author: Mattes D <github@xoft.cz> 2023-05-09 19:59:15 +0200
committer: Mattes D <github@xoft.cz> 2023-05-19 16:25:12 +0200
commit: 97c49c6f294a0b7e931be2692c124bd78fc79946 (patch)
tree: 872fcdfbfc30ff0ed2e2e444bb965769ea147e60 /src
parent: cTCPLink: Use the original connection hostname for SNI. (diff)
download: cuberite-97c49c6f294a0b7e931be2692c124bd78fc79946.tar
cuberite-97c49c6f294a0b7e931be2692c124bd78fc79946.tar.gz
cuberite-97c49c6f294a0b7e931be2692c124bd78fc79946.tar.bz2
cuberite-97c49c6f294a0b7e931be2692c124bd78fc79946.tar.lz
cuberite-97c49c6f294a0b7e931be2692c124bd78fc79946.tar.xz
cuberite-97c49c6f294a0b7e931be2692c124bd78fc79946.tar.zst
cuberite-97c49c6f294a0b7e931be2692c124bd78fc79946.zip
14 files changed, 240 insertions, 194 deletions
diff --git a/src/Bindings/LuaTCPLink.cpp b/src/Bindings/LuaTCPLink.cpp
index 14ea5c905..883361abb 100644
--- a/src/Bindings/LuaTCPLink.cpp
+++ b/src/Bindings/LuaTCPLink.cpp
@@ -166,7 +166,8 @@ void cLuaTCPLink::Close(void)
 AString cLuaTCPLink::StartTLSClient(
 	const AString & a_OwnCertData,
 	const AString & a_OwnPrivKeyData,
-	const AString & a_OwnPrivKeyPassword
+	const AString & a_OwnPrivKeyPassword,
+	const AString & a_TrustedRootCAs
 )
 {
 	auto link = m_Link;
@@ -193,7 +194,17 @@ AString cLuaTCPLink::StartTLSClient(
 			}
 		}
 
-		return link->StartTLSClient(ownCert, ownPrivKey);
+		cX509CertPtr trustedRootCAs;
+		if (!a_TrustedRootCAs.empty())
+		{
+			trustedRootCAs = std::make_shared<cX509Cert>();
+			auto res = trustedRootCAs->Parse(a_TrustedRootCAs.data(), a_TrustedRootCAs.size());
+			if (res != 0)
+			{
+				return fmt::format("Cannot parse trusted root CAs: {}", res);
+			}
+		}
+		return link->StartTLSClient(ownCert, ownPrivKey, trustedRootCAs);
 	}
 	return "";
 }
diff --git a/src/Bindings/LuaTCPLink.h b/src/Bindings/LuaTCPLink.h
index 6e5a78b4d..e5618f838 100644
--- a/src/Bindings/LuaTCPLink.h
+++ b/src/Bindings/LuaTCPLink.h
@@ -66,11 +66,13 @@ public:
 	If a client certificate should be used for the connection, set the certificate into a_OwnCertData and
 	its corresponding private key to a_OwnPrivKeyData. If both are empty, no client cert is presented.
 	a_OwnPrivKeyPassword is the password to be used for decoding PrivKey, empty if not passworded.
+	a_TrustedRootCAs is a \n-delimited concatenation of trusted root CAs' certificates in PEM format
 	Returns empty string on success, non-empty error description on failure. */
 	AString StartTLSClient(
 		const AString & a_OwnCertData,
 		const AString & a_OwnPrivKeyData,
-		const AString & a_OwnPrivKeyPassword
+		const AString & a_OwnPrivKeyPassword,
+		const AString & a_TrustedRootCAs
 	);
 
 	/** Starts a TLS handshake as a server connection.
diff --git a/src/Bindings/ManualBindings_Network.cpp b/src/Bindings/ManualBindings_Network.cpp
index 67385cce6..c184821e9 100644
--- a/src/Bindings/ManualBindings_Network.cpp
+++ b/src/Bindings/ManualBindings_Network.cpp
@@ -546,7 +546,7 @@ static int tolua_cTCPLink_Shutdown(lua_State * L)
 static int tolua_cTCPLink_StartTLSClient(lua_State * L)
 {
 	// Function signature:
-	// LinkInstance:StartTLSClient(OwnCert, OwnPrivKey, OwnPrivKeyPassword) -> [true] or [nil, ErrMsg]
+	// LinkInstance:StartTLSClient(OwnCert, OwnPrivKey, OwnPrivKeyPassword, TrustedRootCAs) -> [true] or [nil, ErrMsg]
 
 	// Get the link:
 	cLuaState S(L);
@@ -558,11 +558,11 @@ static int tolua_cTCPLink_StartTLSClient(lua_State * L)
 	ASSERT(Link != nullptr);  // Checked by CheckParamSelf()
 
 	// Read the (optional) params:
-	AString OwnCert, OwnPrivKey, OwnPrivKeyPassword;
-	S.GetStackValues(2, OwnCert, OwnPrivKey, OwnPrivKeyPassword);
+	AString OwnCert, OwnPrivKey, OwnPrivKeyPassword, TrustedRootCAs;
+	S.GetStackValues(2, OwnCert, OwnPrivKey, OwnPrivKeyPassword, cLuaState::cOptionalParam<std::string>(TrustedRootCAs));
 
 	// Start the TLS handshake:
-	AString res = Link->StartTLSClient(OwnCert, OwnPrivKey, OwnPrivKeyPassword);
+	AString res = Link->StartTLSClient(OwnCert, OwnPrivKey, OwnPrivKeyPassword, TrustedRootCAs);
 	if (!res.empty())
 	{
 		S.Push(cLuaState::Nil, fmt::format(
diff --git a/src/HTTP/UrlClient.cpp b/src/HTTP/UrlClient.cpp
index ed47341c3..eb52acfee 100644
--- a/src/HTTP/UrlClient.cpp
+++ b/src/HTTP/UrlClient.cpp
@@ -20,15 +20,18 @@ class cSchemeHandler;
 using cSchemeHandlerPtr = std::shared_ptr<cSchemeHandler>;
 
 
-/** This is a basic set of callbacks to enable quick implementation of HTTP request. */
+
+
+
 namespace
 {
-	class cSimpleHTTPCallbacks :
+	/** Callbacks implementing the blocking UrlClient behavior. */
+	class cBlockingHTTPCallbacks :
 		public cUrlClient::cCallbacks
 	{
 	public:
 
-		explicit cSimpleHTTPCallbacks(std::shared_ptr<cEvent> a_Event, AString & a_ResponseBody) :
+		explicit cBlockingHTTPCallbacks(std::shared_ptr<cEvent> a_Event, AString & a_ResponseBody) :
 			m_Event(std::move(a_Event)), m_ResponseBody(a_ResponseBody)
 		{
 		}
@@ -73,13 +76,13 @@ public:
 		cUrlClient::cCallbacksPtr && a_Callbacks,
 		AStringMap && a_Headers,
 		const AString & a_Body,
-		AStringMap && a_Options
+		const AStringMap & a_Options
 	)
 	{
 		// Create a new instance of cUrlClientRequest, wrapped in a SharedPtr, so that it has a controlled lifetime.
 		// Cannot use std::make_shared, because the constructor is not public
 		std::shared_ptr<cUrlClientRequest> ptr (new cUrlClientRequest(
-			a_Method, a_URL, std::move(a_Callbacks), std::move(a_Headers), a_Body, std::move(a_Options)
+			a_Method, a_URL, std::move(a_Callbacks), std::move(a_Headers), a_Body, a_Options
 		));
 		return ptr->DoRequest(ptr);
 	}
@@ -138,6 +141,24 @@ public:
 		return key;
 	}
 
+	/** Returns the parsed TrustedRootCAs from the options, or an empty pointer if the option is not set.
+	Throws a std::runtime_error if CAs are provided, but parsing them fails. */
+	cX509CertPtr GetTrustedRootCAs() const
+	{
+		auto itr = m_Options.find("TrustedRootCAs");
+		if (itr == m_Options.end())
+		{
+			return nullptr;
+		}
+		auto Cert = std::make_shared<cX509Cert>();
+		auto Res = Cert->Parse(itr->second.data(), itr->second.size());
+		if (Res != 0)
+		{
+			throw std::runtime_error(fmt::format("Failed to parse the TrustedRootCAs certificate: {}", Res));
+		}
+		return Cert;
+	}
+
 protected:
 
 	/** Method to be used for the request */
@@ -184,14 +205,14 @@ protected:
 		cUrlClient::cCallbacksPtr && a_Callbacks,
 		AStringMap && a_Headers,
 		const AString & a_Body,
-		AStringMap && a_Options
+		const AStringMap & a_Options
 	):
 		m_Method(a_Method),
 		m_Url(a_Url),
 		m_Callbacks(std::move(a_Callbacks)),
 		m_Headers(std::move(a_Headers)),
 		m_Body(a_Body),
-		m_Options(std::move(a_Options))
+		m_Options(a_Options)
 	{
 		m_NumRemainingRedirects = GetStringMapInteger(m_Options, "MaxRedirects", 30);
 	}
@@ -299,7 +320,7 @@ public:
 		m_Link = &a_Link;
 		if (m_IsTls)
 		{
-			m_Link->StartTLSClient(m_ParentRequest.GetOwnCert(), m_ParentRequest.GetOwnPrivKey());
+			m_Link->StartTLSClient(m_ParentRequest.GetOwnCert(), m_ParentRequest.GetOwnPrivKey(), m_ParentRequest.GetTrustedRootCAs());
 		}
 		else
 		{
@@ -652,11 +673,11 @@ std::pair<bool, AString> cUrlClient::Request(
 	cCallbacksPtr && a_Callbacks,
 	AStringMap && a_Headers,
 	const AString & a_Body,
-	AStringMap && a_Options
+	const AStringMap & a_Options
 )
 {
 	return cUrlClientRequest::Request(
-		a_Method, a_URL, std::move(a_Callbacks), std::move(a_Headers), a_Body, std::move(a_Options)
+		a_Method, a_URL, std::move(a_Callbacks), std::move(a_Headers), a_Body, a_Options
 	);
 }
 
@@ -669,11 +690,11 @@ std::pair<bool, AString> cUrlClient::Get(
 	cCallbacksPtr && a_Callbacks,
 	AStringMap && a_Headers,
 	const AString & a_Body,
-	AStringMap && a_Options
+	const AStringMap & a_Options
 )
 {
 	return cUrlClientRequest::Request(
-		"GET", a_URL, std::move(a_Callbacks), std::move(a_Headers), a_Body, std::move(a_Options)
+		"GET", a_URL, std::move(a_Callbacks), std::move(a_Headers), a_Body, a_Options
 	);
 }
 
@@ -686,11 +707,11 @@ std::pair<bool, AString> cUrlClient::Post(
 	cCallbacksPtr && a_Callbacks,
 	AStringMap && a_Headers,
 	const AString & a_Body,
-	AStringMap && a_Options
+	const AStringMap & a_Options
 )
 {
 	return cUrlClientRequest::Request(
-		"POST", a_URL, std::move(a_Callbacks), std::move(a_Headers), a_Body, std::move(a_Options)
+		"POST", a_URL, std::move(a_Callbacks), std::move(a_Headers), a_Body, a_Options
 	);
 }
 
@@ -703,11 +724,11 @@ std::pair<bool, AString> cUrlClient::Put(
 	cCallbacksPtr && a_Callbacks,
 	AStringMap && a_Headers,
 	const AString & a_Body,
-	AStringMap && a_Options
+	const AStringMap & a_Options
 )
 {
 	return cUrlClientRequest::Request(
-		"PUT", a_URL, std::move(a_Callbacks), std::move(a_Headers), a_Body, std::move(a_Options)
+		"PUT", a_URL, std::move(a_Callbacks), std::move(a_Headers), a_Body, a_Options
 	);
 }
 
@@ -715,15 +736,24 @@ std::pair<bool, AString> cUrlClient::Put(
 
 
 
-std::pair<bool, AString> cUrlClient::BlockingRequest(const AString & a_Method, const AString & a_URL, AStringMap && a_Headers, const AString & a_Body, AStringMap && a_Options)
+std::pair<bool, AString> cUrlClient::BlockingRequest(
+	const AString & a_Method,
+	const AString & a_URL,
+	AStringMap && a_Headers,
+	const AString & a_Body,
+	const AStringMap & a_Options
+)
 {
 	auto EvtFinished = std::make_shared<cEvent>();
 	AString Response;
-	auto Callbacks = std::make_unique<cSimpleHTTPCallbacks>(EvtFinished, Response);
-	auto [Success, ErrorMessage] = cUrlClient::Request(a_Method, a_URL, std::move(Callbacks), std::move(a_Headers), a_Body, std::move(a_Options));
+	auto Callbacks = std::make_unique<cBlockingHTTPCallbacks>(EvtFinished, Response);
+	auto [Success, ErrorMessage] = cUrlClient::Request(a_Method, a_URL, std::move(Callbacks), std::move(a_Headers), a_Body, a_Options);
 	if (Success)
 	{
-		EvtFinished->Wait();
+		if (!EvtFinished->Wait(10000))
+		{
+			return std::make_pair(false, "Timeout");
+		}
 	}
 	else
 	{
@@ -741,9 +771,10 @@ std::pair<bool, AString> cUrlClient::BlockingGet(
 	const AString & a_URL,
 	AStringMap a_Headers,
 	const AString & a_Body,
-	AStringMap a_Options)
+	const AStringMap & a_Options
+)
 {
-	return BlockingRequest("GET", a_URL, std::move(a_Headers), a_Body, std::move(a_Options));
+	return BlockingRequest("GET", a_URL, std::move(a_Headers), a_Body, a_Options);
 }
 
 
@@ -754,9 +785,10 @@ std::pair<bool, AString> cUrlClient::BlockingPost(
 	const AString & a_URL,
 	AStringMap && a_Headers,
 	const AString & a_Body,
-	AStringMap && a_Options)
+	const AStringMap & a_Options
+)
 {
-	return BlockingRequest("POST", a_URL, std::move(a_Headers), a_Body, std::move(a_Options));
+	return BlockingRequest("POST", a_URL, std::move(a_Headers), a_Body, a_Options);
 }
 
 
@@ -767,9 +799,10 @@ std::pair<bool, AString> cUrlClient::BlockingPut(
 	const AString & a_URL,
 	AStringMap && a_Headers,
 	const AString & a_Body,
-	AStringMap && a_Options)
+	const AStringMap & a_Options
+)
 {
-	return BlockingRequest("PUT", a_URL, std::move(a_Headers), a_Body, std::move(a_Options));
+	return BlockingRequest("PUT", a_URL, std::move(a_Headers), a_Body, a_Options);
 }
 
 
diff --git a/src/HTTP/UrlClient.h b/src/HTTP/UrlClient.h
index aaff60a87..a73f22521 100644
--- a/src/HTTP/UrlClient.h
+++ b/src/HTTP/UrlClient.h
@@ -9,6 +9,7 @@ Options that can be set via the Options parameter to the cUrlClient calls:
 "OwnCert":            The client certificate to use, if requested by the server. Any string that can be parsed by cX509Cert.
 "OwnPrivKey":         The private key appropriate for OwnCert. Any string that can be parsed by cCryptoKey.
 "OwnPrivKeyPassword": The password for OwnPrivKey. If not present or empty, no password is assumed.
+"TrustedRootCAs":     The trusted root CA certificates (\n-delimited concatenated PEM format) to be used for peer cert verification. If not present, peer cert is not verified.
 
 Behavior:
 - If a redirect is received, and redirection is allowed, the redirection is reported via OnRedirecting() callback
@@ -116,16 +117,16 @@ public:
 		cCallbacksPtr && a_Callbacks,
 		AStringMap && a_Headers,
 		const AString & a_Body,
-		AStringMap && a_Options
+		const AStringMap & a_Options
 	);
 
 	/** Alias for Request("GET", ...) */
 	static std::pair<bool, AString> Get(
 		const AString & a_URL,
 		cCallbacksPtr && a_Callbacks,
-		AStringMap && a_Headers = AStringMap(),
-		const AString & a_Body = AString(),
-		AStringMap && a_Options = AStringMap()
+		AStringMap && a_Headers = {},
+		const AString & a_Body = {},
+		const AStringMap & a_Options = {}
 	);
 
 	/** Alias for Request("POST", ...) */
@@ -134,7 +135,7 @@ public:
 		cCallbacksPtr && a_Callbacks,
 		AStringMap && a_Headers,
 		const AString & a_Body,
-		AStringMap && a_Options
+		const AStringMap & a_Options = {}
 	);
 
 	/** Alias for Request("PUT", ...) */
@@ -143,7 +144,7 @@ public:
 		cCallbacksPtr && a_Callbacks,
 		AStringMap && a_Headers,
 		const AString & a_Body,
-		AStringMap && a_Options
+		const AStringMap & a_Options = {}
 	);
 
 	/** The method will run a thread blocking HTTP request. Any error handling
@@ -153,17 +154,17 @@ public:
 	static std::pair<bool, AString> BlockingRequest(
 		const AString & a_Method,
 		const AString & a_URL,
-		AStringMap && a_Headers = AStringMap(),
-		const AString & a_Body = AString(),
-		AStringMap && a_Options = AStringMap()
+		AStringMap && a_Headers = {},
+		const AString & a_Body = {},
+		const AStringMap & a_Options = {}
 	);
 
 	/** Alias for BlockingRequest("GET", ...) */
 	static std::pair<bool, AString> BlockingGet(
 		const AString & a_URL,
-		AStringMap a_Headers = AStringMap(),
-		const AString & a_Body = AString(),
-		AStringMap a_Options = AStringMap()
+		AStringMap a_Headers = {},
+		const AString & a_Body = {},
+		const AStringMap & a_Options = {}
 	);
 
 	/** Alias for BlockingRequest("POST", ...) */
@@ -171,7 +172,7 @@ public:
 		const AString & a_URL,
 		AStringMap && a_Headers,
 		const AString & a_Body,
-		AStringMap && a_Options
+		const AStringMap & a_Options = {}
 	);
 
 	/** Alias for BlockingRequest("PUT", ...) */
@@ -179,7 +180,7 @@ public:
 		const AString & a_URL,
 		AStringMap && a_Headers,
 		const AString & a_Body,
-		AStringMap && a_Options
+		const AStringMap & a_Options = {}
 	);
 };
 
diff --git a/src/OSSupport/Network.h b/src/OSSupport/Network.h
index 32163b710..ca31d9948 100644
--- a/src/OSSupport/Network.h
+++ b/src/OSSupport/Network.h
@@ -113,7 +113,8 @@ public:
 	Returns empty string on success, non-empty error description on failure. */
 	virtual AString StartTLSClient(
 		cX509CertPtr a_OwnCert,
-		cCryptoKeyPtr a_OwnPrivKey
+		cCryptoKeyPtr a_OwnPrivKey,
+		cX509CertPtr a_TrustedRootCAs
 	) = 0;
 
 	/** Starts a TLS handshake as a server connection.
diff --git a/src/OSSupport/TCPLinkImpl.cpp b/src/OSSupport/TCPLinkImpl.cpp
index 6bd33e9f5..1e12f27ab 100644
--- a/src/OSSupport/TCPLinkImpl.cpp
+++ b/src/OSSupport/TCPLinkImpl.cpp
@@ -244,7 +244,8 @@ void cTCPLinkImpl::Close(void)
 
 AString cTCPLinkImpl::StartTLSClient(
 	cX509CertPtr a_OwnCert,
-	cCryptoKeyPtr a_OwnPrivKey
+	cCryptoKeyPtr a_OwnPrivKey,
+	cX509CertPtr a_TrustedRootCAs
 )
 {
 	// Check preconditions:
@@ -259,15 +260,25 @@ AString cTCPLinkImpl::StartTLSClient(
 
 	// Create the TLS context:
 	m_TlsContext = std::make_shared<cLinkTlsContext>(*this);
-	if (a_OwnCert != nullptr)
+	if ((a_OwnCert == nullptr) && (a_TrustedRootCAs == nullptr))
 	{
-		auto Config = cSslConfig::MakeDefaultConfig(true);
-		Config->SetOwnCert(std::move(a_OwnCert), std::move(a_OwnPrivKey));
-		m_TlsContext->Initialize(Config);
+		// Use the (shared) default TLS config
+		m_TlsContext->Initialize(true);
 	}
 	else
 	{
-		m_TlsContext->Initialize(true);
+		// Need a specialized config for the own certificate / trusted root CAs:
+		auto Config = cSslConfig::MakeDefaultConfig(true);
+		if (a_OwnCert != nullptr)
+		{
+			Config->SetOwnCert(std::move(a_OwnCert), std::move(a_OwnPrivKey));
+		}
+		if (a_TrustedRootCAs != nullptr)
+		{
+			Config->SetAuthMode(eSslAuthMode::Required);
+			Config->SetCACerts(std::move(a_TrustedRootCAs));
+		}
+		m_TlsContext->Initialize(Config);
 	}
 
 	// Enable SNI / peer name verification:
diff --git a/src/OSSupport/TCPLinkImpl.h b/src/OSSupport/TCPLinkImpl.h
index c757303d2..44e515504 100644
--- a/src/OSSupport/TCPLinkImpl.h
+++ b/src/OSSupport/TCPLinkImpl.h
@@ -75,7 +75,8 @@ public:
 	virtual void Close(void) override;
 	virtual AString StartTLSClient(
 		cX509CertPtr a_OwnCert,
-		cCryptoKeyPtr a_OwnPrivKey
+		cCryptoKeyPtr a_OwnPrivKey,
+		cX509CertPtr a_TrustedRootCAs
 	) override;
 	virtual AString StartTLSServer(
 		cX509CertPtr a_OwnCert,
diff --git a/src/Protocol/Authenticator.cpp b/src/Protocol/Authenticator.cpp
index 00b09c30d..41eac82d3 100644
--- a/src/Protocol/Authenticator.cpp
+++ b/src/Protocol/Authenticator.cpp
@@ -65,8 +65,8 @@ void cAuthenticator::ReadSettings(cSettingsRepositoryInterface & a_Settings)
 	}
 
 	{
-		auto [IsSuccessfull, ErrorMessage] = cUrlParser::Validate(m_Server);
-		if (!IsSuccessfull)
+		auto [IsSuccessful, ErrorMessage] = cUrlParser::Validate(m_Server);
+		if (!IsSuccessful)
 		{
 			LOGWARNING("%s %d: Supplied invalid URL for configuration value [Authentication: Server]: \"%s\", using default! Error: %s", __FUNCTION__, __LINE__, m_Server.c_str(), ErrorMessage.c_str());
 			m_Server = DEFAULT_AUTH_SERVER;
@@ -74,8 +74,8 @@ void cAuthenticator::ReadSettings(cSettingsRepositoryInterface & a_Settings)
 	}
 
 	{
-		auto [IsSuccessfull, ErrorMessage] = cUrlParser::Validate(m_Server);
-		if (!IsSuccessfull)
+		auto [IsSuccessful, ErrorMessage] = cUrlParser::Validate(m_Server);
+		if (!IsSuccessful)
 		{
 			LOGWARNING("%s %d: Supplied invalid URL for configuration value [Authentication: Address]: \"%s\", using default! Error: %s", __FUNCTION__, __LINE__, m_Address.c_str(), ErrorMessage.c_str());
 			m_Address = DEFAULT_AUTH_ADDRESS;
@@ -183,8 +183,8 @@ bool cAuthenticator::AuthWithYggdrasil(AString & a_UserName, const AString & a_S
 	ReplaceURL(ActualAddress, "%SERVERID%", a_ServerId);
 
 	// Create and send the HTTP request
-	auto [IsSuccessfull, Response] = cUrlClient::BlockingGet(m_Server + ActualAddress);
-	if (!IsSuccessfull)
+	auto [IsSuccessful, Response] = cUrlClient::BlockingGet(m_Server + ActualAddress);
+	if (!IsSuccessful)
 	{
 		return false;
 	}
@@ -230,8 +230,8 @@ bool cAuthenticator::GetPlayerProperties(const AString & a_UUID, Json::Value & a
 	LOGD("Trying to get properties for user %s", a_UUID.c_str());
 
 	// Create and send the HTTP request
-	auto [IsSuccessfull, Response] = cUrlClient::BlockingGet(m_Server + ActualAddress);
-	if (!IsSuccessfull)
+	auto [IsSuccessful, Response] = cUrlClient::BlockingGet(m_Server + ActualAddress);
+	if (!IsSuccessful)
 	{
 		return false;
 	}
diff --git a/src/Protocol/MojangAPI.cpp b/src/Protocol/MojangAPI.cpp
index 37c1b0911..57becce62 100644
--- a/src/Protocol/MojangAPI.cpp
+++ b/src/Protocol/MojangAPI.cpp
@@ -40,6 +40,99 @@ constexpr char DEFAULT_UUID_TO_PROFILE_ADDRESS[] = "/session/minecraft/profile/%
 
 
 
+namespace MojangTrustedRootCAs
+{
+	/** Returns the Options that should be used for cUrlClient queries to the Mojang APIs. */
+	static const AStringMap & UrlClientOptions()
+	{
+		static const AString CertString =
+			// DigiCert Global Root CA (sessionserver.mojang.com)
+			// Downloaded from https://www.digicert.com/kb/digicert-root-certificates.htm
+
+			// DigiCert Global Root CA
+			"-----BEGIN CERTIFICATE-----\n"
+			"MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh\n"
+			"MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\n"
+			"d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD\n"
+			"QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT\n"
+			"MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j\n"
+			"b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG\n"
+			"9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB\n"
+			"CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97\n"
+			"nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt\n"
+			"43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P\n"
+			"T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4\n"
+			"gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO\n"
+			"BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR\n"
+			"TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw\n"
+			"DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr\n"
+			"hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg\n"
+			"06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF\n"
+			"PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls\n"
+			"YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk\n"
+			"CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=\n"
+			"-----END CERTIFICATE-----\n"
+
+			// Amazon Root CA 1 (api.mojang.com)
+			// Downloaded from https://www.amazontrust.com/repository/
+			"-----BEGIN CERTIFICATE-----\n"
+			"MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsF\n"
+			"ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6\n"
+			"b24gUm9vdCBDQSAxMB4XDTE1MDUyNjAwMDAwMFoXDTM4MDExNzAwMDAwMFowOTEL\n"
+			"MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJv\n"
+			"b3QgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJ4gHHKeNXj\n"
+			"ca9HgFB0fW7Y14h29Jlo91ghYPl0hAEvrAIthtOgQ3pOsqTQNroBvo3bSMgHFzZM\n"
+			"9O6II8c+6zf1tRn4SWiw3te5djgdYZ6k/oI2peVKVuRF4fn9tBb6dNqcmzU5L/qw\n"
+			"IFAGbHrQgLKm+a/sRxmPUDgH3KKHOVj4utWp+UhnMJbulHheb4mjUcAwhmahRWa6\n"
+			"VOujw5H5SNz/0egwLX0tdHA114gk957EWW67c4cX8jJGKLhD+rcdqsq08p8kDi1L\n"
+			"93FcXmn/6pUCyziKrlA4b9v7LWIbxcceVOF34GfID5yHI9Y/QCB/IIDEgEw+OyQm\n"
+			"jgSubJrIqg0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
+			"AYYwHQYDVR0OBBYEFIQYzIU07LwMlJQuCFmcx7IQTgoIMA0GCSqGSIb3DQEBCwUA\n"
+			"A4IBAQCY8jdaQZChGsV2USggNiMOruYou6r4lK5IpDB/G/wkjUu0yKGX9rbxenDI\n"
+			"U5PMCCjjmCXPI6T53iHTfIUJrU6adTrCC2qJeHZERxhlbI1Bjjt/msv0tadQ1wUs\n"
+			"N+gDS63pYaACbvXy8MWy7Vu33PqUXHeeE6V/Uq2V8viTO96LXFvKWlJbYK8U90vv\n"
+			"o/ufQJVtMVT8QtPHRh8jrdkPSHCa2XV4cdFyQzR1bldZwgJcJmApzyMZFo6IQ6XU\n"
+			"5MsI+yMRQ+hDKXJioaldXgjUkK642M4UwtBV8ob2xJNDd2ZhwLnoQdeXeGADbkpy\n"
+			"rqXRfboQnoZsG4q5WTP468SQvvG5\n"
+			"-----END CERTIFICATE-----\n"
+
+			// AAA Certificate Services (authserver.ely.by GH#4832)
+			// Downloaded from https://www.tbs-certificates.co.uk/FAQ/en/Comodo_AAA_Certificate_Services.html
+			"-----BEGIN CERTIFICATE-----\n"
+			"MIIEMjCCAxqgAwIBAgIBATANBgkqhkiG9w0BAQUFADB7MQswCQYDVQQGEwJHQjEb\n"
+			"MBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHDAdTYWxmb3JkMRow\n"
+			"GAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UEAwwYQUFBIENlcnRpZmlj\n"
+			"YXRlIFNlcnZpY2VzMB4XDTA0MDEwMTAwMDAwMFoXDTI4MTIzMTIzNTk1OVowezEL\n"
+			"MAkGA1UEBhMCR0IxGzAZBgNVBAgMEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE\n"
+			"BwwHU2FsZm9yZDEaMBgGA1UECgwRQ29tb2RvIENBIExpbWl0ZWQxITAfBgNVBAMM\n"
+			"GEFBQSBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczCCASIwDQYJKoZIhvcNAQEBBQADggEP\n"
+			"ADCCAQoCggEBAL5AnfRu4ep2hxxNRUSOvkbIgwadwSr+GB+O5AL686tdUIoWMQua\n"
+			"BtDFcCLNSS1UY8y2bmhGC1Pqy0wkwLxyTurxFa70VJoSCsN6sjNg4tqJVfMiWPPe\n"
+			"3M/vg4aijJRPn2jymJBGhCfHdr/jzDUsi14HZGWCwEiwqJH5YZ92IFCokcdmtet4\n"
+			"YgNW8IoaE+oxox6gmf049vYnMlhvB/VruPsUK6+3qszWY19zjNoFmag4qMsXeDZR\n"
+			"rOme9Hg6jc8P2ULimAyrL58OAd7vn5lJ8S3frHRNG5i1R8XlKdH5kBjHYpy+g8cm\n"
+			"ez6KJcfA3Z3mNWgQIJ2P2N7Sw4ScDV7oL8kCAwEAAaOBwDCBvTAdBgNVHQ4EFgQU\n"
+			"oBEKIz6W8Qfs4q8p74Klf9AwpLQwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQF\n"
+			"MAMBAf8wewYDVR0fBHQwcjA4oDagNIYyaHR0cDovL2NybC5jb21vZG9jYS5jb20v\n"
+			"QUFBQ2VydGlmaWNhdGVTZXJ2aWNlcy5jcmwwNqA0oDKGMGh0dHA6Ly9jcmwuY29t\n"
+			"b2RvLm5ldC9BQUFDZXJ0aWZpY2F0ZVNlcnZpY2VzLmNybDANBgkqhkiG9w0BAQUF\n"
+			"AAOCAQEACFb8AvCb6P+k+tZ7xkSAzk/ExfYAWMymtrwUSWgEdujm7l3sAg9g1o1Q\n"
+			"GE8mTgHj5rCl7r+8dFRBv/38ErjHT1r0iWAFf2C3BUrz9vHCv8S5dIa2LX1rzNLz\n"
+			"Rt0vxuBqw8M0Ayx9lt1awg6nCpnBBYurDC/zXDrPbDdVCYfeU0BsWO/8tqtlbgT2\n"
+			"G9w84FoVxp7Z8VlIMCFlA2zs6SFz7JsDoeA3raAVGI/6ugLOpyypEBMs1OUIJqsi\n"
+			"l2D4kF501KKaU73yqWjgom7C12yxow+ev+to51byrvLjKzg6CYG1a4XXvi3tPxq3\n"
+			"smPi9WIsgtRqAEFQ8TmDn5XpNpaYbg==\n"
+			"-----END CERTIFICATE-----\n"
+		;
+		static const AStringMap UrlClientOptions = {{"TrustedRootCAs", CertString}};
+		return UrlClientOptions;
+	}
+}
+
+
+
+
+
 ////////////////////////////////////////////////////////////////////////////////
 // cMojangAPI::sProfile:
 
@@ -143,11 +236,7 @@ protected:
 ////////////////////////////////////////////////////////////////////////////////
 // cMojangAPI:
 
-cMojangAPI::cMojangAPI(void) :
-	m_NameToUUIDServer(DEFAULT_NAME_TO_UUID_SERVER),
-	m_NameToUUIDAddress(DEFAULT_NAME_TO_UUID_ADDRESS),
-	m_UUIDToProfileServer(DEFAULT_UUID_TO_PROFILE_SERVER),
-	m_UUIDToProfileAddress(DEFAULT_UUID_TO_PROFILE_ADDRESS),
+cMojangAPI::cMojangAPI():
 	m_RankMgr(nullptr),
 	m_UpdateThread(new cUpdateThread(*this))
 {
@@ -168,10 +257,12 @@ cMojangAPI::~cMojangAPI()
 
 void cMojangAPI::Start(cSettingsRepositoryInterface & a_Settings, bool a_ShouldAuth)
 {
-	m_NameToUUIDServer     = a_Settings.GetValueSet("MojangAPI", "NameToUUIDServer",     DEFAULT_NAME_TO_UUID_SERVER);
-	m_NameToUUIDAddress    = a_Settings.GetValueSet("MojangAPI", "NameToUUIDAddress",    DEFAULT_NAME_TO_UUID_ADDRESS);
-	m_UUIDToProfileServer  = a_Settings.GetValueSet("MojangAPI", "UUIDToProfileServer",  DEFAULT_UUID_TO_PROFILE_SERVER);
-	m_UUIDToProfileAddress = a_Settings.GetValueSet("MojangAPI", "UUIDToProfileAddress", DEFAULT_UUID_TO_PROFILE_ADDRESS);
+	auto NameToUUIDServer     = a_Settings.GetValueSet("MojangAPI", "NameToUUIDServer",     DEFAULT_NAME_TO_UUID_SERVER);
+	auto NameToUUIDAddress    = a_Settings.GetValueSet("MojangAPI", "NameToUUIDAddress",    DEFAULT_NAME_TO_UUID_ADDRESS);
+	auto UUIDToProfileServer  = a_Settings.GetValueSet("MojangAPI", "UUIDToProfileServer",  DEFAULT_UUID_TO_PROFILE_SERVER);
+	auto UUIDToProfileAddress = a_Settings.GetValueSet("MojangAPI", "UUIDToProfileAddress", DEFAULT_UUID_TO_PROFILE_ADDRESS);
+	m_NameToUUIDUrl = "https://" + NameToUUIDServer + NameToUUIDAddress;
+	m_UUIDToProfileUrl = "https://" + UUIDToProfileServer + UUIDToProfileAddress;
 	LoadCachesFromDisk();
 	if (a_ShouldAuth)
 	{
@@ -485,8 +576,8 @@ void cMojangAPI::QueryNamesToUUIDs(AStringVector & a_NamesToQuery)
 		auto RequestBody = JsonUtils::WriteFastString(root);
 
 		// Create and send the HTTP request
-		auto [IsSuccessfull, Response] = cUrlClient::BlockingPost(m_NameToUUIDAddress, AStringMap(), std::move(RequestBody), AStringMap());
-		if (!IsSuccessfull)
+		auto [IsSuccessful, Response] = cUrlClient::BlockingPost(m_NameToUUIDUrl, {}, std::move(RequestBody), MojangTrustedRootCAs::UrlClientOptions());
+		if (!IsSuccessful)
 		{
 			continue;
 		}
@@ -562,13 +653,11 @@ void cMojangAPI::CacheUUIDToProfile(const cUUID & a_UUID)
 
 void cMojangAPI::QueryUUIDToProfile(const cUUID & a_UUID)
 {
-	// Create the request address:
-	AString Address = m_UUIDToProfileAddress;
-	ReplaceURL(Address, "%UUID%", a_UUID.ToShortString());
-
 	// Create and send the HTTP request
-	auto [IsSuccessfull, Response] = cUrlClient::BlockingGet(Address);
-	if (!IsSuccessfull)
+	auto Url = m_UUIDToProfileUrl;
+	ReplaceString(Url, "%UUID%", URLEncode(a_UUID.ToShortString()));
+	auto [IsSuccessful, Response] = cUrlClient::BlockingGet(Url, {}, {}, MojangTrustedRootCAs::UrlClientOptions());
+	if (!IsSuccessful)
 	{
 		return;
 	}
diff --git a/src/Protocol/MojangAPI.h b/src/Protocol/MojangAPI.h
index f9267fefe..6d550662c 100644
--- a/src/Protocol/MojangAPI.h
+++ b/src/Protocol/MojangAPI.h
@@ -130,19 +130,14 @@ protected:
 	using cUUIDProfileMap = std::map<cUUID, sProfile>;
 
 
-	/** The server to connect to when converting player names to UUIDs. For example "api.mojang.com". */
-	AString m_NameToUUIDServer;
-
-	/** The URL to use for converting player names to UUIDs, without server part.
-	For example "/profiles/page/1". */
-	AString m_NameToUUIDAddress;
-
-	/** The server to connect to when converting UUID to profile. For example "sessionserver.mojang.com". */
-	AString m_UUIDToProfileServer;
-
-	/** The URL to use for converting UUID to profile, without the server part.
-	Will replace %UUID% with the actual UUID. For example "session/minecraft/profile/%UUID%?unsigned=false". */
-	AString m_UUIDToProfileAddress;
+	/** The full URL to check when converting player names to UUIDs.
+	For example: "https://api.mojang.com/profiles/page/1". */
+	AString m_NameToUUIDUrl;
+
+	/** The full URL to use for converting UUID to profile.
+	%UUID% will get replaced with the actual UUID.
+	For example "https://sessionserver.mojang.com/session/minecraft/profile/%UUID%?unsigned=false". */
+	AString m_UUIDToProfileUrl;
 
 	/** Cache for the Name-to-UUID lookups. The map key is lowercased PlayerName. Protected by m_CSNameToUUID. */
 	cProfileMap m_NameToUUID;
diff --git a/src/mbedTLS++/CMakeLists.txt b/src/mbedTLS++/CMakeLists.txt
index dcb5d23a0..42e0fc8b2 100644
--- a/src/mbedTLS++/CMakeLists.txt
+++ b/src/mbedTLS++/CMakeLists.txt
@@ -25,7 +25,6 @@ target_sources(
 	EntropyContext.h
 	ErrorCodes.h
 	RsaPrivateKey.h
-	RootCA.h
 	SslConfig.h
 	SslContext.h
 	Sha1Checksum.h
diff --git a/src/mbedTLS++/RootCA.h b/src/mbedTLS++/RootCA.h
deleted file mode 100644
index 3e0d654bd..000000000
--- a/src/mbedTLS++/RootCA.h
+++ /dev/null
@@ -1,97 +0,0 @@
-
-// This file contains the public keys for different root CAs
-
-#include "Globals.h"
-#include "mbedTLS++/X509Cert.h"
-
-static cX509CertPtr GetCACerts(void)
-{
-	static const char CertString[] =
-		// DigiCert Global Root CA (sessionserver.mojang.com)
-		// Downloaded from https://www.digicert.com/kb/digicert-root-certificates.htm
-
-		// DigiCert Global Root CA
-		"-----BEGIN CERTIFICATE-----\n"
-		"MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh\n"
-		"MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\n"
-		"d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD\n"
-		"QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT\n"
-		"MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j\n"
-		"b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG\n"
-		"9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB\n"
-		"CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97\n"
-		"nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt\n"
-		"43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P\n"
-		"T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4\n"
-		"gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO\n"
-		"BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR\n"
-		"TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw\n"
-		"DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr\n"
-		"hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg\n"
-		"06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF\n"
-		"PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls\n"
-		"YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk\n"
-		"CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=\n"
-		"-----END CERTIFICATE-----\n"
-
-		// Amazon Root CA 1 (api.mojang.com)
-		// Downloaded from https://www.amazontrust.com/repository/
-		"-----BEGIN CERTIFICATE-----\n"
-		"MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsF\n"
-		"ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6\n"
-		"b24gUm9vdCBDQSAxMB4XDTE1MDUyNjAwMDAwMFoXDTM4MDExNzAwMDAwMFowOTEL\n"
-		"MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJv\n"
-		"b3QgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJ4gHHKeNXj\n"
-		"ca9HgFB0fW7Y14h29Jlo91ghYPl0hAEvrAIthtOgQ3pOsqTQNroBvo3bSMgHFzZM\n"
-		"9O6II8c+6zf1tRn4SWiw3te5djgdYZ6k/oI2peVKVuRF4fn9tBb6dNqcmzU5L/qw\n"
-		"IFAGbHrQgLKm+a/sRxmPUDgH3KKHOVj4utWp+UhnMJbulHheb4mjUcAwhmahRWa6\n"
-		"VOujw5H5SNz/0egwLX0tdHA114gk957EWW67c4cX8jJGKLhD+rcdqsq08p8kDi1L\n"
-		"93FcXmn/6pUCyziKrlA4b9v7LWIbxcceVOF34GfID5yHI9Y/QCB/IIDEgEw+OyQm\n"
-		"jgSubJrIqg0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\n"
-		"AYYwHQYDVR0OBBYEFIQYzIU07LwMlJQuCFmcx7IQTgoIMA0GCSqGSIb3DQEBCwUA\n"
-		"A4IBAQCY8jdaQZChGsV2USggNiMOruYou6r4lK5IpDB/G/wkjUu0yKGX9rbxenDI\n"
-		"U5PMCCjjmCXPI6T53iHTfIUJrU6adTrCC2qJeHZERxhlbI1Bjjt/msv0tadQ1wUs\n"
-		"N+gDS63pYaACbvXy8MWy7Vu33PqUXHeeE6V/Uq2V8viTO96LXFvKWlJbYK8U90vv\n"
-		"o/ufQJVtMVT8QtPHRh8jrdkPSHCa2XV4cdFyQzR1bldZwgJcJmApzyMZFo6IQ6XU\n"
-		"5MsI+yMRQ+hDKXJioaldXgjUkK642M4UwtBV8ob2xJNDd2ZhwLnoQdeXeGADbkpy\n"
-		"rqXRfboQnoZsG4q5WTP468SQvvG5\n"
-		"-----END CERTIFICATE-----\n"
-
-		// AAA Certificate Services (authserver.ely.by GH#4832)
-		// Downloaded from https://www.tbs-certificates.co.uk/FAQ/en/Comodo_AAA_Certificate_Services.html
-		"-----BEGIN CERTIFICATE-----\n"
-		"MIIEMjCCAxqgAwIBAgIBATANBgkqhkiG9w0BAQUFADB7MQswCQYDVQQGEwJHQjEb\n"
-		"MBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHDAdTYWxmb3JkMRow\n"
-		"GAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UEAwwYQUFBIENlcnRpZmlj\n"
-		"YXRlIFNlcnZpY2VzMB4XDTA0MDEwMTAwMDAwMFoXDTI4MTIzMTIzNTk1OVowezEL\n"
-		"MAkGA1UEBhMCR0IxGzAZBgNVBAgMEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE\n"
-		"BwwHU2FsZm9yZDEaMBgGA1UECgwRQ29tb2RvIENBIExpbWl0ZWQxITAfBgNVBAMM\n"
-		"GEFBQSBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczCCASIwDQYJKoZIhvcNAQEBBQADggEP\n"
-		"ADCCAQoCggEBAL5AnfRu4ep2hxxNRUSOvkbIgwadwSr+GB+O5AL686tdUIoWMQua\n"
-		"BtDFcCLNSS1UY8y2bmhGC1Pqy0wkwLxyTurxFa70VJoSCsN6sjNg4tqJVfMiWPPe\n"
-		"3M/vg4aijJRPn2jymJBGhCfHdr/jzDUsi14HZGWCwEiwqJH5YZ92IFCokcdmtet4\n"
-		"YgNW8IoaE+oxox6gmf049vYnMlhvB/VruPsUK6+3qszWY19zjNoFmag4qMsXeDZR\n"
-		"rOme9Hg6jc8P2ULimAyrL58OAd7vn5lJ8S3frHRNG5i1R8XlKdH5kBjHYpy+g8cm\n"
-		"ez6KJcfA3Z3mNWgQIJ2P2N7Sw4ScDV7oL8kCAwEAAaOBwDCBvTAdBgNVHQ4EFgQU\n"
-		"oBEKIz6W8Qfs4q8p74Klf9AwpLQwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQF\n"
-		"MAMBAf8wewYDVR0fBHQwcjA4oDagNIYyaHR0cDovL2NybC5jb21vZG9jYS5jb20v\n"
-		"QUFBQ2VydGlmaWNhdGVTZXJ2aWNlcy5jcmwwNqA0oDKGMGh0dHA6Ly9jcmwuY29t\n"
-		"b2RvLm5ldC9BQUFDZXJ0aWZpY2F0ZVNlcnZpY2VzLmNybDANBgkqhkiG9w0BAQUF\n"
-		"AAOCAQEACFb8AvCb6P+k+tZ7xkSAzk/ExfYAWMymtrwUSWgEdujm7l3sAg9g1o1Q\n"
-		"GE8mTgHj5rCl7r+8dFRBv/38ErjHT1r0iWAFf2C3BUrz9vHCv8S5dIa2LX1rzNLz\n"
-		"Rt0vxuBqw8M0Ayx9lt1awg6nCpnBBYurDC/zXDrPbDdVCYfeU0BsWO/8tqtlbgT2\n"
-		"G9w84FoVxp7Z8VlIMCFlA2zs6SFz7JsDoeA3raAVGI/6ugLOpyypEBMs1OUIJqsi\n"
-		"l2D4kF501KKaU73yqWjgom7C12yxow+ev+to51byrvLjKzg6CYG1a4XXvi3tPxq3\n"
-		"smPi9WIsgtRqAEFQ8TmDn5XpNpaYbg==\n"
-		"-----END CERTIFICATE-----\n"
-	;
-
-static auto X509Cert = [&]()
-{
-	auto Cert = std::make_shared<cX509Cert>();
-	VERIFY(0 == Cert->Parse(CertString, sizeof(CertString)));
-	return Cert;
-}();
-
-return X509Cert;
-}
diff --git a/src/mbedTLS++/SslConfig.cpp b/src/mbedTLS++/SslConfig.cpp
index 054d63980..9bcac741f 100644
--- a/src/mbedTLS++/SslConfig.cpp
+++ b/src/mbedTLS++/SslConfig.cpp
@@ -5,7 +5,7 @@
 
 #include "mbedTLS++/CryptoKey.h"
 #include "mbedTLS++/EntropyContext.h"
-#include "mbedTLS++/RootCA.h"
+#include "mbedTLS++/X509Cert.h"
 
 
 // This allows us to debug SSL and certificate problems, but produce way too much output,
@@ -235,8 +235,8 @@ std::shared_ptr<cSslConfig> cSslConfig::MakeDefaultConfig(bool a_IsClient)
 		Ret->SetRng(std::move(CtrDrbg));
 	}
 
-	Ret->SetAuthMode(eSslAuthMode::Required);
-	Ret->SetCACerts(GetCACerts());
+	// By default we have no root CAs, so no cert verification can be done:
+	Ret->SetAuthMode(eSslAuthMode::None);
 
 	#ifndef NDEBUG
 		#ifdef ENABLE_SSL_DEBUG_MSG
author	Mattes D <github@xoft.cz>	2023-05-09 19:59:15 +0200
committer	Mattes D <github@xoft.cz>	2023-05-19 16:25:12 +0200
commit	97c49c6f294a0b7e931be2692c124bd78fc79946 (patch)
tree	872fcdfbfc30ff0ed2e2e444bb965769ea147e60 /src
parent	cTCPLink: Use the original connection hostname for SNI. (diff)
download	cuberite-97c49c6f294a0b7e931be2692c124bd78fc79946.tar cuberite-97c49c6f294a0b7e931be2692c124bd78fc79946.tar.gz cuberite-97c49c6f294a0b7e931be2692c124bd78fc79946.tar.bz2 cuberite-97c49c6f294a0b7e931be2692c124bd78fc79946.tar.lz cuberite-97c49c6f294a0b7e931be2692c124bd78fc79946.tar.xz cuberite-97c49c6f294a0b7e931be2692c124bd78fc79946.tar.zst cuberite-97c49c6f294a0b7e931be2692c124bd78fc79946.zip