void SSLContextTest::verifySSLCipherList(const vector<string>& ciphers) {
int i = 0;
ssl::SSLUniquePtr ssl(ctx.createSSL());
for (auto& cipher : ciphers) {
ASSERT_STREQ(cipher.c_str(), SSL_get_cipher_list(ssl.get(), i++));
}
ASSERT_EQ(nullptr, SSL_get_cipher_list(ssl.get(), i));
}
QList<QSslCipher> MumbleSSL::ciphersFromOpenSSLCipherString(QString cipherString) {
QList<QSslCipher> chosenCiphers;
SSL_CTX *ctx = NULL;
SSL *ssl = NULL;
const SSL_METHOD *meth = NULL;
int i = 0;
QByteArray csbuf = cipherString.toLatin1();
const char *ciphers = csbuf.constData();
meth = SSLv23_server_method();
if (meth == NULL) {
qWarning("MumbleSSL: unable to get SSL method");
goto out;
}
// We use const_cast to be compatible with OpenSSL 0.9.8.
ctx = SSL_CTX_new(const_cast<SSL_METHOD *>(meth));
if (ctx == NULL) {
qWarning("MumbleSSL: unable to allocate SSL_CTX");
goto out;
}
if (!SSL_CTX_set_cipher_list(ctx, ciphers)) {
qWarning("MumbleSSL: error parsing OpenSSL cipher string in ciphersFromOpenSSLCipherString");
goto out;
}
ssl = SSL_new(ctx);
if (ssl == NULL) {
qWarning("MumbleSSL: unable to create SSL object in ciphersFromOpenSSLCipherString");
goto out;
}
while (1) {
const char *name = SSL_get_cipher_list(ssl, i);
if (name == NULL) {
break;
}
#if QT_VERSION >= 0x050300
QSslCipher c = QSslCipher(QString::fromLatin1(name));
if (!c.isNull()) {
chosenCiphers << c;
}
#else
foreach (const QSslCipher &c, QSslSocket::supportedCiphers()) {
if (c.name() == QString::fromLatin1(name)) {
chosenCiphers << c;
}
}
#endif
++i;
}
out:
SSL_CTX_free(ctx);
SSL_free(ssl);
return chosenCiphers;
}
int SSLSocket_setSocketForSSL(networkHandles* net, MQTTClient_SSLOptions* opts)
{
int rc = 1;
FUNC_ENTRY;
if (net->ctx != NULL || (rc = SSLSocket_createContext(net, opts)) == 1)
{
int i;
SSL_CTX_set_info_callback(net->ctx, SSL_CTX_info_callback);
if (opts->enableServerCertAuth)
SSL_CTX_set_verify(net->ctx, SSL_VERIFY_PEER, NULL);
net->ssl = SSL_new(net->ctx);
/* Log all ciphers available to the SSL sessions (loaded in ctx) */
for (i = 0; ;i++)
{
const char* cipher = SSL_get_cipher_list(net->ssl, i);
if (cipher == NULL) break;
Log(TRACE_MIN, 1, "SSL cipher available: %d:%s", i, cipher);
}
if ((rc = SSL_set_fd(net->ssl, net->socket)) != 1)
SSLSocket_error("SSL_set_fd", net->ssl, net->socket, rc);
}
FUNC_EXIT_RC(rc);
return rc;
}
void
show_available_tls_ciphers ()
{
SSL_CTX *ctx;
SSL *ssl;
const char *cipher_name;
int priority = 0;
ctx = SSL_CTX_new (TLSv1_method ());
if (!ctx)
msg (M_SSLERR, "Cannot create SSL_CTX object");
ssl = SSL_new (ctx);
if (!ssl)
msg (M_SSLERR, "Cannot create SSL object");
printf ("Available TLS Ciphers,\n");
printf ("listed in order of preference:\n\n");
while ((cipher_name = SSL_get_cipher_list (ssl, priority++)))
printf ("%s\n", cipher_name);
printf ("\n");
SSL_free (ssl);
SSL_CTX_free (ctx);
}
void QFrankSSL::K_VerfuegbareAlgorithmenHohlen()
{
if(K_SSLStruktur==NULL)
{
#ifndef QT_NO_DEBUG
qWarning(qPrintable(trUtf8("QFrankSSL verfügbare Algorithmen: keine gültige SSL Struktur","debug")));
#endif
emit SSLFehler(K_KeineSSLStrukturText);
return;
}
const char* Algorithmus=0;
int Prioritaet=0;
do
{
Algorithmus=SSL_get_cipher_list(K_SSLStruktur,Prioritaet);
if(Algorithmus==NULL)
break;
K_VerfuegbareAlgorithmen<<Algorithmus;
Prioritaet++;
}
while(true);
#ifndef QT_NO_DEBUG
qDebug(qPrintable(trUtf8("QFrankSSL verfügbare Algorithmen:\r\n%1","debug").arg(K_VerfuegbareAlgorithmen.join(":"))));
#endif
}
/// Get an SSL server connection handle
SSL* OsSSL::getServerConnection()
{
SSL* server = SSL_new(mCTX);
if (server)
{
# if SSL_DEBUG
UtlString ciphers;
const char* cipher;
for (int i = 0; cipher = SSL_get_cipher_list(server, i); i++)
{
ciphers.append("\n ");
ciphers.append(cipher);
}
OsSysLog::add(FAC_KERNEL, PRI_DEBUG, "OsSSL::getServerConnection returning %p%s",
server, ciphers.isNull() ? " NO CIPHERS" : ciphers.data());
// SSL_set_accept_state(server);
// SSL_set_options(server, SSL_OP_NO_SSLv2);
# endif
}
else
{
OsSysLog::add(FAC_KERNEL, PRI_ERR, "OsSSL::getServerConnection SSL_new failed.");
}
return server;
}
void print_ciphers(SSL *ssl)
{
int pri = 0;
const char *name;
while ((name = SSL_get_cipher_list(ssl, pri++)) != NULL) {
printf("%s:", name);
}
puts("");
}
void showCiphers(SSL *ssl, FILE *file)
{
for (int i=0; ; i++) {
const char *p = SSL_get_cipher_list(ssl,i);
if (p == NULL) break;
if (i != 0) fprintf(file,"\n");
fprintf(file,"%s",p);
}
fprintf(file,"\n");
}
void
get_highest_preference_tls_cipher (char *buf, int size)
{
SSL_CTX *ctx;
SSL *ssl;
const char *cipher_name;
ctx = SSL_CTX_new (TLSv1_method ());
if (!ctx)
msg (M_SSLERR, "Cannot create SSL_CTX object");
ssl = SSL_new (ctx);
if (!ssl)
msg (M_SSLERR, "Cannot create SSL object");
cipher_name = SSL_get_cipher_list (ssl, 0);
strncpynt (buf, cipher_name, size);
SSL_free (ssl);
SSL_CTX_free (ctx);
}
void
show_available_tls_ciphers (const char *cipher_list)
{
struct tls_root_ctx tls_ctx;
SSL *ssl;
const char *cipher_name;
const char *print_name;
const tls_cipher_name_pair *pair;
int priority = 0;
tls_ctx.ctx = SSL_CTX_new (SSLv23_method ());
if (!tls_ctx.ctx)
msg (M_SSLERR, "Cannot create SSL_CTX object");
ssl = SSL_new (tls_ctx.ctx);
if (!ssl)
msg (M_SSLERR, "Cannot create SSL object");
if (cipher_list)
tls_ctx_restrict_ciphers(&tls_ctx, cipher_list);
printf ("Available TLS Ciphers,\n");
printf ("listed in order of preference:\n\n");
while ((cipher_name = SSL_get_cipher_list (ssl, priority++)))
{
pair = tls_get_cipher_name_pair(cipher_name, strlen(cipher_name));
if (NULL == pair) {
// No translation found, print warning
printf ("%s (No IANA name known to OpenVPN, use OpenSSL name.)\n", cipher_name);
} else {
printf ("%s\n", pair->iana_name);
}
}
printf ("\n" SHOW_TLS_CIPHER_LIST_WARNING);
SSL_free (ssl);
SSL_CTX_free (tls_ctx.ctx);
}
@return: A list of cipher strings\n\
";
static PyObject *
ssl_Connection_get_cipher_list(ssl_ConnectionObj *self, PyObject *args)
{
int idx = 0;
const char *ret;
PyObject *lst, *item;
if (!PyArg_ParseTuple(args, ":get_cipher_list"))
return NULL;
lst = PyList_New(0);
while ((ret = SSL_get_cipher_list(self->ssl, idx)) != NULL)
{
item = PyText_FromString(ret);
PyList_Append(lst, item);
Py_DECREF(item);
idx++;
}
return lst;
}
void
show_available_tls_ciphers ()
{
SSL_CTX *ctx;
SSL *ssl;
const char *cipher_name;
const char *print_name;
const tls_cipher_name_pair *pair;
int priority = 0;
ctx = SSL_CTX_new (TLSv1_method ());
if (!ctx)
msg (M_SSLERR, "Cannot create SSL_CTX object");
ssl = SSL_new (ctx);
if (!ssl)
msg (M_SSLERR, "Cannot create SSL object");
printf ("Available TLS Ciphers,\n");
printf ("listed in order of preference:\n\n");
while ((cipher_name = SSL_get_cipher_list (ssl, priority++)))
{
pair = tls_get_cipher_name_pair(cipher_name, strlen(cipher_name));
if (NULL == pair) {
// No translation found, print warning
printf ("%s (No IANA name known to OpenVPN, use OpenSSL name.)\n", cipher_name);
} else {
printf ("%s\n", pair->iana_name);
}
}
printf ("\n");
SSL_free (ssl);
SSL_CTX_free (ctx);
}
const char *
eventer_ssl_get_cipher_list(eventer_ssl_ctx_t *ctx, int prio) {
return SSL_get_cipher_list(ctx->ssl, prio);
}
static int openssl_ssl_get(lua_State*L)
{
SSL* s = CHECK_OBJECT(1, SSL, "openssl.ssl");
int i;
int top = lua_gettop(L);
for (i = 2; i <= top; i++)
{
const char* what = luaL_checklstring(L, i, NULL);
if (strcmp(what, "fd") == 0)
{
lua_pushinteger(L, SSL_get_fd(s));
}
else if (strcmp(what, "rfd") == 0)
{
lua_pushinteger(L, SSL_get_rfd(s));
}
else if (strcmp(what, "wfd") == 0)
{
lua_pushinteger(L, SSL_get_wfd(s));
}
else if (strcmp(what, "client_CA_list") == 0)
{
STACK_OF(X509_NAME)* sn = SSL_get_client_CA_list(s);
PUSH_OBJECT(sn, "openssl.sk_x509_name");
}
else if (strcmp(what, "read_ahead") == 0)
{
lua_pushboolean(L, SSL_get_read_ahead(s));
}
else if (strcmp(what, "shared_ciphers") == 0)
{
char buf[LUAL_BUFFERSIZE] = {0};
lua_pushstring(L, SSL_get_shared_ciphers(s, buf, sizeof(buf)));
}
else if (strcmp(what, "cipher_list") == 0)
{
//TODO FIX
lua_pushstring(L, SSL_get_cipher_list(s, 0));
}
else if (strcmp(what, "verify_mode") == 0)
{
//FIX
lua_pushinteger(L, SSL_get_verify_mode(s));
}
else if (strcmp(what, "verify_depth") == 0)
{
lua_pushinteger(L, SSL_get_verify_depth(s));
}
else if (strcmp(what, "state_string") == 0)
{
lua_pushstring(L, SSL_state_string(s));
}
else if (strcmp(what, "state_string_long") == 0)
{
lua_pushstring(L, SSL_state_string_long(s));
}
else if (strcmp(what, "rstate_string") == 0)
{
lua_pushstring(L, SSL_rstate_string(s));
}
else if (strcmp(what, "rstate_string_long") == 0)
{
lua_pushstring(L, SSL_rstate_string_long(s));
}
else if (strcmp(what, "version") == 0)
{
lua_pushstring(L, SSL_get_version(s));
}
else if (strcmp(what, "iversion") == 0)
{
lua_pushinteger(L, SSL_version(s));
}
else if (strcmp(what, "default_timeout") == 0)
{
lua_pushinteger(L, SSL_get_default_timeout(s));
}
else if (strcmp(what, "certificate") == 0)
{
X509* cert = SSL_get_certificate(s);
PUSH_OBJECT(cert, "openssl.x509");
}
else if (strcmp(what, "verify_result") == 0)
{
long l = SSL_get_verify_result(s);
lua_pushinteger(L, l);
}
else if (strcmp(what, "version") == 0)
{
lua_pushstring(L, SSL_get_version(s));
}
else if (strcmp(what, "state") == 0)
{
lua_pushinteger(L, SSL_state(s));
}
else if (strcmp(what, "hostname") == 0)
{
lua_pushstring(L, SSL_get_servername(s, TLSEXT_NAMETYPE_host_name));
}
else
luaL_argerror(L, i, "can't understant");
}
return top - 1;
}
void client_test(void* args)
{
#ifdef _WIN32
WSADATA wsd;
WSAStartup(0x0002, &wsd);
#endif
SOCKET_T sockfd = 0;
int argc = 0;
char** argv = 0;
set_args(argc, argv, *static_cast<func_args*>(args));
tcp_connect(sockfd);
#ifdef NON_BLOCKING
tcp_set_nonblocking(sockfd);
#endif
SSL_METHOD* method = TLSv1_client_method();
SSL_CTX* ctx = SSL_CTX_new(method);
set_certs(ctx);
SSL* ssl = SSL_new(ctx);
SSL_set_fd(ssl, sockfd);
#ifdef NON_BLOCKING
NonBlockingSSL_Connect(ssl, ctx, sockfd);
#else
// if you get an error here see note at top of README
if (SSL_connect(ssl) != SSL_SUCCESS)
ClientError(ctx, ssl, sockfd, "SSL_connect failed");
#endif
showPeer(ssl);
const char* cipher = 0;
int index = 0;
char list[1024];
strncpy(list, "cipherlist", 11);
while ( (cipher = SSL_get_cipher_list(ssl, index++)) ) {
strncat(list, ":", 2);
strncat(list, cipher, strlen(cipher) + 1);
}
printf("%s\n", list);
printf("Using Cipher Suite: %s\n", SSL_get_cipher(ssl));
char msg[] = "hello yassl!";
if (SSL_write(ssl, msg, sizeof(msg)) != sizeof(msg))
ClientError(ctx, ssl, sockfd, "SSL_write failed");
char reply[1024];
int input = SSL_read(ssl, reply, sizeof(reply));
if (input > 0) {
reply[input] = 0;
printf("Server response: %s\n", reply);
}
#ifdef TEST_RESUME
SSL_SESSION* session = SSL_get_session(ssl);
SSL* sslResume = SSL_new(ctx);
#endif
SSL_shutdown(ssl);
SSL_free(ssl);
tcp_close(sockfd);
#ifdef TEST_RESUME
tcp_connect(sockfd);
SSL_set_fd(sslResume, sockfd);
SSL_set_session(sslResume, session);
if (SSL_connect(sslResume) != SSL_SUCCESS)
ClientError(ctx, sslResume, sockfd, "SSL_resume failed");
showPeer(sslResume);
if (SSL_write(sslResume, msg, sizeof(msg)) != sizeof(msg))
ClientError(ctx, sslResume, sockfd, "SSL_write failed");
input = SSL_read(sslResume, reply, sizeof(reply));
if (input > 0) {
reply[input] = 0;
printf("Server response: %s\n", reply);
}
SSL_shutdown(sslResume);
SSL_free(sslResume);
tcp_close(sockfd);
#endif // TEST_RESUME
SSL_CTX_free(ctx);
((func_args*)args)->return_code = 0;
}
int MAIN(int argc, char **argv)
{
int ret = 1, i;
int verbose = 0, Verbose = 0;
const char **pp;
const char *p;
int badops = 0;
SSL_CTX *ctx = NULL;
SSL *ssl = NULL;
char *ciphers = NULL;
const SSL_METHOD *meth = NULL;
STACK_OF(SSL_CIPHER) *sk;
char buf[512];
BIO *STDout = NULL;
meth = SSLv23_server_method();
apps_startup();
if (bio_err == NULL)
bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
STDout = BIO_new_fp(stdout, BIO_NOCLOSE);
#ifdef OPENSSL_SYS_VMS
{
BIO *tmpbio = BIO_new(BIO_f_linebuffer());
STDout = BIO_push(tmpbio, STDout);
}
#endif
if (!load_config(bio_err, NULL))
goto end;
argc--;
argv++;
while (argc >= 1) {
if (strcmp(*argv, "-v") == 0)
verbose = 1;
else if (strcmp(*argv, "-V") == 0)
verbose = Verbose = 1;
#ifndef OPENSSL_NO_SSL2
else if (strcmp(*argv, "-ssl2") == 0)
meth = SSLv2_client_method();
#endif
#ifndef OPENSSL_NO_SSL3
else if (strcmp(*argv, "-ssl3") == 0)
meth = SSLv3_client_method();
#endif
#ifndef OPENSSL_NO_TLS1
else if (strcmp(*argv, "-tls1") == 0)
meth = TLSv1_client_method();
#endif
else if ((strncmp(*argv, "-h", 2) == 0) || (strcmp(*argv, "-?") == 0)) {
badops = 1;
break;
} else {
ciphers = *argv;
}
argc--;
argv++;
}
if (badops) {
for (pp = ciphers_usage; (*pp != NULL); pp++)
BIO_printf(bio_err, "%s", *pp);
goto end;
}
OpenSSL_add_ssl_algorithms();
ctx = SSL_CTX_new(meth);
if (ctx == NULL)
goto err;
if (ciphers != NULL) {
if (!SSL_CTX_set_cipher_list(ctx, ciphers)) {
BIO_printf(bio_err, "Error in cipher list\n");
goto err;
}
}
ssl = SSL_new(ctx);
if (ssl == NULL)
goto err;
if (!verbose) {
for (i = 0;; i++) {
p = SSL_get_cipher_list(ssl, i);
if (p == NULL)
break;
if (i != 0)
BIO_printf(STDout, ":");
BIO_printf(STDout, "%s", p);
}
BIO_printf(STDout, "\n");
} else { /* verbose */
sk = SSL_get_ciphers(ssl);
for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
SSL_CIPHER *c;
c = sk_SSL_CIPHER_value(sk, i);
if (Verbose) {
unsigned long id = c->id;
int id0 = (int)(id >> 24);
int id1 = (int)((id >> 16) & 0xffL);
int id2 = (int)((id >> 8) & 0xffL);
int id3 = (int)(id & 0xffL);
if ((id & 0xff000000L) == 0x02000000L) {
/* SSL2 cipher */
BIO_printf(STDout, " 0x%02X,0x%02X,0x%02X - ", id1,
id2, id3);
} else if ((id & 0xff000000L) == 0x03000000L) {
/* SSL3 cipher */
BIO_printf(STDout, " 0x%02X,0x%02X - ", id2,
id3);
} else {
/* whatever */
BIO_printf(STDout, "0x%02X,0x%02X,0x%02X,0x%02X - ", id0,
id1, id2, id3);
}
}
BIO_puts(STDout, SSL_CIPHER_description(c, buf, sizeof buf));
}
}
ret = 0;
if (0) {
err:
SSL_load_error_strings();
ERR_print_errors(bio_err);
}
end:
if (ctx != NULL)
SSL_CTX_free(ctx);
if (ssl != NULL)
SSL_free(ssl);
if (STDout != NULL)
BIO_free_all(STDout);
apps_shutdown();
OPENSSL_EXIT(ret);
}
as_status
as_tls_context_setup(as_config_tls* tlscfg, as_tls_context* ctx, as_error* errp)
{
// Clear the destination, in case we don't make it.
ctx->ssl_ctx = NULL;
ctx->pkey = NULL;
ctx->cert_blacklist = NULL;
ctx->log_session_info = tlscfg->log_session_info;
ctx->for_login_only = tlscfg->for_login_only;
as_tls_check_init();
pthread_mutex_init(&ctx->lock, NULL);
if (tlscfg->cert_blacklist) {
ctx->cert_blacklist = cert_blacklist_read(tlscfg->cert_blacklist);
if (! ctx->cert_blacklist) {
as_tls_context_destroy(ctx);
return as_error_update(errp, AEROSPIKE_ERR_TLS_ERROR,
"Failed to read certificate blacklist: %s",
tlscfg->cert_blacklist);
}
}
uint16_t protocols = AS_TLS_PROTOCOL_NONE;
as_status status = protocols_parse(tlscfg, &protocols, errp);
if (status != AEROSPIKE_OK) {
as_tls_context_destroy(ctx);
return status;
}
const SSL_METHOD* method = NULL;
// If the selected protocol set is a single protocol we can use a specific method.
if (protocols == AS_TLS_PROTOCOL_TLSV1) {
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
method = TLS_client_method();
#else
method = TLSv1_client_method();
#endif
}
else if (protocols == AS_TLS_PROTOCOL_TLSV1_1) {
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
method = TLS_client_method();
#else
method = TLSv1_1_client_method();
#endif
}
else if (protocols == AS_TLS_PROTOCOL_TLSV1_2) {
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
method = TLS_client_method();
#else
method = TLSv1_2_client_method();
#endif
}
else {
// Multiple protocols are enabled, use a flexible method.
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
method = TLS_client_method();
#else
method = SSLv23_client_method();
#endif
}
ctx->ssl_ctx = SSL_CTX_new(method);
if (ctx->ssl_ctx == NULL) {
as_tls_context_destroy(ctx);
unsigned long errcode = ERR_get_error();
char errbuf[1024];
ERR_error_string_n(errcode, errbuf, sizeof(errbuf));
return as_error_update(errp, AEROSPIKE_ERR_TLS_ERROR,
"Failed to create new TLS context: %s", errbuf);
}
/* always disable SSLv2, as per RFC 6176 */
SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv2);
SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv3);
// Turn off non-enabled protocols.
if (! (protocols & AS_TLS_PROTOCOL_TLSV1)) {
SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1);
}
if (! (protocols & AS_TLS_PROTOCOL_TLSV1_1)) {
SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_1);
}
if (! (protocols & AS_TLS_PROTOCOL_TLSV1_2)) {
SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_2);
}
if (tlscfg->cafile || tlscfg->capath) {
int rv = SSL_CTX_load_verify_locations(ctx->ssl_ctx, tlscfg->cafile, tlscfg->capath);
if (rv != 1) {
as_tls_context_destroy(ctx);
char errbuf[1024];
unsigned long errcode = ERR_get_error();
if (errcode != 0) {
ERR_error_string_n(errcode, errbuf, sizeof(errbuf));
return as_error_update(errp, AEROSPIKE_ERR_TLS_ERROR,
"Failed to load CAFile: %s", errbuf);
}
return as_error_set_message(errp, AEROSPIKE_ERR_TLS_ERROR,
"Unknown failure loading CAFile");
}
}
if (tlscfg->certfile) {
int rv = SSL_CTX_use_certificate_chain_file(ctx->ssl_ctx, tlscfg->certfile);
if (rv != 1) {
// We seem to be seeing this bug:
// https://groups.google.com/
// forum/#!topic/mailing.openssl.users/nRvRzmKnEQA
// If the rv is not 1 check the error stack; if it doesn't have an
// error assume we are OK.
//
unsigned long errcode = ERR_peek_error();
if (errcode != SSL_ERROR_NONE) {
// There *was* an error after all.
as_tls_context_destroy(ctx);
unsigned long errcode = ERR_get_error();
char errbuf[1024];
ERR_error_string_n(errcode, errbuf, sizeof(errbuf));
return as_error_update(errp, AEROSPIKE_ERR_TLS_ERROR,
"SSL_CTX_use_certificate_chain_file failed: %s",
errbuf);
}
}
}
if (tlscfg->keyfile) {
bool ok = false;
FILE *fh = fopen(tlscfg->keyfile, "r");
if (fh == NULL) {
as_error_update(errp, AEROSPIKE_ERR_TLS_ERROR,
"failed to open key file %s: %s", tlscfg->keyfile,
strerror(errno));
}
else {
EVP_PKEY *pkey = PEM_read_PrivateKey(fh, NULL, password_cb,
tlscfg->keyfile_pw);
if (pkey == NULL) {
unsigned long errcode = ERR_get_error();
if (ERR_GET_REASON(errcode) == PEM_R_BAD_PASSWORD_READ) {
if (tlscfg->keyfile_pw == NULL) {
as_error_update(errp, AEROSPIKE_ERR_TLS_ERROR,
"key file %s requires a password",
tlscfg->keyfile);
}
else {
as_error_update(errp, AEROSPIKE_ERR_TLS_ERROR,
"password for key file %s too long",
tlscfg->keyfile);
}
}
else if (ERR_GET_REASON(errcode) == EVP_R_BAD_DECRYPT) {
as_error_update(errp, AEROSPIKE_ERR_TLS_ERROR,
"invalid password for key file %s",
tlscfg->keyfile);
}
else {
char errbuf[1024];
ERR_error_string_n(errcode, errbuf, sizeof(errbuf));
as_error_update(errp, AEROSPIKE_ERR_TLS_ERROR,
"PEM_read_PrivateKey failed: %s", errbuf);
}
}
else {
ctx->pkey = pkey;
SSL_CTX_use_PrivateKey(ctx->ssl_ctx, pkey);
ok = true;
}
fclose(fh);
}
if (!ok) {
as_tls_context_destroy(ctx);
return AEROSPIKE_ERR_TLS_ERROR;
}
}
if (tlscfg->cipher_suite) {
int rv = SSL_CTX_set_cipher_list(ctx->ssl_ctx, tlscfg->cipher_suite);
if (rv != 1) {
as_tls_context_destroy(ctx);
return as_error_set_message(errp, AEROSPIKE_ERR_TLS_ERROR,
"no compatible cipher found");
}
// It's bogus that we have to create an SSL just to get the
// cipher list, but SSL_CTX_get_ciphers doesn't appear to
// exist ...
SSL* ssl = SSL_new(ctx->ssl_ctx);
for (int prio = 0; true; ++prio) {
char const * cipherstr = SSL_get_cipher_list(ssl, prio);
if (!cipherstr) {
break;
}
as_log_info("cipher %d: %s", prio+1, cipherstr);
}
SSL_free(ssl);
}
if (tlscfg->crl_check || tlscfg->crl_check_all) {
X509_VERIFY_PARAM* param = X509_VERIFY_PARAM_new();
unsigned long flags = X509_V_FLAG_CRL_CHECK;
if (tlscfg->crl_check_all) {
flags |= X509_V_FLAG_CRL_CHECK_ALL;
}
X509_VERIFY_PARAM_set_flags(param, flags);
SSL_CTX_set1_param(ctx->ssl_ctx, param);
X509_VERIFY_PARAM_free(param);
}
SSL_CTX_set_verify(ctx->ssl_ctx, SSL_VERIFY_PEER, verify_callback);
manage_sigpipe();
return AEROSPIKE_OK;
}
int MAIN(int argc, char **argv)
{
int ret=1,i;
int verbose=0;
char **pp;
const char *p;
int badops=0;
SSL_CTX *ctx=NULL;
SSL *ssl=NULL;
char *ciphers=NULL;
SSL_METHOD *meth=NULL;
STACK_OF(SSL_CIPHER) *sk;
char buf[512];
BIO *STDout=NULL;
#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
meth=SSLv23_server_method();
#elif !defined(OPENSSL_NO_SSL3)
meth=SSLv3_server_method();
#elif !defined(OPENSSL_NO_SSL2)
meth=SSLv2_server_method();
#endif
apps_startup();
if (bio_err == NULL)
bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
STDout=BIO_new_fp(stdout,BIO_NOCLOSE);
#ifdef OPENSSL_SYS_VMS
{
BIO *tmpbio = BIO_new(BIO_f_linebuffer());
STDout = BIO_push(tmpbio, STDout);
}
#endif
argc--;
argv++;
while (argc >= 1)
{
if (strcmp(*argv,"-v") == 0)
verbose=1;
#ifndef OPENSSL_NO_SSL2
else if (strcmp(*argv,"-ssl2") == 0)
meth=SSLv2_client_method();
#endif
#ifndef OPENSSL_NO_SSL3
else if (strcmp(*argv,"-ssl3") == 0)
meth=SSLv3_client_method();
#endif
#ifndef OPENSSL_NO_TLS1
else if (strcmp(*argv,"-tls1") == 0)
meth=TLSv1_client_method();
#endif
else if ((strncmp(*argv,"-h",2) == 0) ||
(strcmp(*argv,"-?") == 0))
{
badops=1;
break;
}
else
{
ciphers= *argv;
}
argc--;
argv++;
}
if (badops)
{
for (pp=ciphers_usage; (*pp != NULL); pp++)
BIO_printf(bio_err,"%s",*pp);
goto end;
}
OpenSSL_add_ssl_algorithms();
ctx=SSL_CTX_new(meth);
if (ctx == NULL) goto err;
if (ciphers != NULL) {
if(!SSL_CTX_set_cipher_list(ctx,ciphers)) {
BIO_printf(bio_err, "Error in cipher list\n");
goto err;
}
}
ssl=SSL_new(ctx);
if (ssl == NULL) goto err;
if (!verbose)
{
for (i=0; ; i++)
{
p=SSL_get_cipher_list(ssl,i);
if (p == NULL) break;
if (i != 0) BIO_printf(STDout,":");
BIO_printf(STDout,"%s",p);
}
BIO_printf(STDout,"\n");
}
else
{
sk=SSL_get_ciphers(ssl);
for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
{
BIO_puts(STDout,SSL_CIPHER_description(
sk_SSL_CIPHER_value(sk,i),
buf,sizeof buf));
}
}
ret=0;
if (0)
{
err:
SSL_load_error_strings();
ERR_print_errors(bio_err);
}
end:
if (ctx != NULL) SSL_CTX_free(ctx);
if (ssl != NULL) SSL_free(ssl);
if (STDout != NULL) BIO_free_all(STDout);
apps_shutdown();
OPENSSL_EXIT(ret);
}
// Returns the names of the cipher suites which could be enabled for use
// on this connection.
const char* SSLSocket::getSupportedCipherSuites()
{
return SSL_get_cipher_list(_ssl, 0);
}