version 1.115, 2013/03/19 17:00:55
|
version 1.118, 2013/08/07 07:05:27
|
|
|
# include <openssl/err.h> | # include <openssl/err.h> |
# include <openssl/ssl.h> | # include <openssl/ssl.h> |
# include <openssl/rand.h> | # include <openssl/rand.h> |
|
# include <openssl/tls1.h> |
#else | #else |
# define SSL_CTX void | # define SSL_CTX void |
#endif // end of PEGASUS_HAS_SSL | #endif // end of PEGASUS_HAS_SSL |
|
|
const String& crlPath, | const String& crlPath, |
SSLCertificateVerifyFunction* verifyCert, | SSLCertificateVerifyFunction* verifyCert, |
const String& randomFile, | const String& randomFile, |
const String& cipherSuite) |
const String& cipherSuite, |
|
const Boolean& sslCompatibility) |
{ | { |
PEG_METHOD_ENTER(TRC_SSL, "SSLContextRep::SSLContextRep()"); | PEG_METHOD_ENTER(TRC_SSL, "SSLContextRep::SSLContextRep()"); |
| |
|
|
_crlPath = crlPath; | _crlPath = crlPath; |
_certificateVerifyFunction = verifyCert; | _certificateVerifyFunction = verifyCert; |
_cipherSuite = cipherSuite; | _cipherSuite = cipherSuite; |
|
_sslCompatibility = sslCompatibility; |
// | // |
// If a truststore and/or peer verification function is specified, | // If a truststore and/or peer verification function is specified, |
// enable peer verification | // enable peer verification |
|
|
_certificateVerifyFunction = sslContextRep._certificateVerifyFunction; | _certificateVerifyFunction = sslContextRep._certificateVerifyFunction; |
_randomFile = sslContextRep._randomFile; | _randomFile = sslContextRep._randomFile; |
_cipherSuite = sslContextRep._cipherSuite; | _cipherSuite = sslContextRep._cipherSuite; |
|
_sslCompatibility = sslContextRep._sslCompatibility; |
_sslContext = _makeSSLContext(); | _sslContext = _makeSSLContext(); |
| |
PEG_METHOD_EXIT(); | PEG_METHOD_EXIT(); |
|
|
PEG_METHOD_ENTER(TRC_SSL, "SSLContextRep::_makeSSLContext()"); | PEG_METHOD_ENTER(TRC_SSL, "SSLContextRep::_makeSSLContext()"); |
| |
SSL_CTX * sslContext = 0; | SSL_CTX * sslContext = 0; |
|
const SSL_METHOD *sslProtocolMethod = SSLv23_method() ; |
|
int options = SSL_OP_ALL; |
|
|
| |
// | // |
// create SSL Context Area | // create SSL Context Area |
// | // |
| |
if (!(sslContext = SSL_CTX_new(SSLv23_method()))) |
if ( _sslCompatibility == false ) |
|
{ |
|
|
|
#ifdef TLS1_2_VERSION |
|
// Enable only TLSv1.2 and disable all other protocol (SSL v2, SSL v3, |
|
// TLS v1.0, TLSv1.1) |
|
sslProtocolMethod = TLSv1_2_method(); |
|
options = SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1; |
|
#ifndef OPENSSL_NO_SSL3 |
|
options |= SSL_OP_NO_SSLv3; |
|
#endif |
|
#endif |
|
} |
|
|
|
if (!(sslContext = SSL_CTX_new(sslProtocolMethod))) |
{ | { |
PEG_METHOD_EXIT(); | PEG_METHOD_EXIT(); |
MessageLoaderParms parms( | MessageLoaderParms parms( |
|
|
// | // |
// set overall SSL Context flags | // set overall SSL Context flags |
// | // |
|
// For OpenSSLversion >1.0.0 use SSL_OP_NO_COMPRESSION to disable the |
|
// compression For TLS 1.2 version, compression does not suffer from |
|
// CRIME attack so don.t disable compression For other OpenSSL versions |
|
// zero out the compression methods. |
|
#ifdef SSL_OP_NO_COMPRESSION |
|
#ifndef TLS1_2_VERSION |
|
SSL_CTX_set_options(sslContext, SSL_OP_NO_COMPRESSION); |
|
#endif |
|
#elif OPENSSL_VERSION_NUMBER >= 0x00908000L |
|
sk_SSL_COMP_zero(SSL_COMP_get_compression_methods()); |
|
#endif |
SSL_CTX_set_quiet_shutdown(sslContext, 1); | SSL_CTX_set_quiet_shutdown(sslContext, 1); |
SSL_CTX_set_mode(sslContext, SSL_MODE_AUTO_RETRY); | SSL_CTX_set_mode(sslContext, SSL_MODE_AUTO_RETRY); |
SSL_CTX_set_mode(sslContext, SSL_MODE_ENABLE_PARTIAL_WRITE); | SSL_CTX_set_mode(sslContext, SSL_MODE_ENABLE_PARTIAL_WRITE); |
|
|
SSL_CTX_set_mode (sslContext, SSL_MODE_RELEASE_BUFFERS); | SSL_CTX_set_mode (sslContext, SSL_MODE_RELEASE_BUFFERS); |
#endif | #endif |
| |
int options = SSL_OP_ALL; |
|
#ifndef PEGASUS_ENABLE_SSLV2 //SSLv2 is disabled by default | #ifndef PEGASUS_ENABLE_SSLV2 //SSLv2 is disabled by default |
options |= SSL_OP_NO_SSLv2; | options |= SSL_OP_NO_SSLv2; |
#endif | #endif |
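Review bot: The compression guard `#ifdef SSL_OP_NO_COMPRESSION` / `#ifndef TLS1_2_VERSION` has the condition backwards for the stated goal: `SSL_CTX_set_options(sslContext, SSL_OP_NO_COMPRESSION)` is only compiled when the library has no TLS 1.2 support, so on every OpenSSL build that defines TLS1_2_VERSION compression stays enabled — including the `_sslCompatibility == true` path, which still uses the `SSLv23_method()` chosen at the top of `_makeSSLContext()` and can negotiate TLS 1.0/1.1. CRIME targets TLS-level compression regardless of protocol version, so the comment's claim that TLS 1.2 is unaffected is not a reason to leave it on. Dropping the inner `#ifndef TLS1_2_VERSION` / `#endif` so that `SSL_CTX_set_options(sslContext, SSL_OP_NO_COMPRESSION);` runs whenever the option exists (keeping the `sk_SSL_COMP_zero` fallback for older versions) would match the intent. Separately, in the earlier hunk, when TLS1_2_VERSION is undefined a request with `_sslCompatibility == false` silently keeps `SSLv23_method()` and `SSL_OP_ALL`; a trace message or `#warning` at that point would make the weakened configuration visible instead of implying TLS 1.2-only. `_makeSSLContext()` begins before this hunk and its body continues past it.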
|
|
const String&, | const String&, |
SSLCertificateVerifyFunction*, | SSLCertificateVerifyFunction*, |
const String&, | const String&, |
const String&) |
const String&, |
|
const Boolean&) |
{ | { |
} | } |
| |
|
|
String::EMPTY, | String::EMPTY, |
verifyCert, | verifyCert, |
randomFile, | randomFile, |
String::EMPTY); |
String::EMPTY, |
|
false); |
} | } |
| |
SSLContext::SSLContext( | SSLContext::SSLContext( |
|
|
trustStore, certPath, keyPath, crlPath, verifyCert, randomFile, | trustStore, certPath, keyPath, crlPath, verifyCert, randomFile, |
cipherSuite); | cipherSuite); |
} | } |
|
|
|
SSLContext::SSLContext( |
|
const String& trustStore, |
|
const String& certPath, |
|
const String& keyPath, |
|
const String& crlPath, |
|
SSLCertificateVerifyFunction* verifyCert, |
|
const String& randomFile, |
|
const String& cipherSuite, |
|
const Boolean& sslCompatibility) |
|
{ |
|
#ifndef PEGASUS_ENABLE_SSL_CRL_VERIFICATION |
|
if (crlPath.size() > 0) |
|
{ |
|
MessageLoaderParms parms( |
|
"Common.Exception.SSL_CRL_NOT_ENABLED_EXCEPTION", |
|
"SSL CRL verification is not enabled."); |
|
throw Exception(parms); |
|
} |
|
#endif |
|
_rep = new SSLContextRep( |
|
trustStore, certPath, keyPath, crlPath, verifyCert, randomFile, |
|
cipherSuite,sslCompatibility); |
|
} |
#endif | #endif |
| |
#ifdef PEGASUS_USE_DEPRECATED_INTERFACES | #ifdef PEGASUS_USE_DEPRECATED_INTERFACES |