SSL torrent and url seeds #7592
Comments
Sorry for the delay. I would be open to exposing an "official" way of adding certificates to the cert store.
Hello @arvidn and thank you for the reply. I was actually thinking that the current way to handle cert(s) could be enough and it would just require a change in the doc and make sure that we can load more than 1 url. I have changed topic in the meantime but if I get a chance I will try to come up with a patch we could discuss.
Whatever you get back from
In your use case, you're adding a certificate to authenticate the web server, but is the web server also validating your client certificates?
Well, S3 (yes, this is for S3) does not allow this, but then I am only adding the URL seed manually, and that one is a presigned URL that I manage fully. Not ideal in the general case, but it just works for me.
libtorrent version (or branch): 2.0.9
platform/architecture: macOS, arm64
compiler and compiler version: clang
This is not strictly speaking an issue but something I found.
I have been carefully reading on #3892 and #6410. I was already trying to do the same.
The thing is that you do not necessarily have the same CA for an HTTP seed (especially when stored on a CDN) and in the private network for your peers. @arvidn, as you mentioned, the problem lies with the CA cert that we put in the SSL torrent. So basically, for it to work, I need the SSL context to have 2 CAs in its store and not only 1.
It turns out there is a relatively easy solution without patching libtorrent. In the attached example, you can see the code and the associated torrent. It is an SSL torrent that has a specific CA for the peer certs to check. And when I add the torrent to my session, I make sure I get the store and add the one for the HTTP download (using Amazon S3 there).
I was wondering if the set_trust_certificate function in ssl.cpp should not simply be able to load multiple certificates from this piece of data. If you agree, I could provide a patch for libtorrent for this. It requires no change to the API and it would be backward compatible.
HTH
2ca.zip
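The proposal above, letting one piece of PEM data carry both the peer CA and the web seed CA, depends on splitting that data into individual certificate blocks so each one can be added to the store. The following is an added example in standard C++, not code from libtorrent or from the attached 2ca.zip; `split_pem_certificates` and the sample bundle are hypothetical names, and passing each block to the TLS library's PEM parser is assumed to happen afterwards.

```cpp
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

// Split a PEM bundle into its individual CERTIFICATE blocks.
// Text outside the markers and other PEM types (keys, requests) are skipped.
// Throws if a block is opened but never closed, so a truncated bundle
// cannot silently drop one of the CAs from the trust store.
std::vector<std::string> split_pem_certificates(std::string const& bundle)
{
    static std::string const begin = "-----BEGIN CERTIFICATE-----";
    static std::string const end = "-----END CERTIFICATE-----";

    std::vector<std::string> certs;
    std::size_t pos = 0;
    while ((pos = bundle.find(begin, pos)) != std::string::npos)
    {
        std::size_t const stop = bundle.find(end, pos + begin.size());
        if (stop == std::string::npos)
            throw std::runtime_error("unterminated CERTIFICATE block");
        // A second BEGIN before the END means the first block was cut short.
        std::size_t const nested = bundle.find(begin, pos + begin.size());
        if (nested != std::string::npos && nested < stop)
            throw std::runtime_error("nested BEGIN CERTIFICATE marker");
        certs.push_back(bundle.substr(pos, stop + end.size() - pos) + "\n");
        pos = stop + end.size();
    }
    return certs;
}

// Constructed sample: placeholder bodies, not real certificates.
// The second block uses CRLF line endings, as files edited on Windows do.
std::string const sample_bundle =
    "# peer CA (constructed)\n"
    "-----BEGIN CERTIFICATE-----\nUEVFUi1DQQ==\n-----END CERTIFICATE-----\n"
    "# web seed CA (constructed)\r\n"
    "-----BEGIN CERTIFICATE-----\r\nV0VCLUNB\r\n-----END CERTIFICATE-----\r\n";

int main()
{
    // Each returned block would be parsed and added to the store in turn.
    for (auto const& pem : split_pem_certificates(sample_bundle))
        std::cout << "certificate block, " << pem.size() << " bytes\n";
    return 0;
}
```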