feat: support more ssl verify mode (#3141)

koarz · web-flow · commit 8b6a9c04709b · 2025-12-08T10:54:52.000+08:00
* feat: support more ssl verify mode

* 1
diff --git a/src/brpc/details/ssl_helper.cpp b/src/brpc/details/ssl_helper.cpp
@@ -17,6 +17,7 @@
 
 
 
+#include "brpc/ssl_options.h"
 #include <openssl/bio.h>
 #ifndef USE_MESALINK
 
@@ -412,8 +413,18 @@ static int SetSSLOptions(SSL_CTX* ctx, const std::string& ciphers,
 
     // TODO: Verify the CNAME in certificate matches the requesting host
     if (verify.verify_depth > 0) {
-        SSL_CTX_set_verify(ctx, (SSL_VERIFY_PEER
-                                 | SSL_VERIFY_FAIL_IF_NO_PEER_CERT), NULL);
+        if (verify.verify_mode == VerifyMode::VERIFY_FAIL_IF_NO_PEER_CERT) {
+            SSL_CTX_set_verify(ctx, (SSL_VERIFY_PEER
+                                     | SSL_VERIFY_FAIL_IF_NO_PEER_CERT), NULL);
+        } else if (verify.verify_mode == VerifyMode::VERIFY_PEER) {
+            SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
+        } else if (verify.verify_mode == VerifyMode::VERIFY_NONE) {
+            SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
+        } else {
+            // for forward compatibility
+            SSL_CTX_set_verify(ctx, (SSL_VERIFY_PEER
+                                     | SSL_VERIFY_FAIL_IF_NO_PEER_CERT), NULL);
+        }
         SSL_CTX_set_verify_depth(ctx, verify.verify_depth);
         std::string cafile = verify.ca_file_path;
         if (cafile.empty()) {
diff --git a/src/brpc/ssl_options.cpp b/src/brpc/ssl_options.cpp
@@ -20,7 +20,10 @@
 
 namespace brpc {
 
-VerifyOptions::VerifyOptions() : verify_depth(0) {}
+VerifyOptions::VerifyOptions()
+    : verify_depth(0)
+    , verify_mode(VerifyMode::NOT_SET)
+{}
 
 ChannelSSLOptions::ChannelSSLOptions()
     : ciphers("DEFAULT")
diff --git a/src/brpc/ssl_options.h b/src/brpc/ssl_options.h
@@ -41,6 +41,13 @@ struct CertInfo {
     std::vector<std::string> sni_filters;
 };
 
+enum class VerifyMode {
+    NOT_SET,
+    VERIFY_NONE,
+    VERIFY_PEER,
+    VERIFY_FAIL_IF_NO_PEER_CERT,
+};
+
 struct VerifyOptions {
     // Constructed with default options
     VerifyOptions();
@@ -50,6 +57,11 @@ struct VerifyOptions {
     // Default: 0
     int verify_depth;
 
+    // Set ssl verify mode for openssl
+    // If VERIFY_FAIL_IF_NO_PEER_CERT, it will set `SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_PEER`
+    // Default: NOT_SET
+    VerifyMode verify_mode;
+
     // Set the trusted CA file to verify the peer's certificate
     // If empty, use the system default CA files
     // Default: ""
