|
version 1.107.2.5, 2014/03/12 22:35:02
|
version 1.115, 2013/03/19 17:00:55
|
|
|
|
| # include <openssl/err.h> | # include <openssl/err.h> |
| # include <openssl/ssl.h> | # include <openssl/ssl.h> |
| # include <openssl/rand.h> | # include <openssl/rand.h> |
| # include <openssl/tls1.h> |
|
| #else | #else |
| # define SSL_CTX void | # define SSL_CTX void |
| #endif // end of PEGASUS_HAS_SSL | #endif // end of PEGASUS_HAS_SSL |
|
|
|
| const String& crlPath, | const String& crlPath, |
| SSLCertificateVerifyFunction* verifyCert, | SSLCertificateVerifyFunction* verifyCert, |
| const String& randomFile, | const String& randomFile, |
| const String& cipherSuite, |
const String& cipherSuite) |
| const Boolean& sslCompatibility) |
|
| { | { |
| PEG_METHOD_ENTER(TRC_SSL, "SSLContextRep::SSLContextRep()"); | PEG_METHOD_ENTER(TRC_SSL, "SSLContextRep::SSLContextRep()"); |
| | |
|
|
|
| _crlPath = crlPath; | _crlPath = crlPath; |
| _certificateVerifyFunction = verifyCert; | _certificateVerifyFunction = verifyCert; |
| _cipherSuite = cipherSuite; | _cipherSuite = cipherSuite; |
| _sslCompatibility = sslCompatibility; |
|
| // | // |
| // If a truststore and/or peer verification function is specified, | // If a truststore and/or peer verification function is specified, |
| // enable peer verification | // enable peer verification |
|
|
|
| _certificateVerifyFunction = sslContextRep._certificateVerifyFunction; | _certificateVerifyFunction = sslContextRep._certificateVerifyFunction; |
| _randomFile = sslContextRep._randomFile; | _randomFile = sslContextRep._randomFile; |
| _cipherSuite = sslContextRep._cipherSuite; | _cipherSuite = sslContextRep._cipherSuite; |
| _sslCompatibility = sslContextRep._sslCompatibility; |
|
| _sslContext = _makeSSLContext(); | _sslContext = _makeSSLContext(); |
| | |
| PEG_METHOD_EXIT(); | PEG_METHOD_EXIT(); |
|
|
|
| { | { |
| PEG_METHOD_ENTER(TRC_SSL, "SSLContextRep::_makeSSLContext()"); | PEG_METHOD_ENTER(TRC_SSL, "SSLContextRep::_makeSSLContext()"); |
| | |
| // OPENSSL_VERSION_NUMBER is defined as 0xnnnnnnnnnL |
SSL_CTX * sslContext = 0; |
| // MMNNFFPPS: major minor fix patch status |
|
| // The change 'const' SSL_METHOD |
|
| // was introduced in version 1.0.0 |
|
| |
|
| #if (OPENSSL_VERSION_NUMBER < 0x10000000L) |
|
| SSL_METHOD *sslProtocolMethod = SSLv23_method() ; |
|
| #else |
|
| const SSL_METHOD *sslProtocolMethod = SSLv23_method() ; |
|
| #endif |
|
| |
|
| int options = SSL_OP_ALL; |
|
| |
|
| | |
| // | // |
| // create SSL Context Area | // create SSL Context Area |
| // | // |
| | |
| if ( _sslCompatibility == false ) |
if (!(sslContext = SSL_CTX_new(SSLv23_method()))) |
| { |
|
| |
|
| #ifdef TLS1_2_VERSION |
|
| // Enable only TLSv1.2 and disable all other protocol (SSL v2, SSL v3, |
|
| // TLS v1.0, TLSv1.1) |
|
| sslProtocolMethod = TLSv1_2_method(); |
|
| options = SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1; |
|
| #ifndef OPENSSL_NO_SSL3 |
|
| options |= SSL_OP_NO_SSLv3; |
|
| #endif |
|
| #endif |
|
| } |
|
| |
|
| SSL_CTX *sslContext = NULL; |
|
| if (!(sslContext = SSL_CTX_new(sslProtocolMethod))) |
|
| { | { |
| PEG_METHOD_EXIT(); | PEG_METHOD_EXIT(); |
| MessageLoaderParms parms( | MessageLoaderParms parms( |
|
|
|
| if (!(SSL_CTX_set_cipher_list(sslContext, SSL_TXT_EXP40))) | if (!(SSL_CTX_set_cipher_list(sslContext, SSL_TXT_EXP40))) |
| { | { |
| SSL_CTX_free(sslContext); | SSL_CTX_free(sslContext); |
| sslContext = NULL; |
|
| | |
| MessageLoaderParms parms( | MessageLoaderParms parms( |
| "Common.SSLContext.COULD_NOT_SET_CIPHER_LIST", | "Common.SSLContext.COULD_NOT_SET_CIPHER_LIST", |
|
|
|
| if (!(SSL_CTX_set_cipher_list(sslContext, _cipherSuite.getCString()))) | if (!(SSL_CTX_set_cipher_list(sslContext, _cipherSuite.getCString()))) |
| { | { |
| SSL_CTX_free(sslContext); | SSL_CTX_free(sslContext); |
| sslContext = NULL; |
|
| | |
| PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL3, | PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL3, |
| "---> SSL: Cipher Suite could not be specified"); | "---> SSL: Cipher Suite could not be specified"); |
|
|
|
| // | // |
| // set overall SSL Context flags | // set overall SSL Context flags |
| // | // |
| // For OpenSSLversion >1.0.0 use SSL_OP_NO_COMPRESSION to disable the |
|
| // compression For TLS 1.2 version, compression does not suffer from |
|
| // CRIME attack so don.t disable compression For other OpenSSL versions |
|
| // zero out the compression methods. |
|
| #ifdef SSL_OP_NO_COMPRESSION |
|
| #ifndef TLS1_2_VERSION |
|
| SSL_CTX_set_options(sslContext, SSL_OP_NO_COMPRESSION); |
|
| #endif |
|
| #elif OPENSSL_VERSION_NUMBER >= 0x00908000L |
|
| sk_SSL_COMP_zero(SSL_COMP_get_compression_methods()); |
|
| #endif |
|
| SSL_CTX_set_quiet_shutdown(sslContext, 1); | SSL_CTX_set_quiet_shutdown(sslContext, 1); |
| SSL_CTX_set_mode(sslContext, SSL_MODE_AUTO_RETRY); | SSL_CTX_set_mode(sslContext, SSL_MODE_AUTO_RETRY); |
| SSL_CTX_set_mode(sslContext, SSL_MODE_ENABLE_PARTIAL_WRITE); | SSL_CTX_set_mode(sslContext, SSL_MODE_ENABLE_PARTIAL_WRITE); |
|
|
|
| SSL_CTX_set_mode (sslContext, SSL_MODE_RELEASE_BUFFERS); | SSL_CTX_set_mode (sslContext, SSL_MODE_RELEASE_BUFFERS); |
| #endif | #endif |
| | |
| |
int options = SSL_OP_ALL; |
| #ifndef PEGASUS_ENABLE_SSLV2 //SSLv2 is disabled by default | #ifndef PEGASUS_ENABLE_SSLV2 //SSLv2 is disabled by default |
| options |= SSL_OP_NO_SSLv2; | options |= SSL_OP_NO_SSLv2; |
| #endif | #endif |
|
|
|
| MessageLoaderParms parms( | MessageLoaderParms parms( |
| "Common.SSLContext.COULD_NOT_LOAD_CERTIFICATES", | "Common.SSLContext.COULD_NOT_LOAD_CERTIFICATES", |
| "Could not load certificates in to trust store."); | "Could not load certificates in to trust store."); |
| SSL_CTX_free(sslContext); |
|
| sslContext = NULL; |
|
| PEG_METHOD_EXIT(); | PEG_METHOD_EXIT(); |
| throw SSLException(parms); | throw SSLException(parms); |
| } | } |
|
|
|
| MessageLoaderParms parms( | MessageLoaderParms parms( |
| "Common.SSLContext.COULD_NOT_LOAD_CERTIFICATES", | "Common.SSLContext.COULD_NOT_LOAD_CERTIFICATES", |
| "Could not load certificates in to trust store."); | "Could not load certificates in to trust store."); |
| SSL_CTX_free(sslContext); |
|
| sslContext = NULL; |
|
| PEG_METHOD_EXIT(); | PEG_METHOD_EXIT(); |
| throw SSLException(parms); | throw SSLException(parms); |
| } | } |
|
|
|
| _crlStore.reset(X509_STORE_new()); | _crlStore.reset(X509_STORE_new()); |
| if (_crlStore.get() == NULL) | if (_crlStore.get() == NULL) |
| { | { |
| SSL_CTX_free(sslContext); |
|
| sslContext = NULL; |
|
| PEG_METHOD_EXIT(); | PEG_METHOD_EXIT(); |
| throw PEGASUS_STD(bad_alloc)(); | throw PEGASUS_STD(bad_alloc)(); |
| } | } |
|
|
|
| "Common.SSLContext.COULD_NOT_LOAD_CRLS", | "Common.SSLContext.COULD_NOT_LOAD_CRLS", |
| "Could not load certificate revocation list."); | "Could not load certificate revocation list."); |
| _crlStore.reset(); | _crlStore.reset(); |
| SSL_CTX_free(sslContext); |
|
| sslContext = NULL; |
|
| PEG_METHOD_EXIT(); | PEG_METHOD_EXIT(); |
| throw SSLException(parms); | throw SSLException(parms); |
| } | } |
|
|
|
| "Common.SSLContext.COULD_NOT_LOAD_CRLS", | "Common.SSLContext.COULD_NOT_LOAD_CRLS", |
| "Could not load certificate revocation list."); | "Could not load certificate revocation list."); |
| _crlStore.reset(); | _crlStore.reset(); |
| SSL_CTX_free(sslContext); |
|
| sslContext = NULL; |
|
| PEG_METHOD_EXIT(); | PEG_METHOD_EXIT(); |
| throw SSLException(parms); | throw SSLException(parms); |
| } | } |
|
|
|
| "Common.SSLContext.COULD_NOT_ACCESS_SERVER_CERTIFICATE", | "Common.SSLContext.COULD_NOT_ACCESS_SERVER_CERTIFICATE", |
| "Could not access server certificate in $0.", | "Could not access server certificate in $0.", |
| (const char*)_certPath.getCString()); | (const char*)_certPath.getCString()); |
| |
|
| SSL_CTX_free(sslContext); |
|
| sslContext = NULL; |
|
| PEG_METHOD_EXIT(); | PEG_METHOD_EXIT(); |
| throw SSLException(parms); | throw SSLException(parms); |
| } | } |
|
|
|
| MessageLoaderParms parms( | MessageLoaderParms parms( |
| "Common.SSLContext.COULD_NOT_GET_PRIVATE_KEY", | "Common.SSLContext.COULD_NOT_GET_PRIVATE_KEY", |
| "Could not get private key."); | "Could not get private key."); |
| SSL_CTX_free(sslContext); |
|
| sslContext = NULL; |
|
| PEG_METHOD_EXIT(); | PEG_METHOD_EXIT(); |
| throw SSLException(parms); | throw SSLException(parms); |
| } | } |
|
|
|
| MessageLoaderParms parms( | MessageLoaderParms parms( |
| "Common.SSLContext.COULD_NOT_GET_PRIVATE_KEY", | "Common.SSLContext.COULD_NOT_GET_PRIVATE_KEY", |
| "Could not get private key."); | "Could not get private key."); |
| SSL_CTX_free(sslContext); |
|
| sslContext = NULL; |
|
| PEG_METHOD_EXIT(); | PEG_METHOD_EXIT(); |
| throw SSLException(parms); | throw SSLException(parms); |
| } | } |
|
|
|
| const String&, | const String&, |
| SSLCertificateVerifyFunction*, | SSLCertificateVerifyFunction*, |
| const String&, | const String&, |
| const String&, |
const String&) |
| const Boolean&) |
|
| { | { |
| } | } |
| | |
|
|
|
| String::EMPTY, | String::EMPTY, |
| verifyCert, | verifyCert, |
| randomFile, | randomFile, |
| String::EMPTY, |
String::EMPTY); |
| false); |
|
| } | } |
| | |
| SSLContext::SSLContext( | SSLContext::SSLContext( |
|
|
|
| const String& crlPath, | const String& crlPath, |
| SSLCertificateVerifyFunction* verifyCert, | SSLCertificateVerifyFunction* verifyCert, |
| const String& randomFile, | const String& randomFile, |
| const String& cipherSuite, |
const String& cipherSuite) |
| const Boolean& sslCompatibility) |
|
| { | { |
| #ifndef PEGASUS_ENABLE_SSL_CRL_VERIFICATION | #ifndef PEGASUS_ENABLE_SSL_CRL_VERIFICATION |
| if (crlPath.size() > 0) | if (crlPath.size() > 0) |
|
|
|
| #endif | #endif |
| _rep = new SSLContextRep( | _rep = new SSLContextRep( |
| trustStore, certPath, keyPath, crlPath, verifyCert, randomFile, | trustStore, certPath, keyPath, crlPath, verifyCert, randomFile, |
| cipherSuite,sslCompatibility); |
cipherSuite); |
| } | } |
| #endif | #endif |
| | |
Return to
SSLContext.cpp
CVS log
Up to [Pegasus] / pegasus / src / Pegasus / Common