• Chad Barb's avatar
    Added SSL to capture (enabled with -DWITHSSL) · 2e536ba3
    Chad Barb authored
    To tip (or tiptunnel on a normal acl,) capture behaves the same.
    However, if a client connects and presents "USESSL" as the first six characters of their
    connection key, both sides initiate SSL negotiation.
    The server then attempts to get the key again. The second one is used for the check.
    SSL initialization is done on the first attempt by a client to connect via SSL.
    Capture assumes $(prefix)/etc/capture/cert.pem contains its certificate unless
    the '-c <certfile>' option is used.. if the certificate is not found or invalid, that
    connection fails, but normal connections will still succeed (and it will try to find the file
    again, next time an SSL connection is attempted.)
    On the client side, tiptunnel only uses ssl if there is a "ssl-server-cert:"
    property in the acl file. This is the SHA hash of the certificate that the capture server is
    expected to have (in hex.) If the certificate presented by the server does not hash to the
    same value, the connection is dropped.
tiptunnel.c 10.7 KB