Improved certificate checking.

This commit is contained in:
Ylian Saint-Hilaire 2020-11-08 13:29:37 -08:00
parent 7aef3cda0c
commit c8b465e632
3 changed files with 18 additions and 2 deletions

View File

@ -776,7 +776,12 @@ function createMeshCore(agent) {
var woptions = http.parseUri(xurl);
woptions.perMessageDeflate = false;
if (typeof data.perMessageDeflate == 'boolean') { woptions.perMessageDeflate = data.perMessageDeflate; }
// Perform manual server TLS certificate checking based on the certificate hash given by the server.
woptions.rejectUnauthorized = 0;
woptions.checkServerIdentity = function checkServerIdentity(certs) { if ((checkServerIdentity.servertlshash != null) && (checkServerIdentity.servertlshash != certs[0].fingerprint.split(':').join('').toLowerCase())) { throw new Error('BadCert') } }
woptions.checkServerIdentity.servertlshash = data.servertlshash;
//sendConsoleText(JSON.stringify(woptions));
//sendConsoleText('TUNNEL: ' + JSON.stringify(data));
var tunnel = http.request(woptions);
@ -1147,7 +1152,12 @@ function createMeshCore(agent) {
data.url = 'http' + getServerTargetUrlEx('*/').substring(2);
var agentFileHttpOptions = http.parseUri(data.url);
agentFileHttpOptions.path = data.urlpath;
agentFileHttpOptions.rejectUnauthorized = 0; // TODO: Check TLS cert
// Perform manual server TLS certificate checking based on the certificate hash given by the server.
agentFileHttpOptions.rejectUnauthorized = 0;
agentFileHttpOptions.checkServerIdentity = function checkServerIdentity(certs) { if ((checkServerIdentity.servertlshash != null) && (checkServerIdentity.servertlshash != certs[0].fingerprint.split(':').join('').toLowerCase())) { throw new Error('BadCert') } }
agentFileHttpOptions.checkServerIdentity.servertlshash = data.servertlshash;
if (agentFileHttpOptions == null) break;
var agentFileHttpRequest = http.request(agentFileHttpOptions,
function (response) {

View File

@ -1328,6 +1328,10 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
if (url.query.p == '1') { requiredNonRights = MESHRIGHT_NOTERMINAL; }
else if ((url.query.p == '4') || (url.query.p == '5')) { requiredNonRights = MESHRIGHT_NOFILES; }
// Add server TLS cert hash
const tlsCertHash = parent.webCertificateHashs[domain.id];
if (tlsCertHash != null) { command.servertlshash = Buffer.from(tlsCertHash, 'binary').toString('hex'); }
// Add user consent messages
command.soptions = {};
if (typeof domain.consentmessages == 'object') {

View File

@ -3223,12 +3223,14 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
// Instruct one of more agents to download a URL to a given local drive location.
function handleUploadFileBatchEx(cmd) {
var tlsCertHash = obj.webCertificateHashs[cmd.domain.id];
if (tlsCertHash != null) { tlsCertHash = Buffer.from(tlsCertHash, 'binary').toString('hex'); }
for (var i in cmd.nodeids) {
obj.GetNodeWithRights(cmd.domain, cmd.user, cmd.nodeids[i], function (node, rights, visible) {
if ((node == null) || ((rights & 8) == 0) || (visible == false)) return; // We don't have remote control rights to this device
var agentPath = ((node.agent.id > 0) && (node.agent.id < 5)) ? cmd.windowsPath : cmd.linuxPath;
for (var f in cmd.files) {
const acmd = { action: 'wget', overwrite: cmd.overwrite, urlpath: '/agentdownload.ashx?c=' + obj.parent.encodeCookie({ a: 'tmpdl', d: cmd.domain.id, nid: node._id, f: cmd.files[f].target }, obj.parent.loginCookieEncryptionKey), path: obj.path.join(agentPath, cmd.files[f].name) };
const acmd = { action: 'wget', overwrite: cmd.overwrite, urlpath: '/agentdownload.ashx?c=' + obj.parent.encodeCookie({ a: 'tmpdl', d: cmd.domain.id, nid: node._id, f: cmd.files[f].target }, obj.parent.loginCookieEncryptionKey), path: obj.path.join(agentPath, cmd.files[f].name), servertlshash: tlsCertHash };
var agent = obj.wsagents[node._id];
if (agent != null) { try { agent.send(JSON.stringify(acmd)); } catch (ex) { } }
// TODO: Add support for peer servers.