version 1.107.2.5, 2014/03/12 22:35:02
|
version 1.107.2.6, 2014/05/05 16:47:44
|
|
|
{ | { |
PEG_METHOD_ENTER(TRC_SSL, "SSLContextRep::_makeSSLContext()"); | PEG_METHOD_ENTER(TRC_SSL, "SSLContextRep::_makeSSLContext()"); |
| |
// OPENSSL_VERSION_NUMBER is defined as 0xnnnnnnnnnL |
|
// MMNNFFPPS: major minor fix patch status |
|
// The change 'const' SSL_METHOD |
|
// was introduced in version 1.0.0 |
|
| |
#if (OPENSSL_VERSION_NUMBER < 0x10000000L) |
// |
SSL_METHOD *sslProtocolMethod = SSLv23_method() ; |
// create SSL Context Area |
#else |
// |
const SSL_METHOD *sslProtocolMethod = SSLv23_method() ; |
SSL_CTX *sslContext = NULL; |
#endif |
if (!(sslContext = SSL_CTX_new(SSLv23_method()))) |
|
{ |
|
PEG_METHOD_EXIT(); |
|
MessageLoaderParms parms( |
|
"Common.SSLContext.COULD_NOT_GET", |
|
"Could not get SSL CTX"); |
|
throw SSLException(parms); |
|
} |
|
|
| |
int options = SSL_OP_ALL; | int options = SSL_OP_ALL; |
| |
| |
// |
|
// create SSL Context Area |
|
// |
|
| |
|
SSL_CTX_set_options(sslContext, options); |
if ( _sslCompatibility == false ) | if ( _sslCompatibility == false ) |
{ | { |
| |
#ifdef TLS1_2_VERSION | #ifdef TLS1_2_VERSION |
// Enable only TLSv1.2 and disable all other protocol (SSL v2, SSL v3, | // Enable only TLSv1.2 and disable all other protocol (SSL v2, SSL v3, |
// TLS v1.0, TLSv1.1) | // TLS v1.0, TLSv1.1) |
sslProtocolMethod = TLSv1_2_method(); |
|
options = SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1; |
options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_SSLv3; |
#ifndef OPENSSL_NO_SSL3 |
|
options |= SSL_OP_NO_SSLv3; |
|
#endif |
|
#endif | #endif |
} | } |
| |
SSL_CTX *sslContext = NULL; |
options |= SSL_OP_NO_SSLv2; |
if (!(sslContext = SSL_CTX_new(sslProtocolMethod))) |
SSL_CTX_set_options(sslContext, options); |
{ |
|
PEG_METHOD_EXIT(); |
|
MessageLoaderParms parms( |
|
"Common.SSLContext.COULD_NOT_GET", |
|
"Could not get SSL CTX"); |
|
throw SSLException(parms); |
|
} |
|
| |
#ifdef PEGASUS_SSL_WEAKENCRYPTION | #ifdef PEGASUS_SSL_WEAKENCRYPTION |
if (!(SSL_CTX_set_cipher_list(sslContext, SSL_TXT_EXP40))) | if (!(SSL_CTX_set_cipher_list(sslContext, SSL_TXT_EXP40))) |
|
|
} | } |
#endif | #endif |
| |
if (_cipherSuite != String::EMPTY) |
if (_cipherSuite.size() != 0) |
{ | { |
if (!(SSL_CTX_set_cipher_list(sslContext, _cipherSuite.getCString()))) | if (!(SSL_CTX_set_cipher_list(sslContext, _cipherSuite.getCString()))) |
{ | { |
|
|
SSL_CTX_set_mode (sslContext, SSL_MODE_RELEASE_BUFFERS); | SSL_CTX_set_mode (sslContext, SSL_MODE_RELEASE_BUFFERS); |
#endif | #endif |
| |
#ifndef PEGASUS_ENABLE_SSLV2 //SSLv2 is disabled by default |
|
options |= SSL_OP_NO_SSLv2; |
|
#endif |
|
SSL_CTX_set_options(sslContext, options); |
|
|
|
if (_verifyPeer) | if (_verifyPeer) |
{ | { |
// ATTN: We might still need a flag to specify | // ATTN: We might still need a flag to specify |
|
|
| |
if (_certificateVerifyFunction != NULL) | if (_certificateVerifyFunction != NULL) |
{ | { |
PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL3, |
PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4, |
"---> SSL: certificate verification callback specified"); | "---> SSL: certificate verification callback specified"); |
SSL_CTX_set_verify(sslContext, | SSL_CTX_set_verify(sslContext, |
SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, prepareForCallback); | SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, prepareForCallback); |
} | } |
else | else |
{ | { |
PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL3, |
PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4, |
"---> SSL: Trust Store specified"); | "---> SSL: Trust Store specified"); |
SSL_CTX_set_verify(sslContext, | SSL_CTX_set_verify(sslContext, |
SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE | | SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE | |
|
|
// Check if there is CA certificate file or directory specified. If | // Check if there is CA certificate file or directory specified. If |
// specified, and is not empty, load the certificates from the Trust store. | // specified, and is not empty, load the certificates from the Trust store. |
// | // |
if (_trustStore != String::EMPTY) |
if (_trustStore.size() != 0) |
{ | { |
// | // |
// The truststore may be a single file of CA certificates OR | // The truststore may be a single file of CA certificates OR |
|
|
// | // |
if (FileSystem::isDirectory(_trustStore)) | if (FileSystem::isDirectory(_trustStore)) |
{ | { |
PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL3, |
PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4, |
"---> SSL: Truststore is a directory"); | "---> SSL: Truststore is a directory"); |
// | // |
// load certificates from the trust store | // load certificates from the trust store |
// | // |
PEG_TRACE((TRC_SSL, Tracer::LEVEL3, |
PEG_TRACE((TRC_SSL, Tracer::LEVEL4, |
"---> SSL: Loading certificates from the trust store: %s", | "---> SSL: Loading certificates from the trust store: %s", |
(const char*)_trustStore.getCString())); | (const char*)_trustStore.getCString())); |
| |
|
|
// | // |
// load certificates from the trust store | // load certificates from the trust store |
// | // |
PEG_TRACE((TRC_SSL, Tracer::LEVEL3, |
PEG_TRACE((TRC_SSL, Tracer::LEVEL4, |
"---> SSL: Loading certificates from the trust store: %s", | "---> SSL: Loading certificates from the trust store: %s", |
(const char*)_trustStore.getCString())); | (const char*)_trustStore.getCString())); |
| |
|
|
} | } |
} | } |
| |
if (_crlPath != String::EMPTY) |
if (_crlPath.size() != 0) |
{ | { |
// need to save this -- can we make it static since there's only | // need to save this -- can we make it static since there's only |
// one CRL for cimserver? | // one CRL for cimserver? |
|
|
// during server startup | // during server startup |
if (FileSystem::isDirectory(_crlPath)) | if (FileSystem::isDirectory(_crlPath)) |
{ | { |
PEG_TRACE((TRC_SSL, Tracer::LEVEL3, |
PEG_TRACE((TRC_SSL, Tracer::LEVEL4, |
"---> SSL: CRL store is a directory in %s", | "---> SSL: CRL store is a directory in %s", |
(const char*)_crlPath.getCString())); | (const char*)_crlPath.getCString())); |
| |
|
|
} | } |
else | else |
{ | { |
PEG_TRACE((TRC_SSL, Tracer::LEVEL3, |
PEG_TRACE((TRC_SSL, Tracer::LEVEL4, |
"---> SSL: CRL store is the file %s", | "---> SSL: CRL store is the file %s", |
(const char*)_crlPath.getCString())); | (const char*)_crlPath.getCString())); |
| |
|
|
X509_LOOKUP_load_file( | X509_LOOKUP_load_file( |
pLookup, (const char*)_crlPath.getCString(), X509_FILETYPE_PEM); | pLookup, (const char*)_crlPath.getCString(), X509_FILETYPE_PEM); |
| |
PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL3, |
PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4, |
"---> SSL: Successfully configured CRL file"); | "---> SSL: Successfully configured CRL file"); |
} | } |
} | } |
|
|
// certificate) specified. If specified, validate and load the | // certificate) specified. If specified, validate and load the |
// certificate. | // certificate. |
// | // |
if (_certPath != String::EMPTY) |
if (_certPath.size() != 0) |
{ | { |
// | // |
// load the specified server certificates | // load the specified server certificates |
// | // |
PEG_TRACE((TRC_SSL, Tracer::LEVEL3, |
PEG_TRACE((TRC_SSL, Tracer::LEVEL4, |
"---> SSL: Loading server certificate from: %s", | "---> SSL: Loading server certificate from: %s", |
(const char*)_certPath.getCString())); | (const char*)_certPath.getCString())); |
| |
|
|
// As of 2.4, if a keyfile is specified, its location is verified | // As of 2.4, if a keyfile is specified, its location is verified |
// during server startup and will throw an error if the path is invalid. | // during server startup and will throw an error if the path is invalid. |
// | // |
if (_keyPath == String::EMPTY) |
if (_keyPath.size() == 0) |
{ | { |
PEG_TRACE((TRC_SSL, Tracer::LEVEL3, |
PEG_TRACE((TRC_SSL, Tracer::LEVEL4, |
"---> SSL: Key file empty, loading private key from " | "---> SSL: Key file empty, loading private key from " |
"certificate file: %s",(const char*)_certPath.getCString())); | "certificate file: %s",(const char*)_certPath.getCString())); |
// | // |
|
|
// private key) specified and the key was not already loaded. | // private key) specified and the key was not already loaded. |
// If specified, validate and load the key. | // If specified, validate and load the key. |
// | // |
if (_keyPath != String::EMPTY && !keyLoaded) |
if (_keyPath.size() != 0 && !keyLoaded ) |
{ | { |
PEG_TRACE((TRC_SSL, Tracer::LEVEL3, |
PEG_TRACE((TRC_SSL, Tracer::LEVEL4, |
"---> SSL: loading private key from: %s", | "---> SSL: loading private key from: %s", |
(const char*)_keyPath.getCString())); | (const char*)_keyPath.getCString())); |
// | // |