbc32.lib;odbccp32.lib;ole32.lib;oleaut32.lib;shell32.lib;Shlwapi.lib;user32.lib;uuid.lib;VC/static/libeay32MT.lib;VC/static/ssleay32MT.lib;winspool.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>advapi32.lib;comdlg32.lib;crypt32.lib;gdi32.lib;kernel32.lib;legacy_stdio_definitions.lib;odbc32.lib;odbccp32.lib;ole32.lib;oleaut32.lib;shell32.lib;Shlwapi.lib;user32.lib;uuid.lib;VC/static/libeay32MT.lib;VC/static/ssleay32MT.lib;winspool.lib;%(AdditionalDependencies)</AdditionalDependencies>
       <SuppressStartupBanner>True</SuppressStartupBanner>
       <ErrorReporting>NoErrorReport</ErrorReporting>
       <SubSystem>Console</SubSystem>
@@ -2199,6 +2199,10 @@
       <ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='debug|x64'">True</ExcludedFromBuild>
       <ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='release|x64'">True</ExcludedFromBuild>
     </ClCompile>
+    <ClCompile Include="..\..\src\ripple\net\impl\RegisterSSLCerts.cpp">
+      <ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='debug|x64'">True</ExcludedFromBuild>
+      <ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='release|x64'">True</ExcludedFromBuild>
+    </ClCompile>
     <ClCompile Include="..\..\src\ripple\net\impl\RPCCall.cpp">
       <ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='debug|x64'">True</ExcludedFromBuild>
       <ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='release|x64'">True</ExcludedFromBuild>
@@ -2213,6 +2217,8 @@
     </ClCompile>
     <ClInclude Include="..\..\src\ripple\net\InfoSub.h">
     </ClInclude>
+    <ClInclude Include="..\..\src\ripple\net\RegisterSSLCerts.h">
+    </ClInclude>
     <ClInclude Include="..\..\src\ripple\net\RPCCall.h">
     </ClInclude>
     <ClInclude Include="..\..\src\ripple\net\RPCErr.h">

Builds/VisualStudio2015/RippleD.vcxproj.filters

@@ -2835,6 +2835,9 @@
     <ClCompile Include="..\..\src\ripple\net\impl\InfoSub.cpp">
       <Filter>ripple\net\impl</Filter>
     </ClCompile>
+    <ClCompile Include="..\..\src\ripple\net\impl\RegisterSSLCerts.cpp">
+      <Filter>ripple\net\impl</Filter>
+    </ClCompile>
     <ClCompile Include="..\..\src\ripple\net\impl\RPCCall.cpp">
       <Filter>ripple\net\impl</Filter>
     </ClCompile>
@@ -2847,6 +2850,9 @@
     <ClInclude Include="..\..\src\ripple\net\InfoSub.h">
       <Filter>ripple\net</Filter>
     </ClInclude>
+    <ClInclude Include="..\..\src\ripple\net\RegisterSSLCerts.h">
+      <Filter>ripple\net</Filter>
+    </ClInclude>
     <ClInclude Include="..\..\src\ripple\net\RPCCall.h">
       <Filter>ripple\net</Filter>
     </ClInclude>

SConstruct

@@ -754,6 +754,7 @@ def config_env(toolchain, variant, env):
             'uuid.lib',
             'odbc32.lib',
             'odbccp32.lib',
+	    'crypt32.lib'
             ])
         env.Append(LINKFLAGS=[
             '/DEBUG',

src/ripple/app/misc/detail/WorkSSL.h

@@ -21,6 +21,7 @@
 #define RIPPLE_APP_MISC_DETAIL_WORKSSL_H_INCLUDED
 
 #include <ripple/app/misc/detail/WorkBase.h>
+#include <ripple/net/RegisterSSLCerts.h>
 #include <ripple/basics/contract.h>
 #include <boost/asio/ssl.hpp>
 #include <boost/bind.hpp>
@@ -37,8 +38,7 @@ class SSLContext : public boost::asio::ssl::context
     : boost::asio::ssl::context(boost::asio::ssl::context::sslv23)
     {
         boost::system::error_code ec;
-        set_default_verify_paths (ec);
-
+        registerSSLCerts(*this, ec);
         if (ec)
         {
             Throw<std::runtime_error> (
@@ -82,13 +82,12 @@ class WorkSSL : public WorkBase<WorkSSL>
     onHandshake(error_code const& ec);
 
     static bool
-    rfc2818_verify (
+    rfc2818_verify(
         std::string const& domain,
         bool preverified,
         boost::asio::ssl::verify_context& ctx)
     {
-        return
-            boost::asio::ssl::rfc2818_verification (domain) (preverified, ctx);
+        return boost::asio::ssl::rfc2818_verification(domain)(preverified, ctx);
     }
 };
 
@@ -102,9 +101,10 @@ WorkSSL::WorkSSL(
     , context_()
     , stream_ (socket_, context_)
 {
+    // Set SNI hostname
+    SSL_set_tlsext_host_name(stream_.native_handle(), host.c_str());
     stream_.set_verify_mode (boost::asio::ssl::verify_peer);
-    stream_.set_verify_callback (
-        std::bind (
+    stream_.set_verify_callback(    std::bind (
             &WorkSSL::rfc2818_verify, host_,
             std::placeholders::_1, std::placeholders::_2));
 }

src/ripple/net/AutoSocket.h

@@ -149,6 +149,10 @@ class AutoSocket
         return ec;
     }
 
+    void setTLSHostName(std::string const & host)
+    {
+        SSL_set_tlsext_host_name(mSocket->native_handle(), host.c_str());
+    }
 /*
     template <typename HandshakeHandler>
     BOOST_ASIO_INITFN_RESULT_TYPE(HandshakeHandler,

src/ripple/net/RegisterSSLCerts.h

@@ -0,0 +1,38 @@
+//------------------------------------------------------------------------------
+/*
+    This file is part of rippled: https://github.com/ripple/rippled
+    Copyright (c) 2016 Ripple Labs Inc.
+
+    Permission to use, copy, modify, and/or distribute this software for any
+    purpose  with  or without fee is hereby granted, provided that the above
+    copyright notice and this permission notice appear in all copies.
+
+    THE  SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+    WITH  REGARD  TO  THIS  SOFTWARE  INCLUDING  ALL  IMPLIED  WARRANTIES  OF
+    MERCHANTABILITY  AND  FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+    ANY  SPECIAL ,  DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+    WHATSOEVER  RESULTING  FROM  LOSS  OF USE, DATA OR PROFITS, WHETHER IN AN
+    ACTION  OF  CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+*/
+//==============================================================================
+
+#ifndef RIPPLE_NET_REGISTER_SSL_CERTS_H_INCLUDED
+#define RIPPLE_NET_REGISTER_SSL_CERTS_H_INCLUDED
+
+#include <boost/asio/ssl/context.hpp>
+
+namespace ripple {
+/** Register default SSL certificates.
+
+    Register the system default SSL root certificates. On linux/mac,
+    this just calls asio's `set_default_verify_paths` to look in standard
+    operating system locations. On windows, it uses the OS certificate
+    store accessible via CryptoAPI.
+*/
+void
+registerSSLCerts(boost::asio::ssl::context&, boost::system::error_code&);
+
+}  // namespace ripple
+
+#endif

src/ripple/net/impl/HTTPClient.cpp

@@ -23,6 +23,7 @@
 #include <ripple/basics/StringUtilities.h>
 #include <ripple/net/HTTPClient.h>
 #include <ripple/net/AutoSocket.h>
+#include <ripple/net/RegisterSSLCerts.h>
 #include <ripple/beast/core/LexicalCast.h>
 #include <boost/asio.hpp>
 #include <boost/asio/ssl.hpp>
@@ -48,7 +49,7 @@ class HTTPClientSSLContext
 
         if (config.SSL_VERIFY_FILE.empty ())
         {
-            m_context.set_default_verify_paths (ec);
+            registerSSLCerts(m_context, ec);
 
             if (ec && config.SSL_VERIFY_DIR.empty ())
                 Throw<std::runtime_error> (
@@ -278,6 +279,12 @@ class HTTPClientImp
         {
             JLOG (j_.trace()) << "Resolve complete.";
 
+            // If we intend  to verify the SSL connection, we need to
+            // set the default domain for server name indication *prior* to
+            // connecting
+            if (httpClientSSLContext->sslVerify())
+                mSocket.setTLSHostName(mDeqSites[0]);
+
             boost::asio::async_connect (
                 mSocket.lowest_layer (),
                 itrEndpoint,

src/ripple/net/impl/RegisterSSLCerts.cpp

@@ -0,0 +1,62 @@
+//------------------------------------------------------------------------------
+/*
+    This file is part of rippled: https://github.com/ripple/rippled
+    Copyright (c) 2012, 2013 Ripple Labs Inc.
+
+    Permission to use, copy, modify, and/or distribute this software for any
+    purpose  with  or without fee is hereby granted, provided that the above
+    copyright notice and this permission notice appear in all copies.
+
+    THE  SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+    WITH  REGARD  TO  THIS  SOFTWARE  INCLUDING  ALL  IMPLIED  WARRANTIES  OF
+    MERCHANTABILITY  AND  FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+    ANY  SPECIAL ,  DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+    WHATSOEVER  RESULTING  FROM  LOSS  OF USE, DATA OR PROFITS, WHETHER IN AN
+    ACTION  OF  CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+*/
+//==============================================================================
+#include <BeastConfig.h>
+#include <ripple/net/RegisterSSLCerts.h>
+#if BEAST_WINDOWS
+#include <wincrypt.h>
+#endif
+
+namespace ripple {
+
+void
+registerSSLCerts(boost::asio::ssl::context& ctx, boost::system::error_code& ec)
+{
+#if BEAST_WINDOWS
+    HCERTSTORE hStore = CertOpenSystemStore(0, "ROOT");
+    if (hStore == NULL)
+    {
+        return;
+    }
+
+    X509_STORE* store = X509_STORE_new();
+    PCCERT_CONTEXT pContext = NULL;
+    while ((pContext = CertEnumCertificatesInStore(hStore, pContext)) != NULL)
+    {
+        X509* x509 = d2i_X509(
+            NULL,
+            (const unsigned char**)&pContext->pbCertEncoded,
+            pContext->cbCertEncoded);
+        if (x509 != NULL)
+        {
+            X509_STORE_add_cert(store, x509);
+            X509_free(x509);
+        }
+    }
+
+    CertFreeCertificateContext(pContext);
+    CertCloseStore(hStore, 0);
+
+    SSL_CTX_set_cert_store(ctx.native_handle(), store);
+#else
+
+    ctx.set_default_verify_paths(ec);
+#endif
+}
+
+}  // namespace ripple

src/ripple/unity/net.cpp

@@ -26,3 +26,4 @@
 #include <ripple/net/impl/RPCCall.cpp>
 #include <ripple/net/impl/RPCErr.cpp>
 #include <ripple/net/impl/RPCSub.cpp>
+#include <ripple/net/impl/RegisterSSLCerts.cpp>