// Populate sslctxs with one configured SSL_CTX per name listed in the
// whitespace-separated "ssl.contexts" option.  When the option is absent the
// map is left untouched.  frobpass is handed through to createsslctx, which
// uses it as userdata for the private-key password callback.
void
augd::createsslctxs(sslctxs& sslctxs, const options& options, char* frobpass)
{
    const char* const list = options.get("ssl.contexts", 0);
    if (!list)
        return;

    istringstream names(list);
    for (string ctxname; names >> ctxname; )
        sslctxs.insert(make_pair(ctxname,
                                 createsslctx(ctxname, options, frobpass)));
}
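/**
 * Build and configure an SSL_CTX for the named context from the
 * "ssl.context.<name>.*" options.
 *
 * Recognised keys: certfile, keyfile, cadir, cafile, crlfile, ciphers,
 * depth (default "1") and verify (default "1").  When keyfile is not given
 * the private key is loaded from certfile, so a single PEM may carry both.
 * Certificate and key are tried as DER first and then as PEM.
 *
 * @param name      Context name; selects the "ssl.context.<name>." prefix.
 * @param options   Configuration source queried for each key.
 * @param frobpass  Installed as userdata for the default password callback
 *                  (passwdcb_), i.e. used when the private key is encrypted.
 * @return          Owning pointer to the configured context.
 * @throws ssl_error if any OpenSSL load or configure call fails; the error
 *                  code is taken from ERR_get_error().
 */
sslctxptr
augd::createsslctx(const string& name, const options& options,
                   char* frobpass)
{
    string s("ssl.context.");
    s += name;

    // Read ssl options from configuration.

    const char* certfile(options.get(s + ".certfile", 0));
    const char* keyfile(options.get(s + ".keyfile", 0));
    const char* cadir(options.get(s + ".cadir", 0));
    const char* cafile(options.get(s + ".cafile", 0));
    const char* crlfile(options.get(s + ".crlfile", 0));
    const char* ciphers(options.get(s + ".ciphers", 0));
    // atoi yields 0 for unparsable text; both settings default to "1".
    int depth(atoi(options.get(s + ".depth", "1")));
    int verify(atoi(options.get(s + ".verify", "1")));

    // NOTE(review): tlx appears to be a project placement-new target
    // (allocator/arena) — confirm against its definition.
    sslctxptr ptr(new (tlx) sslctx());
    SSL_CTX* ctx(ptr->get());

    // Load keys and certificates.  The DER attempt is made first; on failure
    // its queued error is discarded so that a failing chain/PEM attempt
    // reports its own cause.

    if (certfile) {

        if (!SSL_CTX_use_certificate_file(ctx, certfile, SSL_FILETYPE_ASN1)) {

            ERR_clear_error();

            if (!SSL_CTX_use_certificate_chain_file(ctx, certfile))
                throw ssl_error(__FILE__, __LINE__, ERR_get_error());
        }

        // Combined certificate + key file.
        if (!keyfile)
            keyfile = certfile;
    }

    // The callback must be in place before the key is loaded, since an
    // encrypted key is decrypted during SSL_CTX_use_PrivateKey_file.
    SSL_CTX_set_default_passwd_cb(ctx, passwdcb_);
    SSL_CTX_set_default_passwd_cb_userdata(ctx, frobpass);

    if (keyfile) {

        if (!SSL_CTX_use_PrivateKey_file(ctx, keyfile, SSL_FILETYPE_ASN1)) {

            ERR_clear_error();

            if (!SSL_CTX_use_PrivateKey_file(ctx, keyfile, SSL_FILETYPE_PEM))
                throw ssl_error(__FILE__, __LINE__, ERR_get_error());
        }
    }

    // Load trusted CAs.  Either location may be null; with neither set the
    // trust store stays empty, and whether peers are then accepted depends on
    // the verify mode and on verifycb_ (defined elsewhere — confirm).

    if ((cafile || cadir)
        && !SSL_CTX_load_verify_locations(ctx, cafile, cadir))
        throw ssl_error(__FILE__, __LINE__, ERR_get_error());

    if (ciphers && !SSL_CTX_set_cipher_list(ctx, ciphers))
        throw ssl_error(__FILE__, __LINE__, ERR_get_error());

    SSL_CTX_set_info_callback(ctx, infocb_);
    // tomode_ presumably maps the integer setting to SSL_VERIFY_* flags —
    // verify against its definition.
    SSL_CTX_set_verify(ctx, tomode_(verify), verifycb_);

    SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);

    // Chain-length limit comes from the ".depth" option.  Previously the
    // verify setting was passed here, so a configured depth other than the
    // default was silently ignored.
    SSL_CTX_set_verify_depth(ctx, depth);

    // Optional CRL: register a file lookup on the context's store and make
    // revocation checking cover the whole chain.

    if (crlfile) {

        X509_STORE* store(SSL_CTX_get_cert_store(ctx));
        X509_LOOKUP* lookup(X509_STORE_add_lookup(store, X509_LOOKUP_file()));

        if (!lookup)
            throw ssl_error(__FILE__, __LINE__, ERR_get_error());

        if (!X509_load_crl_file(lookup, crlfile, X509_FILETYPE_PEM))
            throw ssl_error(__FILE__, __LINE__, ERR_get_error());

        X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK
                             | X509_V_FLAG_CRL_CHECK_ALL);
    }

    return ptr;
}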