pegasus/src/Pegasus/Common/SSLContext.cpp - diff

Return to SSLContext.cpp CVS log

Up to [Pegasus] / pegasus / src / Pegasus / Common

Diff for /pegasus/src/Pegasus/Common/SSLContext.cpp between version 1.107.2.5 and 1.107.2.6

version 1.107.2.5, 2014/03/12 22:35:02

version 1.107.2.6, 2014/05/05 16:47:44

Line 705

{

PEG_METHOD_ENTER(TRC_SSL, "SSLContextRep::_makeSSLContext()");

// OPENSSL_VERSION_NUMBER is defined as 0xnnnnnnnnnL

// MMNNFFPPS: major minor fix patch status

// The change 'const' SSL_METHOD

// was introduced in version 1.0.0

#if (OPENSSL_VERSION_NUMBER < 0x10000000L)

SSL_METHOD *sslProtocolMethod = SSLv23_method() ;

// create SSL Context Area

#else

const SSL_METHOD *sslProtocolMethod = SSLv23_method() ;

SSL_CTX *sslContext = NULL;

#endif

if (!(sslContext = SSL_CTX_new(SSLv23_method())))

{

PEG_METHOD_EXIT();

MessageLoaderParms parms(

"Common.SSLContext.COULD_NOT_GET",

"Could not get SSL CTX");

throw SSLException(parms);

}

int options = SSL_OP_ALL;

// create SSL Context Area

SSL_CTX_set_options(sslContext, options);

if ( _sslCompatibility == false )

{

#ifdef TLS1_2_VERSION

// Enable only TLSv1.2 and disable all other protocol (SSL v2, SSL v3,

// TLS v1.0, TLSv1.1)

sslProtocolMethod = TLSv1_2_method();

options = SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1;

options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_SSLv3;

#ifndef OPENSSL_NO_SSL3

options |= SSL_OP_NO_SSLv3;

#endif

}

SSL_CTX *sslContext = NULL;

options |= SSL_OP_NO_SSLv2;

if (!(sslContext = SSL_CTX_new(sslProtocolMethod)))

SSL_CTX_set_options(sslContext, options);

{

PEG_METHOD_EXIT();

MessageLoaderParms parms(

"Common.SSLContext.COULD_NOT_GET",

"Could not get SSL CTX");

throw SSLException(parms);

}

#ifdef PEGASUS_SSL_WEAKENCRYPTION

if (!(SSL_CTX_set_cipher_list(sslContext, SSL_TXT_EXP40)))

Line 760

Line 752

}

#endif

if (_cipherSuite != String::EMPTY)

if (_cipherSuite.size() != 0)

{

if (!(SSL_CTX_set_cipher_list(sslContext, _cipherSuite.getCString())))

{

Line 806

Line 798

SSL_CTX_set_mode (sslContext, SSL_MODE_RELEASE_BUFFERS);

#endif

#ifndef PEGASUS_ENABLE_SSLV2 //SSLv2 is disabled by default

options |= SSL_OP_NO_SSLv2;

#endif

SSL_CTX_set_options(sslContext, options);

if (_verifyPeer)

{

// ATTN: We might still need a flag to specify

Line 823

Line 810

if (_certificateVerifyFunction != NULL)

{

PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL3,

PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4,

"---> SSL: certificate verification callback specified");

SSL_CTX_set_verify(sslContext,

SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, prepareForCallback);

}

else

{

PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL3,

PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4,

"---> SSL: Trust Store specified");

SSL_CTX_set_verify(sslContext,

SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE |

Line 850

Line 837

// Check if there is CA certificate file or directory specified. If

// specified, and is not empty, load the certificates from the Trust store.

if (_trustStore != String::EMPTY)

if (_trustStore.size() != 0)

{

// The truststore may be a single file of CA certificates OR

Line 863

Line 850

if (FileSystem::isDirectory(_trustStore))

{

PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL3,

PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4,

"---> SSL: Truststore is a directory");

// load certificates from the trust store

PEG_TRACE((TRC_SSL, Tracer::LEVEL3,

PEG_TRACE((TRC_SSL, Tracer::LEVEL4,

"---> SSL: Loading certificates from the trust store: %s",

(const char*)_trustStore.getCString()));

Line 905

Line 892

// load certificates from the trust store

PEG_TRACE((TRC_SSL, Tracer::LEVEL3,

PEG_TRACE((TRC_SSL, Tracer::LEVEL4,

"---> SSL: Loading certificates from the trust store: %s",

(const char*)_trustStore.getCString()));

Line 938

Line 925

}

if (_crlPath != String::EMPTY)

if (_crlPath.size() != 0)

{

// need to save this -- can we make it static since there's only

// one CRL for cimserver?

Line 957

Line 944

// during server startup

if (FileSystem::isDirectory(_crlPath))

{

PEG_TRACE((TRC_SSL, Tracer::LEVEL3,

PEG_TRACE((TRC_SSL, Tracer::LEVEL4,

"---> SSL: CRL store is a directory in %s",

(const char*)_crlPath.getCString()));

Line 982

Line 969

}

else

{

PEG_TRACE((TRC_SSL, Tracer::LEVEL3,

PEG_TRACE((TRC_SSL, Tracer::LEVEL4,

"---> SSL: CRL store is the file %s",

(const char*)_crlPath.getCString()));

Line 1002

Line 989

X509_LOOKUP_load_file(

pLookup, (const char*)_crlPath.getCString(), X509_FILETYPE_PEM);

PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL3,

PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4,

"---> SSL: Successfully configured CRL file");

}

Line 1014

Line 1001

// certificate) specified. If specified, validate and load the

// certificate.

if (_certPath != String::EMPTY)

if (_certPath.size() != 0)

{

// load the specified server certificates

PEG_TRACE((TRC_SSL, Tracer::LEVEL3,

PEG_TRACE((TRC_SSL, Tracer::LEVEL4,

"---> SSL: Loading server certificate from: %s",

(const char*)_certPath.getCString()));

Line 1047

Line 1034

// As of 2.4, if a keyfile is specified, its location is verified

// during server startup and will throw an error if the path is invalid.

if (_keyPath == String::EMPTY)

if (_keyPath.size() == 0)

{

PEG_TRACE((TRC_SSL, Tracer::LEVEL3,

PEG_TRACE((TRC_SSL, Tracer::LEVEL4,

"---> SSL: Key file empty, loading private key from "

"certificate file: %s",(const char*)_certPath.getCString()));

Line 1074

Line 1061

// private key) specified and the key was not already loaded.

// If specified, validate and load the key.

if (_keyPath != String::EMPTY && !keyLoaded)

if (_keyPath.size() != 0 && !keyLoaded )

{

PEG_TRACE((TRC_SSL, Tracer::LEVEL3,

PEG_TRACE((TRC_SSL, Tracer::LEVEL4,

"---> SSL: loading private key from: %s",

(const char*)_keyPath.getCString()));

Legend:

Removed from v.1.107.2.5
changed lines
	Added in v.1.107.2.6

No CVS admin address has been configured