void h2o_socket_ssl_handshake(h2o_socket_t *sock, SSL_CTX *ssl_ctx, const char *server_name, h2o_socket_cb handshake_cb) { sock->ssl = h2o_mem_alloc(sizeof(*sock->ssl)); memset(sock->ssl, 0, offsetof(struct st_h2o_socket_ssl_t, output.pool)); /* setup the buffers; sock->input should be empty, sock->ssl->input.encrypted should contain the initial input, if any */ h2o_buffer_init(&sock->ssl->input.encrypted, &h2o_socket_buffer_prototype); if (sock->input->size != 0) { h2o_buffer_t *tmp = sock->input; sock->input = sock->ssl->input.encrypted; sock->ssl->input.encrypted = tmp; } h2o_mem_init_pool(&sock->ssl->output.pool); create_ssl(sock, ssl_ctx); sock->ssl->handshake.cb = handshake_cb; if (server_name == NULL) { /* is server */ if (SSL_CTX_sess_get_get_cb(ssl_ctx) != NULL) sock->ssl->handshake.server.async_resumption.state = ASYNC_RESUMPTION_STATE_RECORD; if (sock->ssl->input.encrypted->size != 0) proceed_handshake(sock, 0); else h2o_socket_read_start(sock, proceed_handshake); } else { sock->ssl->handshake.client.server_name = h2o_strdup(NULL, server_name, SIZE_MAX).base; SSL_set_tlsext_host_name(sock->ssl->ssl, sock->ssl->handshake.client.server_name); proceed_handshake(sock, 0); } }
int swClient_ssl_handshake(swClient *cli) { if (!cli->socket->ssl) { if (swSSL_create(cli->socket, cli->ssl_context, SW_SSL_CLIENT) < 0) { return SW_ERR; } #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME if (cli->ssl_option.tls_host_name) { SSL_set_tlsext_host_name(cli->socket->ssl, cli->ssl_option.tls_host_name); } #endif } if (swSSL_connect(cli->socket) < 0) { return SW_ERR; } if (cli->socket->ssl_state == SW_SSL_STATE_READY && cli->ssl_option.verify_peer) { if (swClient_ssl_verify(cli, cli->ssl_option.allow_self_signed) < 0) { return SW_ERR; } } return SW_OK; }
/* OpenSSL < 1.0.0 does not have SSL_set_tlsext_host_name() */ long HsOpenSSL_SSL_set_tlsext_host_name(SSL* ssl, char* host_name) { #if defined(SSL_set_tlsext_host_name) return SSL_set_tlsext_host_name(ssl, host_name); #else return 0; #endif }
/* Initiate an SSL handshake on this stream and encrypt all subsequent data */ int stream_enable_ssl(PTSTREAM *pts) { #ifdef USE_SSL SSL *ssl; SSL_CTX *ctx; int ret; /* Initialise the connection */ SSLeay_add_ssl_algorithms(); SSL_load_error_strings(); ctx = SSL_CTX_new (SSLv3_client_method()); ssl = SSL_new (ctx); if (args_info.verbose_flag) { message("Set SNI hostname to %s\n", args_info.proxyhost_arg); } ret = SSL_set_tlsext_host_name(ssl, args_info.proxyhost_arg); if (!ret) { message("TLS SNI error, giving up: SSL_set_tlsext_host_name failed\n"); exit(1); } SSL_set_rfd (ssl, stream_get_incoming_fd(pts)); SSL_set_wfd (ssl, stream_get_outgoing_fd(pts)); SSL_connect (ssl); /* Store ssl and ctx parameters */ pts->ssl = ssl; pts->ctx = ctx; #else message("Warning: stream_open(): SSL stream requested but no SSL support available; using unencrypted connection"); #endif /* USE_SSL */ return 1; }
bool ssl_connect_wget (int fd, const char *hostname) { SSL *conn; struct scwt_context scwt_ctx; struct openssl_transport_context *ctx; DEBUGP (("Initiating SSL handshake.\n")); assert (ssl_ctx != NULL); conn = SSL_new (ssl_ctx); if (!conn) goto error; #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT) /* If the SSL library was build with support for ServerNameIndication then use it whenever we have a hostname. If not, don't, ever. */ if (! is_valid_ip_address (hostname)) { if (! SSL_set_tlsext_host_name (conn, hostname)) { DEBUGP (("Failed to set TLS server-name indication.")); goto error; } } #endif #ifndef FD_TO_SOCKET # define FD_TO_SOCKET(X) (X) #endif if (!SSL_set_fd (conn, FD_TO_SOCKET (fd))) goto error; SSL_set_connect_state (conn); scwt_ctx.ssl = conn; if (run_with_timeout(opt.read_timeout, ssl_connect_with_timeout_callback, &scwt_ctx)) { DEBUGP (("SSL handshake timed out.\n")); goto timeout; } if (scwt_ctx.result <= 0 || conn->state != SSL_ST_OK) goto error; ctx = xnew0 (struct openssl_transport_context); ctx->conn = conn; /* Register FD with Wget's transport layer, i.e. arrange that our functions are used for reading, writing, and polling. */ fd_register_transport (fd, &openssl_transport, ctx); DEBUGP (("Handshake successful; connected socket %d to SSL handle 0x%0*lx\n", fd, PTR_FORMAT (conn))); return true; error: DEBUGP (("SSL handshake failed.\n")); print_errors (); timeout: if (conn) SSL_free (conn); return false; }
/* Configure per-SSL callbacks and other properties. */ static void configure_handshake_ssl(SSL *server, SSL *client, const SSL_TEST_EXTRA_CONF *extra) { if (extra->client.servername != SSL_TEST_SERVERNAME_NONE) SSL_set_tlsext_host_name(client, ssl_servername_name(extra->client.servername)); }
int np_net_ssl_init_with_hostname (int sd, char *host_name) { if (!initialized) { /* Initialize SSL context */ SSLeay_add_ssl_algorithms (); SSL_load_error_strings (); OpenSSL_add_all_algorithms (); initialized = 1; } if ((c = SSL_CTX_new (SSLv23_client_method ())) == NULL) { printf ("%s\n", _("CRITICAL - Cannot create SSL context.")); return STATE_CRITICAL; } if ((s = SSL_new (c)) != NULL){ #ifdef SSL_set_tlsext_host_name if (host_name != NULL) SSL_set_tlsext_host_name(s, host_name); #endif SSL_set_fd (s, sd); if (SSL_connect(s) == 1){ return OK; } else { printf ("%s\n", _("CRITICAL - Cannot make SSL connection ")); # ifdef USE_OPENSSL /* XXX look into ERR_error_string */ ERR_print_errors_fp (stdout); # endif /* USE_OPENSSL */ } } else { printf ("%s\n", _("CRITICAL - Cannot initiate SSL handshake.")); } return STATE_CRITICAL; }
CSSLSession* CSSLSession::Renew(const CSSLContext& sslCtx, LPCSTR lpszHostName) { ASSERT(!IsValid()); m_ssl = SSL_new(sslCtx.GetDefaultContext()); m_bioSend = BIO_new(BIO_s_mem()); m_bioRecv = BIO_new(BIO_s_mem()); SSL_set_bio(m_ssl, m_bioRecv, m_bioSend); if(sslCtx.GetSessionMode() == SSL_SM_SERVER) SSL_accept(m_ssl); else { USES_CONVERSION; if(lpszHostName && lpszHostName[0] != 0 && !::IsIPAddress(A2CT(lpszHostName))) SSL_set_tlsext_host_name(m_ssl, lpszHostName); SSL_connect(m_ssl); } m_pitSend = m_itPool.PickFreeItem(); m_pitRecv = m_itPool.PickFreeItem(); m_bufSend.buf = (char*)m_pitSend->Ptr(); m_bufRecv.buf = (char*)m_pitRecv->Ptr(); m_enStatus = SSL_HSS_PROC; return this; }
status_t BSecureSocket::_SetupCommon(const char* host) { // Do this only after BSocket::Connect has checked wether we're already // connected. We don't want to kill an existing SSL session, as that would // likely crash the protocol loop for it. if (fPrivate->fSSL != NULL) { SSL_free(fPrivate->fSSL); } fPrivate->fSSL = SSL_new(BSecureSocket::Private::Context()); if (fPrivate->fSSL == NULL) { BSocket::Disconnect(); return B_NO_MEMORY; } BIO_set_fd(fPrivate->fBIO, fSocket, BIO_NOCLOSE); SSL_set_bio(fPrivate->fSSL, fPrivate->fBIO, fPrivate->fBIO); SSL_set_ex_data(fPrivate->fSSL, Private::sDataIndex, this); if (host != NULL) { BString hostString = host; if (hostString != "") SSL_set_tlsext_host_name(fPrivate->fSSL, host); } return B_OK; }
int openssl_connect(git_stream *stream) { int ret; BIO *bio; openssl_stream *st = (openssl_stream *) stream; if ((ret = git_stream_connect(st->io)) < 0) return ret; st->connected = true; bio = BIO_new(&git_stream_bio_method); GITERR_CHECK_ALLOC(bio); bio->ptr = st->io; SSL_set_bio(st->ssl, bio, bio); /* specify the host in case SNI is needed */ #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME SSL_set_tlsext_host_name(st->ssl, st->host); #endif if ((ret = SSL_connect(st->ssl)) <= 0) return ssl_set_error(st->ssl, ret); return verify_server_cert(st->ssl, st->host); }
/* Configure per-SSL callbacks and other properties. */ static void configure_handshake_ssl(SSL *server, SSL *client, const SSL_TEST_CTX *test_ctx) { if (test_ctx->servername != SSL_TEST_SERVERNAME_NONE) SSL_set_tlsext_host_name(client, ssl_servername_name(test_ctx->servername)); }
static int server_setup_sni(void) { SSL_CTX *cctx = NULL, *sctx = NULL; SSL *clientssl = NULL, *serverssl = NULL; int testresult = 0; if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), TLS1_VERSION, 0, &sctx, &cctx, cert, privkey)) || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL))) goto end; /* set SNI at server side */ SSL_set_tlsext_host_name(serverssl, host); if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) goto end; if (!TEST_ptr_null(SSL_get_servername(serverssl, TLSEXT_NAMETYPE_host_name))) { /* SNI should have been cleared during handshake */ goto end; } testresult = 1; end: SSL_free(serverssl); SSL_free(clientssl); SSL_CTX_free(sctx); SSL_CTX_free(cctx); return testresult; }
static int init_ssl_socket( pn_ssl_t *ssl ) { if (ssl->ssl) return 0; if (!ssl->domain) return -1; ssl->ssl = SSL_new(ssl->domain->ctx); if (!ssl->ssl) { _log_error( "SSL socket setup failure.\n" ); return -1; } // store backpointer to pn_ssl_t in SSL object: SSL_set_ex_data(ssl->ssl, ssl_ex_data_index, ssl); #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME if (ssl->peer_hostname && ssl->domain->mode == PN_SSL_MODE_CLIENT) { SSL_set_tlsext_host_name(ssl->ssl, ssl->peer_hostname); } #endif // restore session, if available if (ssl->session_id) { pn_ssl_session_t *ssn = ssn_cache_find( ssl->domain, ssl->session_id ); if (ssn) { _log( ssl, "Restoring previous session id=%s\n", ssn->id ); int rc = SSL_set_session( ssl->ssl, ssn->session ); if (rc != 1) { _log( ssl, "Session restore failed, id=%s\n", ssn->id ); } LL_REMOVE( ssl->domain, ssn_cache, ssn ); ssl_session_free( ssn ); } } // now layer a BIO over the SSL socket ssl->bio_ssl = BIO_new(BIO_f_ssl()); if (!ssl->bio_ssl) { _log_error( "BIO setup failure.\n" ); return -1; } (void)BIO_set_ssl(ssl->bio_ssl, ssl->ssl, BIO_NOCLOSE); // create the "lower" BIO "pipe", and attach it below the SSL layer if (!BIO_new_bio_pair(&ssl->bio_ssl_io, 0, &ssl->bio_net_io, 0)) { _log_error( "BIO setup failure.\n" ); return -1; } SSL_set_bio(ssl->ssl, ssl->bio_ssl_io, ssl->bio_ssl_io); if (ssl->domain->mode == PN_SSL_MODE_SERVER) { SSL_set_accept_state(ssl->ssl); BIO_set_ssl_mode(ssl->bio_ssl, 0); // server mode _log( ssl, "Server SSL socket created.\n" ); } else { // client mode SSL_set_connect_state(ssl->ssl); BIO_set_ssl_mode(ssl->bio_ssl, 1); // client mode _log( ssl, "Client SSL socket created.\n" ); } return 0; }
int ssl_open(http_t *client, char *msg) { char buf[256]; const char *sn; X509 *cert; if (!client->ssl_enabled) return tcp_init(&client->tcp, msg); tcp_set_port(&client->tcp, HTTPS_DEFAULT_PORT); DO(tcp_init(&client->tcp, msg)); logit(LOG_INFO, "%s, initiating HTTPS ...", msg); client->ssl_ctx = SSL_CTX_new(SSLv23_client_method()); if (!client->ssl_ctx) return RC_HTTPS_OUT_OF_MEMORY; /* POODLE, only allow TLSv1.x or later */ SSL_CTX_set_options(client->ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION); SSL_CTX_set_verify(client->ssl_ctx, SSL_VERIFY_PEER, verify_callback); SSL_CTX_set_verify_depth(client->ssl_ctx, 150); /* Try to figure out location of trusted CA certs on system */ if (ssl_set_ca_location(client)) return RC_HTTPS_NO_TRUSTED_CA_STORE; client->ssl = SSL_new(client->ssl_ctx); if (!client->ssl) return RC_HTTPS_OUT_OF_MEMORY; /* SSL SNI support: tell the servername we want to speak to */ http_get_remote_name(client, &sn); if (!SSL_set_tlsext_host_name(client->ssl, sn)) return RC_HTTPS_SNI_ERROR; SSL_set_fd(client->ssl, client->tcp.ip.socket); if (-1 == SSL_connect(client->ssl)) return RC_HTTPS_FAILED_CONNECT; logit(LOG_INFO, "SSL connection using %s", SSL_get_cipher(client->ssl)); cert = SSL_get_peer_certificate(client->ssl); if (!cert) return RC_HTTPS_FAILED_GETTING_CERT; if (SSL_get_verify_result(client->ssl) == X509_V_OK) logit(LOG_DEBUG, "Certificate OK"); X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf)); logit(LOG_INFO, "SSL server cert subject: %s", buf); X509_NAME_oneline(X509_get_issuer_name(cert), buf, sizeof(buf)); logit(LOG_INFO, "SSL server cert issuer: %s", buf); X509_free(cert); return 0; }
bool KSSLSocket::setHostName(const char *hostname) { #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME SSL_set_tlsext_host_name(ssl,hostname); return true; #else return false; #endif }
void h2o_socket_ssl_handshake(h2o_socket_t *sock, SSL_CTX *ssl_ctx, const char *server_name, h2o_socket_cb handshake_cb) { sock->ssl = h2o_mem_alloc(sizeof(*sock->ssl)); memset(sock->ssl, 0, offsetof(struct st_h2o_socket_ssl_t, output.pool)); /* setup the buffers; sock->input should be empty, sock->ssl->input.encrypted should contain the initial input, if any */ h2o_buffer_init(&sock->ssl->input.encrypted, &h2o_socket_buffer_prototype); if (sock->input->size != 0) { h2o_buffer_t *tmp = sock->input; sock->input = sock->ssl->input.encrypted; sock->ssl->input.encrypted = tmp; } h2o_mem_init_pool(&sock->ssl->output.pool); create_ssl(sock, ssl_ctx); sock->ssl->handshake.cb = handshake_cb; if (server_name == NULL) { /* is server */ if (SSL_CTX_sess_get_get_cb(ssl_ctx) != NULL) sock->ssl->handshake.server.async_resumption.state = ASYNC_RESUMPTION_STATE_RECORD; if (sock->ssl->input.encrypted->size != 0) proceed_handshake(sock, 0); else h2o_socket_read_start(sock, proceed_handshake); } else { h2o_cache_t *session_cache = h2o_socket_ssl_get_session_cache(ssl_ctx); if (session_cache != NULL) { struct sockaddr_storage sa; int32_t port; if (h2o_socket_getpeername(sock, (struct sockaddr *)&sa) != 0 && (port = h2o_socket_getport((struct sockaddr *)&sa)) != -1) { /* session cache is available */ h2o_iovec_t session_cache_key; session_cache_key.base = h2o_mem_alloc(strlen(server_name) + sizeof(":" H2O_UINT16_LONGEST_STR)); session_cache_key.len = sprintf(session_cache_key.base, "%s:%" PRIu16, server_name, (uint16_t)port); sock->ssl->handshake.client.session_cache = session_cache; sock->ssl->handshake.client.session_cache_key = session_cache_key; sock->ssl->handshake.client.session_cache_key_hash = h2o_cache_calchash(session_cache_key.base, session_cache_key.len); /* fetch from session cache */ h2o_cache_ref_t *cacheref = h2o_cache_fetch(session_cache, h2o_now(h2o_socket_get_loop(sock)), sock->ssl->handshake.client.session_cache_key, sock->ssl->handshake.client.session_cache_key_hash); if (cacheref != NULL) { SSL_set_session(sock->ssl->ssl, (SSL_SESSION *)cacheref->value.base); h2o_cache_release(session_cache, cacheref); } } } sock->ssl->handshake.client.server_name = h2o_strdup(NULL, server_name, SIZE_MAX).base; SSL_set_tlsext_host_name(sock->ssl->ssl, sock->ssl->handshake.client.server_name); proceed_handshake(sock, 0); } }
apr_status_t serf_ssl_set_hostname(serf_ssl_context_t *context, const char * hostname) { #ifdef SSL_set_tlsext_host_name if (SSL_set_tlsext_host_name(context->ssl, hostname) != 1) { ERR_clear_error(); } #endif return APR_SUCCESS; }
static inline int tls_setup(shout_tls_t *tls) { SSL_METHOD *meth; SSL_library_init(); SSL_load_error_strings(); SSLeay_add_all_algorithms(); SSLeay_add_ssl_algorithms(); meth = TLSv1_client_method(); if (!meth) goto error; tls->ssl_ctx = SSL_CTX_new(meth); if (!tls->ssl_ctx) goto error; SSL_CTX_set_default_verify_paths(tls->ssl_ctx); SSL_CTX_load_verify_locations(tls->ssl_ctx, tls->ca_file, tls->ca_directory); SSL_CTX_set_verify(tls->ssl_ctx, SSL_VERIFY_NONE, NULL); if (tls->client_certificate) { if (SSL_CTX_use_certificate_file(tls->ssl_ctx, tls->client_certificate, SSL_FILETYPE_PEM) != 1) goto error; if (SSL_CTX_use_PrivateKey_file(tls->ssl_ctx, tls->client_certificate, SSL_FILETYPE_PEM) != 1) goto error; } if (SSL_CTX_set_cipher_list(tls->ssl_ctx, tls->allowed_ciphers) <= 0) goto error; SSL_CTX_set_mode(tls->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE); SSL_CTX_set_mode(tls->ssl_ctx, SSL_MODE_AUTO_RETRY); tls->ssl = SSL_new(tls->ssl_ctx); if (!tls->ssl) goto error; if (!SSL_set_fd(tls->ssl, tls->socket)) goto error; SSL_set_tlsext_host_name(tls->ssl, tls->host); SSL_set_connect_state(tls->ssl); tls->ssl_ret = SSL_connect(tls->ssl); return SHOUTERR_SUCCESS; error: if (tls->ssl) SSL_free(tls->ssl); if (tls->ssl_ctx) SSL_CTX_free(tls->ssl_ctx); return SHOUTERR_UNSUPPORTED; }
const char *dbapi_lookup(const char *key) { long res = 1; SSL_CTX* ctx = NULL; BIO *web = NULL, *out = NULL; SSL *ssl = NULL; const SSL_METHOD* method; char *token, *tmpout, *buf; int hlen=0, len=0, maxlen=2048; (void)SSL_library_init(); SSL_load_error_strings(); OPENSSL_config(NULL); method = SSLv23_method(); if(method==NULL) return NULL; ctx = SSL_CTX_new(method); if(ctx==NULL) return NULL; SSL_CTX_set_verify_depth(ctx, 4); SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1| SSL_OP_NO_COMPRESSION); web = BIO_new_ssl_connect(ctx); if(web==NULL) return NULL; res = BIO_set_conn_hostname(web, DB_API_SERVER); if(res!=1) return NULL; BIO_get_ssl(web, &ssl); if(ssl==NULL) return NULL; res = SSL_set_cipher_list(ssl, SECURE_CIPHER_LIST); if(res!=1) return NULL; res = SSL_set_tlsext_host_name(ssl, DB_API_HOST); if(res!=1) return NULL; out = BIO_new_fp(stdout, BIO_NOCLOSE); if(NULL==out) return NULL; res = BIO_do_connect(web); if(res!=1) return NULL; res = BIO_do_handshake(web); if(res!=1) return NULL; len=(60+strlen(key)+strlen(DB_API_HOST)+strlen(DB_API_AUTH)); char *request=malloc(sizeof(char)*(len+1)); snprintf(request,len, "GET %s HTTP/1.1\nHost: %s\nx-api-key: %s\nConnection: close\n\n", key, DB_API_HOST, DB_API_AUTH); request[len]='\0'; BIO_puts(web, request); BIO_puts(out, "\n"); buf = malloc(sizeof(char)*maxlen); do { char buff[1536] = {}; len=BIO_read(web, buff, sizeof(buff)); hlen+=len; if(hlen<maxlen&&len>0) strncat(buf,buff,len); } while (len>0 || BIO_should_retry(web)); buf[maxlen]='\0'; tmpout = malloc(sizeof(char)*(HASH_MAXLENGTH+1)); token = strtok(buf, "\n"); while (token) { snprintf(tmpout,HASH_MAXLENGTH,"%s",token); token = strtok(NULL, "\n"); } tmpout[strlen(tmpout)]='\0'; free(buf); free(request); if(out) BIO_free(out); if(web != NULL) BIO_free_all(web); if(NULL != ctx) SSL_CTX_free(ctx); return tmpout; }
/* SSL SNI support: tell the servername we want to speak to */ static int set_server_name(SSL *ssl, const char *sn) { int rc = 0; #if defined(CONFIG_OPENSSL) /* api returns 1 for success */ rc = !SSL_set_tlsext_host_name(ssl, sn); #endif return rc; }
CAMLprim value ocaml_ssl_set_client_SNI_hostname(value socket, value vhostname) { CAMLparam2(socket, vhostname); SSL *ssl = SSL_val(socket); char *hostname = String_val(vhostname); caml_enter_blocking_section(); SSL_set_tlsext_host_name(ssl, hostname); caml_leave_blocking_section(); CAMLreturn(Val_unit); }
status ssl_connect(connection *c, char *host) { int r; SSL_set_fd(c->ssl, c->fd); SSL_set_tlsext_host_name(c->ssl, host); if ((r = SSL_connect(c->ssl)) != 1) { switch (SSL_get_error(c->ssl, r)) { case SSL_ERROR_WANT_READ: return RETRY; case SSL_ERROR_WANT_WRITE: return RETRY; default: return ERROR; } } return OK; }
void SecureSocketImpl::connectSSL(bool performHandshake) { poco_assert (!_pSSL); poco_assert (_pSocket->initialized()); BIO* pBIO = BIO_new(BIO_s_socket()); if (!pBIO) throw SSLException("Cannot create SSL BIO object"); BIO_set_fd(pBIO, static_cast<int>(_pSocket->sockfd()), BIO_NOCLOSE); _pSSL = SSL_new(_pContext->sslContext()); if (!_pSSL) { BIO_free(pBIO); throw SSLException("Cannot create SSL object"); } SSL_set_bio(_pSSL, pBIO, pBIO); #if OPENSSL_VERSION_NUMBER >= 0x0908060L && !defined(OPENSSL_NO_TLSEXT) if (!_peerHostName.empty()) { SSL_set_tlsext_host_name(_pSSL, _peerHostName.c_str()); } #endif if (_pSession) { SSL_set_session(_pSSL, _pSession->sslSession()); } try { if (performHandshake && _pSocket->getBlocking()) { int ret = SSL_connect(_pSSL); handleError(ret); verifyPeerCertificate(); } else { SSL_set_connect_state(_pSSL); _needHandshake = true; } } catch (...) { SSL_free(_pSSL); _pSSL = 0; throw; } }
void np_net_ssl_cleanup (){ if(s){ #ifdef SSL_set_tlsext_host_name SSL_set_tlsext_host_name(s, NULL); #endif SSL_shutdown (s); SSL_free (s); if(c) { SSL_CTX_free (c); c=NULL; } s=NULL; } }
static gboolean ssl_connected(gpointer data, gint source, b_input_condition cond) { struct scd *conn = data; if (conn->verify) { /* Right now we don't have any verification functionality for OpenSSL. */ conn->func(conn->data, 1, NULL, cond); if (source >= 0) { closesocket(source); } ssl_conn_free(conn); return FALSE; } if (source == -1) { goto ssl_connected_failure; } if (!initialized) { ssl_init(); } if (ssl_ctx == NULL) { goto ssl_connected_failure; } conn->ssl = SSL_new(ssl_ctx); if (conn->ssl == NULL) { goto ssl_connected_failure; } /* We can do at least the handshake with non-blocking I/O */ sock_make_nonblocking(conn->fd); SSL_set_fd(conn->ssl, conn->fd); if (conn->hostname && !g_ascii_isdigit(conn->hostname[0])) { SSL_set_tlsext_host_name(conn->ssl, conn->hostname); } return ssl_handshake(data, source, cond); ssl_connected_failure: conn->func(conn->data, 0, NULL, cond); ssl_disconnect(conn); return FALSE; }
static int client_setup_sni_after_state(void) { SSL_CTX *ctx; SSL *con = NULL; BIO *rbio; BIO *wbio; char *hostname = NULL; int ret = 0; /* use TLS_method to blur 'side' */ ctx = SSL_CTX_new(TLS_method()); if (!TEST_ptr(ctx)) goto end; con = SSL_new(ctx); if (!TEST_ptr(con)) goto end; rbio = BIO_new(BIO_s_mem()); wbio = BIO_new(BIO_s_mem()); if (!TEST_ptr(rbio)|| !TEST_ptr(wbio)) { BIO_free(rbio); BIO_free(wbio); goto end; } SSL_set_bio(con, rbio, wbio); SSL_set_connect_state(con); /* set SNI after 'client side' is set */ SSL_set_tlsext_host_name(con, host); if (!TEST_int_le(SSL_connect(con), 0)) /* This shouldn't succeed because we don't have a server! */ goto end; if (!TEST_true(get_sni_from_client_hello(wbio, &hostname))) /* no SNI in client hello */ goto end; if (!TEST_str_eq(hostname, host)) /* incorrect SNI value */ goto end; ret = 1; end: OPENSSL_free(hostname); SSL_free(con); SSL_CTX_free(ctx); return ret; }
int tls_connect(rdpTls* tls, BIO* underlying) { int options = 0; /** * SSL_OP_NO_COMPRESSION: * * The Microsoft RDP server does not advertise support * for TLS compression, but alternative servers may support it. * This was observed between early versions of the FreeRDP server * and the FreeRDP client, and caused major performance issues, * which is why we're disabling it. */ #ifdef SSL_OP_NO_COMPRESSION options |= SSL_OP_NO_COMPRESSION; #endif /** * SSL_OP_TLS_BLOCK_PADDING_BUG: * * The Microsoft RDP server does *not* support TLS padding. * It absolutely needs to be disabled otherwise it won't work. */ options |= SSL_OP_TLS_BLOCK_PADDING_BUG; /** * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS: * * Just like TLS padding, the Microsoft RDP server does not * support empty fragments. This needs to be disabled. */ options |= SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; /** * disable SSLv2 and SSLv3 */ options |= SSL_OP_NO_SSLv2; options |= SSL_OP_NO_SSLv3; if (!tls_prepare(tls, underlying, SSLv23_client_method(), options, TRUE)) return FALSE; #ifndef OPENSSL_NO_TLSEXT SSL_set_tlsext_host_name(tls->ssl, tls->hostname); #endif return tls_do_handshake(tls, TRUE); }
int pn_ssl_set_peer_hostname( pn_ssl_t *ssl, const char *hostname ) { if (!ssl) return -1; if (ssl->peer_hostname) free((void *)ssl->peer_hostname); ssl->peer_hostname = NULL; if (hostname) { ssl->peer_hostname = pn_strdup(hostname); if (!ssl->peer_hostname) return -2; #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME if (ssl->ssl && ssl->domain && ssl->domain->mode == PN_SSL_MODE_CLIENT) { SSL_set_tlsext_host_name(ssl->ssl, ssl->peer_hostname); } #endif } return 0; }
static VALUE ossl_ssl_setup(VALUE self) { VALUE io, v_ctx, cb; SSL_CTX *ctx; SSL *ssl; rb_io_t *fptr; Data_Get_Struct(self, SSL, ssl); if(!ssl){ #ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME VALUE hostname = rb_iv_get(self, "@hostname"); #endif v_ctx = ossl_ssl_get_ctx(self); Data_Get_Struct(v_ctx, SSL_CTX, ctx); ssl = SSL_new(ctx); if (!ssl) { ossl_raise(eSSLError, "SSL_new:"); } DATA_PTR(self) = ssl; #ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME if (!NIL_P(hostname)) { if (SSL_set_tlsext_host_name(ssl, StringValuePtr(hostname)) != 1) ossl_raise(eSSLError, "SSL_set_tlsext_host_name:"); } #endif io = ossl_ssl_get_io(self); GetOpenFile(io, fptr); rb_io_check_readable(fptr); rb_io_check_writable(fptr); SSL_set_fd(ssl, TO_SOCKET(FPTR_TO_FD(fptr))); SSL_set_ex_data(ssl, ossl_ssl_ex_ptr_idx, (void*)self); cb = ossl_sslctx_get_verify_cb(v_ctx); SSL_set_ex_data(ssl, ossl_ssl_ex_vcb_idx, (void*)cb); cb = ossl_sslctx_get_client_cert_cb(v_ctx); SSL_set_ex_data(ssl, ossl_ssl_ex_client_cert_cb_idx, (void*)cb); cb = ossl_sslctx_get_tmp_dh_cb(v_ctx); SSL_set_ex_data(ssl, ossl_ssl_ex_tmp_dh_callback_idx, (void*)cb); } return Qtrue; }
void SSLStream::serverNameIndication(const std::string &hostname) { // Older versions of OpenSSL don't support this (I'm looking at you, // Leopard); just ignore it then #ifdef SSL_set_tlsext_host_name std::lock_guard<std::mutex> lock(m_mutex); if (!SSL_set_tlsext_host_name(m_ssl.get(), hostname.c_str())) { if (!hasOpenSSLError()) return; std::string message = getOpenSSLErrorMessage(); MORDOR_LOG_ERROR(g_log) << this << " SSL_set_tlsext_host_name(" << m_ssl.get() << ", " << hostname.c_str() << "): " << message; MORDOR_THROW_EXCEPTION(OpenSSLException(message)) // << boost::errinfo_api_function("SSL_set_tlsext_host_name"); ; } #endif }