bool SSLTCPSocket::initSSL(char* certPath, char* keyPath) { SSL_load_error_strings(); SSL_library_init(); OpenSSL_add_all_algorithms(); serverContext = SSL_CTX_new(SSLv23_server_method()); SSL_CTX_set_options(serverContext, SSL_OP_SINGLE_DH_USE); if (!SSL_CTX_use_certificate_file(serverContext, certPath, SSL_FILETYPE_PEM)) { return false; } if (!SSL_CTX_use_PrivateKey_file(serverContext, keyPath, SSL_FILETYPE_PEM)) { return false; } clientContext = SSL_CTX_new(SSLv23_client_method()); SSL_CTX_set_options(clientContext, SSL_OP_SINGLE_DH_USE); return true; }
int SslContext::setCertificateFile(const char *pFile, int type, int chained) { int ret; if (!pFile) return 0; ::stat(pFile, &m_stCert); if (init(m_iMethod)) return 0; if (chained) return SSL_CTX_use_certificate_chain_file(m_pCtx, pFile); else { ret = loadCertFile(m_pCtx, pFile, type); if (ret == -1) return SSL_CTX_use_certificate_file(m_pCtx, pFile, translateType(type)); return ret; } }
static int vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file, enum enum_ssl_init_error* error) { DBUG_ENTER("vio_set_cert_stuff"); DBUG_PRINT("enter", ("ctx: 0x%lx cert_file: %s key_file: %s", (long) ctx, cert_file, key_file)); if (!cert_file && key_file) cert_file= key_file; if (!key_file && cert_file) key_file= cert_file; if (cert_file && SSL_CTX_use_certificate_file(ctx, cert_file, SSL_FILETYPE_PEM) <= 0) { *error= SSL_INITERR_CERT; DBUG_PRINT("error",("%s from file '%s'", sslGetErrString(*error), cert_file)); DBUG_EXECUTE("error", ERR_print_errors_fp(DBUG_FILE););
void PosixSslServerSocket::loadCertificates( const std::string & certificateFile, const std::string & keyFile ) { SSL_CTX * sslContext; int rc; sslContext = SSL_CTX_new(SSLv3_server_method()); rc = SSL_CTX_load_verify_locations(sslContext,certificateFile.c_str(),keyFile.c_str()); if( rc <= 0 ) ERR_print_errors_fp(stdout); rc = SSL_CTX_set_default_verify_paths(sslContext); if( rc <= 0 ) ERR_print_errors_fp(stdout); rc = SSL_CTX_use_certificate_file(sslContext,certificateFile.c_str(),SSL_FILETYPE_PEM); if( rc <= 0 ) ERR_print_errors_fp(stdout); rc = SSL_CTX_use_PrivateKey_file(sslContext,keyFile.c_str(),SSL_FILETYPE_PEM); if( rc <= 0 ) ERR_print_errors_fp(stdout); setSslContext(sslContext); }
struct cert* loadCert(const char* cert, const char* key) { const SSL_METHOD* method = SSLv23_method(); SSL_CTX* ctx = SSL_CTX_new(method); SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL); if (SSL_CTX_use_certificate_file(ctx, cert, SSL_FILETYPE_PEM) < 0) { return NULL; } if (SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM) < 0) { return NULL; } if (!SSL_CTX_check_private_key(ctx)) { return NULL; } struct cert* oc = xmalloc(sizeof(struct cert)); oc->isDummy = 0; oc->ctx = ctx; oc->certf = cert; oc->key = key; return oc; }
ssl_client * ssl_start_client(int fd, struct sockaddr * remote_addr){ ssl_ensure_initialized(); SSL_CTX * ctx = SSL_CTX_new(DTLSv1_client_method()); SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL:!MD5:!RC4"); if (!SSL_CTX_use_certificate_file(ctx, "certs/client-cert.pem", SSL_FILETYPE_PEM)) printf("\nERROR: no certificate found!"); if (!SSL_CTX_use_PrivateKey_file(ctx, "certs/client-key.pem", SSL_FILETYPE_PEM)) printf("\nERROR: no private key found!"); if (!SSL_CTX_check_private_key (ctx)) printf("\nERROR: invalid private key!"); SSL_CTX_set_verify_depth (ctx, 2); SSL_CTX_set_read_ahead(ctx, 1); SSL * ssl = SSL_new(ctx); // Create BIO, connect and set to already connected. BIO * bio = BIO_new_dgram(fd, BIO_CLOSE); BIO_ctrl(bio, BIO_CTRL_DGRAM_SET_CONNECTED, 0, remote_addr); SSL_set_bio(ssl, bio, bio); int ret = SSL_connect(ssl); if(ret < 0){ handle_ssl_error(ssl, ret); } { struct timeval timeout; timeout.tv_sec = 3; timeout.tv_usec = 0; BIO_ctrl(bio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout); } ssl_client * cli = alloc0(sizeof(ssl_client)); cli->ssl = ssl; cli->ctx = ctx; return cli; }
SSL_CTX *setup_tls() { SSL_CTX *tlsctx; SSL_library_init(); SSL_load_error_strings(); tlsctx = SSL_CTX_new(TLSv1_server_method()); if (tlsctx == NULL){ #ifdef DEBUG fprintf(stderr, "wss: SSL error: %s\n", ERR_error_string(ERR_get_error(), NULL)); #endif return NULL; } #ifdef DEBUG fprintf(stderr, "%s: tlsctx (%p)\n", __func__, tlsctx); #endif SSL_CTX_set_options(tlsctx, SSL_OP_SINGLE_DH_USE); if (!SSL_CTX_use_certificate_file(tlsctx, TLS_CERT, SSL_FILETYPE_PEM)){ #ifdef DEBUG fprintf(stderr, "%s: SSL error: %s\n", __func__, ERR_error_string(ERR_get_error(), NULL)); #endif SSL_CTX_free(tlsctx); return NULL; } if (!SSL_CTX_use_PrivateKey_file(tlsctx, TLS_KEY, SSL_FILETYPE_PEM)) { #ifdef DEBUG fprintf(stderr, "%s: SSL error: %s\n", __func__, ERR_error_string(ERR_get_error(), NULL)); #endif SSL_CTX_free(tlsctx); return NULL; } //SSL_CTX_set_session_cache_mode(tlsctx, SSL_SESS_CACHE_OFF); return tlsctx; }
bool SecureSocket::loadCertificates(String& filename) { if (filename.empty()) { showError("ssl certificate is not specified"); return false; } else { std::ifstream file(filename.c_str()); bool exist = file.good(); file.close(); if (!exist) { String errorMsg("ssl certificate doesn't exist: "); errorMsg.append(filename); showError(errorMsg.c_str()); return false; } } int r = 0; r = SSL_CTX_use_certificate_file(m_ssl->m_context, filename.c_str(), SSL_FILETYPE_PEM); if (r <= 0) { showError("could not use ssl certificate"); return false; } r = SSL_CTX_use_PrivateKey_file(m_ssl->m_context, filename.c_str(), SSL_FILETYPE_PEM); if (r <= 0) { showError("could not use ssl private key"); return false; } r = SSL_CTX_check_private_key(m_ssl->m_context); if (!r) { showError("could not verify ssl private key"); return false; } return true; }
int init_ssl(void) { SSL_METHOD *method; SSL_library_init(); SSL_load_error_strings(); method = TLSv1_server_method(); if(method == NULL) { syslog(LOG_ERR, "TLSv1_server_method() failed"); syslogsslerr(); return -1; } ssl_ctx = SSL_CTX_new(method); if(ssl_ctx == NULL) { syslog(LOG_ERR, "SSL_CTX_new() failed"); syslogsslerr(); return -1; } /* set the local certificate */ if(!SSL_CTX_use_certificate_file(ssl_ctx, HTTPS_CERTFILE, SSL_FILETYPE_PEM)) { syslog(LOG_ERR, "SSL_CTX_use_certificate_file(%s) failed", HTTPS_CERTFILE); syslogsslerr(); return -1; } /* set the private key */ if(!SSL_CTX_use_PrivateKey_file(ssl_ctx, HTTPS_KEYFILE, SSL_FILETYPE_PEM)) { syslog(LOG_ERR, "SSL_CTX_use_PrivateKey_file(%s) failed", HTTPS_KEYFILE); syslogsslerr(); return -1; } /* verify private key */ if(!SSL_CTX_check_private_key(ssl_ctx)) { syslog(LOG_ERR, "SSL_CTX_check_private_key() failed"); syslogsslerr(); return -1; } /*SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, verify_callback);*/ SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_NONE, verify_callback); /*SSL_CTX_set_verify_depth(depth);*/ syslog(LOG_INFO, "using %s", SSLeay_version(SSLEAY_VERSION)); return 0; }
void Network::loadCertificates() { int out; std::cout << "Loading Certificate:"; if ((out = SSL_CTX_use_certificate_file(sslContext, "/home/cameron/.heatSync/server.crt", SSL_FILETYPE_PEM)) != 1) { //todo: fix directory std::cerr << "(" << __FILE__ << ":" << __LINE__ << ") SSL: " << ERR_error_string(out, NULL) << std::endl; return; } std::cout << "."; if ((out = SSL_CTX_use_PrivateKey_file(sslContext, "/home/cameron/.heatSync/server.key", SSL_FILETYPE_PEM)) != 1) { std::cerr << "(" << __FILE__ << ":" << __LINE__ << ") SSL: " << ERR_error_string(out, NULL) << std::endl; return; } std::cout << "."; if (!(out = SSL_CTX_check_private_key(sslContext))) { std::cerr << "(" << __FILE__ << ":" << __LINE__ << ") SSL: " << ERR_error_string(out, NULL) << std::endl; return; } std::cout << "."; std::cout << "Success" << std::endl; }
JNIEXPORT void JNICALL Java_com_wizzardo_epoll_EpollSSL_loadCertificates(JNIEnv *env, jclass clazz, jlong sslContextPointer, jstring certFile, jstring keyFile){ SSL_CTX *ctx = (SSL_CTX *) sslContextPointer; const char *CertFile = ((*env)->GetStringUTFChars(env, certFile, NULL)); const char *KeyFile = ((*env)->GetStringUTFChars(env, keyFile, NULL)); /* set the local certificate from CertFile */ if (SSL_CTX_use_certificate_file(ctx, CertFile, SSL_FILETYPE_PEM) <= 0) { ERR_print_errors_fp(stderr); throwException(env, strerror(errno)); } /* set the private key from KeyFile (may be the same as CertFile) */ if (SSL_CTX_use_PrivateKey_file(ctx, KeyFile, SSL_FILETYPE_PEM) <= 0) { ERR_print_errors_fp(stderr); throwException(env, strerror(errno)); } /* verify private key */ if (!SSL_CTX_check_private_key(ctx)) { // fprintf(stderr, "Private key does not match the public certificate\n"); throwException(env, strerror(errno)); } }
static int setup_ssl(const char *cert_file, const char *key_file) { SSL_load_error_strings(); SSL_library_init(); OpenSSL_add_all_algorithms(); accept_ctx.ssl_ctx = SSL_CTX_new(SSLv23_server_method()); SSL_CTX_set_options(accept_ctx.ssl_ctx, SSL_OP_NO_SSLv2); /* load certificate and private key */ if (SSL_CTX_use_certificate_file(accept_ctx.ssl_ctx, cert_file, SSL_FILETYPE_PEM) != 1) { fprintf(stderr, "an error occurred while trying to load server certificate file:%s\n", cert_file); return -1; } if (SSL_CTX_use_PrivateKey_file(accept_ctx.ssl_ctx, key_file, SSL_FILETYPE_PEM) != 1) { fprintf(stderr, "an error occurred while trying to load private key file:%s\n", key_file); return -1; } return 0; }
void LoadCertificates(SSL_CTX* ctx, char* CertFile, char* KeyFile) { /* set the local certificate from CertFile */ if ( SSL_CTX_use_certificate_file(ctx, CertFile, SSL_FILETYPE_PEM) <= 0 ) { ERR_print_errors_fp(stderr); abort(); } /* set the private key from KeyFile (may be the same as CertFile) */ if ( SSL_CTX_use_PrivateKey_file(ctx, KeyFile, SSL_FILETYPE_PEM) <= 0 ) { ERR_print_errors_fp(stderr); abort(); } /* verify private key */ if ( !SSL_CTX_check_private_key(ctx) ) { fprintf(stderr, "Private key does not match the public certificate\n"); abort(); } }
int ssl_init(void) { if (!prng_init()) { Debug((DEBUG_NOTICE, "PRNG seeded")); } if ((bootopt & BOOT_TTY) && (bootopt & BOOT_DEBUG)) (void)fprintf(stderr, "ssl_init(): SSL_load_error_strings()\n" ); SSL_load_error_strings(); if ((bootopt & BOOT_TTY) && (bootopt & BOOT_DEBUG)) (void)fprintf(stderr, "ssl_init(): OpenSSL_add_ssl_algorythms()\n"); OpenSSL_add_ssl_algorithms(); if ((bootopt & BOOT_TTY) && (bootopt & BOOT_DEBUG)) (void)fprintf(stderr, "ssl_init(): SSL_CTX_new()\n"); ctx = SSL_CTX_new(SSLv23_server_method()); if (!ctx) { Debug((DEBUG_ERROR, "CTX_new: %s", ERR_error_string(ERR_get_error(), NULL))); return 0; } if ((bootopt & BOOT_TTY) && (bootopt & BOOT_DEBUG)) (void)fprintf(stderr, "ssl_init(): SSL_CTX_use_certificate_file()\n"); if (SSL_CTX_use_certificate_file(ctx, IRCD_CRT, SSL_FILETYPE_PEM) <= 0) { (void)disable_ssl(1); return 0; } if ((bootopt & BOOT_TTY) && (bootopt & BOOT_DEBUG)) (void)fprintf(stderr, "ssl_init(): SSL_CTX_use_PrivateKey_file()\n"); if (SSL_CTX_use_PrivateKey_file(ctx, IRCD_KEY, SSL_FILETYPE_PEM) <= 0) { (void)disable_ssl(1); return 0; } if ((bootopt & BOOT_TTY) && (bootopt & BOOT_DEBUG)) (void)fprintf(stderr, "ssl_init(): SSL_CTX_check_private_key()\n"); if (!SSL_CTX_check_private_key(ctx)) { (void)disable_ssl(1); return 0; } return 1; }
void LoadCertificates(SSL_CTX* ctx, char* CertFile, char* KeyFile) { /* set the local certificate from CertFile */ if ( SSL_CTX_use_certificate_file(ctx, CertFile, SSL_FILETYPE_PEM) <= 0 ) { //ERR_print_errors_fp(stderr); printf("The certificate is tampered ! Aborting now.\n"); exit(0); //abort(); } /* set the private key from KeyFile (may be the same as CertFile) */ if ( SSL_CTX_use_PrivateKey_file(ctx, KeyFile, SSL_FILETYPE_PEM) <= 0 ) { //ERR_print_errors_fp(stderr); printf("The key is tampered ! Aborting now.\n"); exit(0); } /* verify private key */ if ( !SSL_CTX_check_private_key(ctx) ) { fprintf(stderr, "Private key does not match the public certificate\n"); exit(0); } if (!SSL_CTX_load_verify_locations(ctx,"/home/shagun/ca/certs/cacert.pem",NULL)) { //ERR_print_errors(bio_err); ERR_print_errors_fp(stderr); exit(1); } /* Set to require peer (client) certificate verification */ SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); /* Set the verification depth to 1 */ SSL_CTX_set_verify_depth(ctx,1); }
/* cr_load_certs : loads private key and certificates from files * if cert_file and key_file are NULL , the function will generate * a dynamic certificate and private key */ void cr_load_certs(SSL_CTX *ssl,u_char *cert_file,u_char *key_file) { X509 *cert = NULL; EVP_PKEY *pkey = NULL; if(cert_file == NULL || key_file == NULL) { /* generate a public certificate and a private key */ cr_make_cert(&cert,&pkey,2048,0,365); SSL_CTX_use_certificate(ssl, cert); SSL_CTX_use_PrivateKey(ssl, pkey); #ifdef CR_MK_CERT RSA_print_fp(stdout,pkey->pkey.rsa,0); X509_print_fp(stdout,cert); PEM_write_PrivateKey(stdout,pkey,NULL,NULL,0,NULL, NULL); PEM_write_X509(stdout,cert); #endif } else { if (SSL_CTX_use_certificate_file(ssl, (const char*)cert_file, SSL_FILETYPE_PEM) <= 0) { ERR_print_errors_fp(stderr); exit(3); } if (SSL_CTX_use_RSAPrivateKey_file(ssl, (const char*)key_file, SSL_FILETYPE_PEM) <= 0) { ERR_print_errors_fp(stderr); exit(4); } } if (!SSL_CTX_check_private_key(ssl)) { perrx("Private key does not match the certificate public key\n"); exit(5); } }
void ssl_setup(SSL_CTX* ctx, char *ca_file, char* cert_file, char* key_file) { if (SSL_CTX_load_verify_locations(ctx, ca_file, NULL) != 1) { ERR_print_errors_fp(stderr); } /* set the local certificate from CertFile */ if (SSL_CTX_use_certificate_file(ctx, cert_file, SSL_FILETYPE_PEM) != 1) { ERR_print_errors_fp(stderr); assert(0); } /* set the private key from KeyFile (may be the same as CertFile) */ if (SSL_CTX_use_PrivateKey_file(ctx, key_file, SSL_FILETYPE_PEM) != 1) { ERR_print_errors_fp(stderr); assert(0); } /* verify private key */ if (SSL_CTX_check_private_key(ctx) != 1) { ERR_print_errors_fp(stderr); assert(0); } //SSL_VERIFY_PEER SSL_CTX_set_verify(ctx, 0, NULL); SSL_CTX_set_verify_depth(ctx, 4); if (SSL_CTX_set_cipher_list(ctx, CIPHER_LIST) != 1) { ERR_print_errors_fp(stderr); assert(0); } EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); if (!ecdh) { ERR_print_errors_fp(stderr); assert(0); } if (SSL_CTX_set_tmp_ecdh (ctx, ecdh) != 1) { ERR_print_errors_fp(stderr); assert(0); } EC_KEY_free(ecdh); }
static int ns_use_cert(SSL_CTX *ctx, const char *pem_file) { if (ctx == NULL) { return -1; } else if (pem_file == NULL || pem_file[0] == '\0') { return 0; } else if (SSL_CTX_use_certificate_file(ctx, pem_file, 1) == 0 || SSL_CTX_use_PrivateKey_file(ctx, pem_file, 1) == 0) { return -2; #ifndef NS_DISABLE_PFS } else { BIO *bio = NULL; DH *dh = NULL; /* Try to read DH parameters from the cert/key file. */ bio = BIO_new_file(pem_file, "r"); if (bio != NULL) { dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); BIO_free(bio); } /* * If there are no DH params in the file, fall back to hard-coded ones. * Not ideal, but better than nothing. */ if (dh == NULL) { bio = BIO_new_mem_buf((void *) ns_s_default_dh_params, -1); dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); BIO_free(bio); } if (dh != NULL) { SSL_CTX_set_tmp_dh(ctx, dh); SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE); DH_free(dh); } SSL_CTX_set_mode(ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); SSL_CTX_use_certificate_chain_file(ctx, pem_file); return 0; #endif } }
static bool load_certificates( const char *cert_file, const char *key_file ) { assert( ctx != NULL ); assert( cert_file != NULL ); assert( key_file != NULL ); debug( "Loading certificate ( ctx = %p, cert_file = %s, key_file = %s ).", ctx, cert_file, key_file ); unsigned long error_no = 0; char error_str[ 256 ]; memset( error_str, '\0', sizeof( error_str ) ); int ret = SSL_CTX_use_certificate_file( ctx, cert_file, SSL_FILETYPE_PEM ); if ( ret != 1 ) { error_no = ERR_get_error(); ERR_error_string_n( error_no, error_str, sizeof( error_str ) ); error( "Failed to load a certificate file ( file = %s, error = %s [%ul] ).", cert_file, error_str, error_no ); return false; } ret = SSL_CTX_use_PrivateKey_file( ctx, key_file, SSL_FILETYPE_PEM ); if ( ret != 1 ) { error_no = ERR_get_error(); ERR_error_string_n( error_no, error_str, sizeof( error_str ) ); error( "Failed to load a private key file ( file = %s, error = %s [%ul] ).", key_file, error_str, error_no ); return false; } ret = SSL_CTX_check_private_key( ctx ); if ( ret != 1 ) { error_no = ERR_get_error(); ERR_error_string_n( error_no, error_str, sizeof( error_str ) ); error( "Failed to check private key ( error = %s [%ul] ).", error_str, error_no ); return false; } return true; }
static int init_ssl_ctx(POOL_CONNECTION *cp, enum ssl_conn_type conntype) { int error = 0; char *cacert = NULL, *cacert_dir = NULL; /* initialize SSL members */ cp->ssl_ctx = SSL_CTX_new(TLSv1_method()); SSL_RETURN_ERROR_IF( (! cp->ssl_ctx), "SSL_CTX_new" ); if ( conntype == ssl_conn_serverclient) { error = SSL_CTX_use_certificate_file(cp->ssl_ctx, pool_config->ssl_cert, SSL_FILETYPE_PEM); SSL_RETURN_ERROR_IF( (error <= 0), "Loading SSL certificate"); error = SSL_CTX_use_PrivateKey_file(cp->ssl_ctx, pool_config->ssl_key, SSL_FILETYPE_PEM); SSL_RETURN_ERROR_IF( (error <= 0), "Loading SSL private key"); } else { /* set extra verification if ssl_ca_cert or ssl_ca_cert_dir are set */ if (strlen(pool_config->ssl_ca_cert)) cacert = pool_config->ssl_ca_cert; if (strlen(pool_config->ssl_ca_cert_dir)) cacert_dir = pool_config->ssl_ca_cert_dir; if ( cacert || cacert_dir ) { error = (!SSL_CTX_load_verify_locations(cp->ssl_ctx, cacert, cacert_dir)); SSL_RETURN_ERROR_IF(error, "SSL verification setup"); SSL_CTX_set_verify(cp->ssl_ctx, SSL_VERIFY_PEER, NULL); } } cp->ssl = SSL_new(cp->ssl_ctx); SSL_RETURN_ERROR_IF( (! cp->ssl), "SSL_new"); return 0; }
//PASS SSL_CTX* , CERTFILE, AND KEYFILE void load_Certs(SSL_CTX* ctx, char* Cert, char* Key) { // Set Certificate if ( SSL_CTX_use_certificate_file(ctx, Cert, SSL_FILETYPE_PEM) <= 0 ) { ERR_print_errors_fp(stderr); abort(); } //Set Private key from keyfile -NOTE Possible same as certfile if ( SSL_CTX_use_PrivateKey_file(ctx, Key, SSL_FILETYPE_PEM) <= 0 ) { ERR_print_errors_fp(stderr); abort(); } //Verifiy private key ?? needed? if ( !SSL_CTX_check_private_key(ctx) ) { fprintf(stderr, "Private key does not match the public certificate\n"); abort(); } }
int swSSL_init(char *cert_file, char *key_file) { SSL_library_init(); SSL_load_error_strings(); OpenSSL_add_all_algorithms(); ssl_context = SSL_CTX_new(SSLv23_method()); if (ssl_context == NULL) { ERR_print_errors_fp(stderr); return SW_ERR; } /* * set the local certificate from CertFile */ if (SSL_CTX_use_certificate_file(ssl_context, cert_file, SSL_FILETYPE_PEM) <= 0) { ERR_print_errors_fp(stderr); return SW_ERR; } /* * set the private key from KeyFile (may be the same as CertFile) */ if (SSL_CTX_use_PrivateKey_file(ssl_context, key_file, SSL_FILETYPE_PEM) <= 0) { ERR_print_errors_fp(stderr); return SW_ERR; } /* * verify private key */ if (!SSL_CTX_check_private_key(ssl_context)) { swWarn("Private key does not match the public certificate"); return SW_ERR; } return SW_OK; }
int TPC_Logging_Acceptor::open (const ACE_SOCK_Acceptor::PEER_ADDR &local_addr, ACE_Reactor *reactor, int flags, int use_select, int reuse_addr) { if (PARENT::open (local_addr, reactor, flags, use_select, reuse_addr) != 0) return -1; OpenSSL_add_ssl_algorithms (); ssl_ctx_ = SSL_CTX_new (SSLv3_server_method ()); if (ssl_ctx_ == 0) return -1; if (SSL_CTX_use_certificate_file (ssl_ctx_, TPC_CERTIFICATE_FILENAME, SSL_FILETYPE_PEM) <= 0 || SSL_CTX_use_PrivateKey_file (ssl_ctx_, TPC_KEY_FILENAME, SSL_FILETYPE_PEM) <= 0 || !SSL_CTX_check_private_key (ssl_ctx_)) return -1; ssl_ = SSL_new (ssl_ctx_); return ssl_ == 0 ? -1 : 0; }
static SSL_CTX *get_ssl_ctx(char *ca_dir, char *cert, char *key) { SSL_CTX *ssl_ctx; const SSL_METHOD *method; lagopus_msg_info("ca_dir:[%s], cert:[%s], key:[%s]\n", ca_dir, cert, key); method = TLSv1_method(); ssl_ctx = SSL_CTX_new(method); if (ssl_ctx == NULL) { lagopus_msg_warning("no memory.\n"); return NULL; } /* add client cert. */ if (SSL_CTX_use_certificate_file(ssl_ctx, cert, SSL_FILETYPE_PEM) != 1) { lagopus_msg_warning("SSL_CTX_use_certificate_file(%s) fail.\n", cert); SSL_CTX_free(ssl_ctx); return NULL; } /* add client private key. */ if (SSL_CTX_use_PrivateKey_file(ssl_ctx, key, SSL_FILETYPE_PEM) != 1) { lagopus_msg_warning("SSL_CTX_use_PrivateKey_file(%s) fail.\n", key); SSL_CTX_free(ssl_ctx); return NULL; } /* loading ca cert */ if (SSL_CTX_load_verify_locations(ssl_ctx, NULL, ca_dir) != 1) { lagopus_msg_warning("SSL_CTX_load_verify_locations(%s) fail.\n", ca_dir); SSL_CTX_free(ssl_ctx); return NULL; } SSL_CTX_set_verify_depth(ssl_ctx, 1);/* XXX depth is configurable? */ SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback); return ssl_ctx; }
/** setup SSL context */ static SSL_CTX* setup_ctx(struct config_file* cfg) { char* s_cert=NULL, *c_key=NULL, *c_cert=NULL; SSL_CTX* ctx; if(cfg->remote_control_use_cert) { s_cert = fname_after_chroot(cfg->server_cert_file, cfg, 1); c_key = fname_after_chroot(cfg->control_key_file, cfg, 1); c_cert = fname_after_chroot(cfg->control_cert_file, cfg, 1); if(!s_cert || !c_key || !c_cert) fatal_exit("out of memory"); } ctx = SSL_CTX_new(SSLv23_client_method()); if(!ctx) ssl_err("could not allocate SSL_CTX pointer"); if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)) ssl_err("could not set SSL_OP_NO_SSLv2"); if(cfg->remote_control_use_cert) { if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)) ssl_err("could not set SSL_OP_NO_SSLv3"); if(!SSL_CTX_use_certificate_file(ctx,c_cert,SSL_FILETYPE_PEM) || !SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM) || !SSL_CTX_check_private_key(ctx)) ssl_err("Error setting up SSL_CTX client key and cert"); if (SSL_CTX_load_verify_locations(ctx, s_cert, NULL) != 1) ssl_err("Error setting up SSL_CTX verify, server cert"); SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); free(s_cert); free(c_key); free(c_cert); } else { /* Use ciphers that don't require authentication */ if(!SSL_CTX_set_cipher_list(ctx, "aNULL")) ssl_err("Error setting NULL cipher!"); } return ctx; }
void init_ssl() { /* SSL preliminaries. We keep the certificate and key with the context. */ SSL_load_error_strings(); SSLeay_add_ssl_algorithms(); meth = SSLv23_server_method(); ctx = SSL_CTX_new (meth); if (!ctx) { irclog(L_ERROR, "Error creating SSL CTX"); #if 0 ERR_print_errors_fp (stderr); #endif exit (2); } if (SSL_CTX_use_certificate_file (ctx, CERTF, SSL_FILETYPE_PEM) <= 0) { irclog(L_ERROR, "Failed to load SSL certificate %s, SSL disabled", CERTF); no_ssl = -1; return; } if (SSL_CTX_use_PrivateKey_file (ctx, KEYF, SSL_FILETYPE_PEM) <= 0) { irclog(L_ERROR, "Failed to load SSL private key %s, SSL disabled", KEYF); no_ssl = -1; return; } #if 0 if (!SSL_CTX_check_private_key (ctx)) { fprintf (stderr, "Private key does not match the certificate public key\n"); exit (5); } #endif }
int kn_sock_ssllisten(handle_t h, kn_sockaddr *addr, const char *certificate, const char *privatekey ){ if(h->type != KN_SOCKET && ((kn_socket*)h)->type != SOCK_STREAM) return 0; kn_stream_socket *ss = (kn_stream_socket*)h; if(h->status != SOCKET_NONE) return -1; /* 以 SSL V2 和 V3 标准兼容方式产生一个 SSL_CTX ,即 SSL Content Text */ SSL_CTX *ctx = SSL_CTX_new(SSLv23_server_method()); /* 也可以用 SSLv2_server_method() 或 SSLv3_server_method() 单独表示 V2 或 V3标准 */ if (ctx == NULL) { ERR_print_errors_fp(stdout); return -1; } /* 载入用户的数字证书, 此证书用来发送给客户端。 证书里包含有公钥 */ if (SSL_CTX_use_certificate_file(ctx,certificate, SSL_FILETYPE_PEM) <= 0) { ERR_print_errors_fp(stdout); SSL_CTX_free(ctx); return -1; } /* 载入用户私钥 */ if (SSL_CTX_use_PrivateKey_file(ctx, privatekey, SSL_FILETYPE_PEM) <= 0) { ERR_print_errors_fp(stdout); SSL_CTX_free(ctx); return -1; } /* 检查用户私钥是否正确 */ if (!SSL_CTX_check_private_key(ctx)) { ERR_print_errors_fp(stdout); SSL_CTX_free(ctx); return -1; } kn_set_noblock(((handle_t)ss)->fd,0); ss->ctx = ctx; return stream_socket_listen(ss,addr); }
int ssl_init_server(char *certfile, char *privkeyfile, int type){ const SSL_METHOD *meth; /* Create an SSL_METHOD structure * (choose an SSL/TLS protocol version) */ meth = SSLv3_method(); /* Create an SSL_CTX structure */ ctx = SSL_CTX_new(meth); if (ctx == NULL){ ERR_print_errors_fp( stderr); return -1; } /* Load the server certificate into the SSL_CTX structure */ TRACE(L_VERBOSE, "server-ssl: load the server certificate"); if (SSL_CTX_use_certificate_file(ctx, certfile, type) <= 0) { ERR_print_errors_fp( stderr); return -1; } /* Load the private-key corresponding to the server certificate */ TRACE(L_VERBOSE, "server-ssl: load the private-key"); if (SSL_CTX_use_PrivateKey_file(ctx, privkeyfile, type) <= 0) { ERR_print_errors_fp( stderr); return -1; } TRACE(L_VERBOSE, "server-ssl: check if the server certificate "\ "and private-key matches"); /* Check if the server certificate and private-key matches */ if (!SSL_CTX_check_private_key(ctx)) { ERROR(L_VERBOSE,"Private key does not match the "\ "certificate public key"); return -1; } return 0; }
int evt_ctx_set_crt_key(evt_ctx_t *tls, char *crtf, char *key) { //SSL_CTX_set_verify(tls->ctx, SSL_VERIFY_NONE, uv__tls_verify_peer); SSL_CTX_set_verify(tls->ctx, SSL_VERIFY_NONE, NULL); int r = SSL_CTX_use_certificate_file(tls->ctx, crtf, SSL_FILETYPE_PEM); if(r != 1) { return -1; } tls->cert_set = 1; r = SSL_CTX_use_PrivateKey_file(tls->ctx, key, SSL_FILETYPE_PEM); if(r != 1) { return -1; } r = SSL_CTX_check_private_key(tls->ctx); if(r != 1) { return -1; } tls->key_set = 1; return 0; }
MSC_SOCKET_ERR msc_secure_socket_ctx_load_cert(const char *cert_file, const char *key_file) { if (SSL_CTX_use_certificate_file(g_ssl_ctx, cert_file, SSL_FILETYPE_PEM) <= 0) { fprintf(stderr, "Unable to load server certificate from file\n"); ERR_print_errors_fp(stderr); return MSC_FALSE; } if (SSL_CTX_use_PrivateKey_file(g_ssl_ctx, key_file, SSL_FILETYPE_PEM) <= 0) { fprintf(stderr, "Unable to load server key from file\n"); ERR_print_errors_fp(stderr); return MSC_FALSE; } if (!SSL_CTX_check_private_key(g_ssl_ctx)) { fprintf(stderr, "Server private key does not match server certificate\n"); ERR_print_errors_fp(stderr); return MSC_FALSE; } return MSC_TRUE; }