Specifying SSL certificates for peer verification does an exact match,
making it a not-so-obvious alias for the fingerprints option. This
changes the checks to OpenSSL which loads concatenated certificate(s)
from a single file and does a certificate-authority (chain of trust)
check instead. There is no drop in security - a compromised exact match
fingerprint has the same worse case failure. There is increased security
in allowing separate long-term CA key and short-term SSL server keys.
This also removes loading of the system-default CA files if a custom
CA file or certificate fingerprint is specified.
throwboost::system::system_error{err,"Failed to load user CA file at "+ssl_context.ca_path};
}
elseif(allowed_fingerprints.empty())
ssl_context.context.set_default_verify_paths();// only use system-CAs if no user-supplied cert info
CHECK_AND_ASSERT_THROW_MES(private_key_and_certificate_path.first.empty()==private_key_and_certificate_path.second.empty(),"private key and certificate must be either both given or both empty");
constcommand_line::arg_descriptor<std::string>daemon_ssl={"daemon-ssl",tools::wallet2::tr("Enable SSL on daemon RPC connections: enabled|disabled|autodetect"),"autodetect"};
constcommand_line::arg_descriptor<std::string>daemon_ssl_private_key={"daemon-ssl-private-key",tools::wallet2::tr("Path to a PEM format private key"),""};
constcommand_line::arg_descriptor<std::string>daemon_ssl_certificate={"daemon-ssl-certificate",tools::wallet2::tr("Path to a PEM format certificate"),""};
constcommand_line::arg_descriptor<std::vector<std::string>>daemon_ssl_allowed_certificates ={"daemon-ssl-allowed-certificates",tools::wallet2::tr("List of paths to PEM format certificates of allowed RPC servers")};
constcommand_line::arg_descriptor<std::string>daemon_ssl_ca_certificates ={"daemon-ssl-ca-certificates",tools::wallet2::tr("Path to file containing concatenated PEM format certificate(s) to replace system CA(s).")};
constcommand_line::arg_descriptor<std::vector<std::string>>daemon_ssl_allowed_fingerprints={"daemon-ssl-allowed-fingerprints",tools::wallet2::tr("List of valid fingerprints of allowed RPC servers")};
constcommand_line::arg_descriptor<bool>daemon_ssl_allow_any_cert={"daemon-ssl-allow-any-cert",tools::wallet2::tr("Allow any SSL certificate from the daemon"),false};
constcommand_line::arg_descriptor<bool>testnet={"testnet",tools::wallet2::tr("For testnet. Daemon must also be launched with --testnet flag"),false};
std::string{"Use of --"}+opts.proxy.name+" requires --"+opts.daemon_ssl_allowed_certificates.name+" or --"+opts.daemon_ssl_allowed_fingerprints.name+" or use of a .onion/.i2p domain"
std::string{"Use of --"}+opts.proxy.name+" requires --"+opts.daemon_ssl_ca_certificates.name+" or --"+opts.daemon_ssl_allowed_fingerprints.name+" or use of a .onion/.i2p domain"
constcommand_line::arg_descriptor<std::string>arg_rpc_ssl={"rpc-ssl",tools::wallet2::tr("Enable SSL on wallet RPC connections: enabled|disabled|autodetect"),"autodetect"};
constcommand_line::arg_descriptor<std::string>arg_rpc_ssl_private_key={"rpc-ssl-private-key",tools::wallet2::tr("Path to a PEM format private key"),""};
constcommand_line::arg_descriptor<std::string>arg_rpc_ssl_certificate={"rpc-ssl-certificate",tools::wallet2::tr("Path to a PEM format certificate"),""};
constcommand_line::arg_descriptor<std::vector<std::string>>arg_rpc_ssl_allowed_certificates ={"rpc-ssl-allowed-certificates",tools::wallet2::tr("List of paths to PEM format certificates of allowed RPC servers (all allowed if empty)")};
constcommand_line::arg_descriptor<std::string>arg_rpc_ssl_ca_certificates ={"rpc-ssl-ca-certificates",tools::wallet2::tr("Path to file containing concatenated PEM format certificate(s) to replace system CA(s).")};
constcommand_line::arg_descriptor<std::vector<std::string>>arg_rpc_ssl_allowed_fingerprints={"rpc-ssl-allowed-fingerprints",tools::wallet2::tr("List of certificate fingerprints to allow")};