const SSL_METHOD * hb_ssl_method_id_to_ptr( int n ) { const SSL_METHOD * p; switch( n ) { #if OPENSSL_VERSION_NUMBER < 0x10000000L case HB_SSL_CTX_NEW_METHOD_SSLV2: p = SSLv2_method(); break; case HB_SSL_CTX_NEW_METHOD_SSLV2_SERVER: p = SSLv2_server_method(); break; case HB_SSL_CTX_NEW_METHOD_SSLV2_CLIENT: p = SSLv2_client_method(); break; #endif case HB_SSL_CTX_NEW_METHOD_SSLV3: p = SSLv3_method(); break; case HB_SSL_CTX_NEW_METHOD_SSLV3_SERVER: p = SSLv3_server_method(); break; case HB_SSL_CTX_NEW_METHOD_SSLV3_CLIENT: p = SSLv3_client_method(); break; case HB_SSL_CTX_NEW_METHOD_TLSV1: p = TLSv1_method(); break; case HB_SSL_CTX_NEW_METHOD_TLSV1_SERVER: p = TLSv1_server_method(); break; case HB_SSL_CTX_NEW_METHOD_TLSV1_CLIENT: p = TLSv1_client_method(); break; case HB_SSL_CTX_NEW_METHOD_SSLV23: p = SSLv23_method(); break; case HB_SSL_CTX_NEW_METHOD_SSLV23_SERVER: p = SSLv23_server_method(); break; case HB_SSL_CTX_NEW_METHOD_SSLV23_CLIENT: p = SSLv23_client_method(); break; default: p = SSLv23_method(); } return p; }
void ContextImpl::setProtocol(Protocol protocol) { bool v2 = false; switch(protocol) { case SSLv2: // SSLv2_method is not available everywhere (check OPENSSL_NO_SSL2) SSL_CTX_set_ssl_version(_ctx, SSLv23_method() ); v2 = true; break; case SSLv3or2: SSL_CTX_set_ssl_version( _ctx, SSLv23_method() ); v2 = true; break; default: case SSLv3: SSL_CTX_set_ssl_version( _ctx, SSLv3_method() ); break; case TLSv1: SSL_CTX_set_ssl_version( _ctx, TLSv1_method() ); break; } _protocol = protocol; const char* ciphers = v2 ? "ALL:!aNULL:!eNULL" : "ALL:!aNULL:!eNULL:!SSLv2"; SSL_CTX_set_cipher_list(_ctx, ciphers); }
bool SecureSocket::DoReinitialize() { SOCKET newSocket = ::socket(m_af, m_type, m_protocol); if (INVALID_SOCKET == newSocket) { return false; } #ifdef _MSC_VER SSL_METHOD* method = SSLv23_method(); #else SSL_METHOD* method = SSLv23_method(); #endif SSL_CTX* context = SSL_CTX_new(method); SSL* ssl = SSL_new(m_context); BIO* bio = BIO_new_socket(static_cast<int>(newSocket), BIO_NOCLOSE); SSL_set_bio(ssl, bio, bio); SetSocket(newSocket); SSL_free(m_ssl); SSL_CTX_free(m_context); m_method = method; m_context = context; m_ssl = ssl; m_bio = bio; return true; }
static const SSL_METHOD *swSSL_get_method(int method) { switch (method) { #ifndef OPENSSL_NO_SSL3_METHOD case SW_SSLv3_METHOD: return SSLv3_method(); case SW_SSLv3_SERVER_METHOD: return SSLv3_server_method(); case SW_SSLv3_CLIENT_METHOD: return SSLv3_client_method(); #endif case SW_SSLv23_SERVER_METHOD: return SSLv23_server_method(); case SW_SSLv23_CLIENT_METHOD: return SSLv23_client_method(); case SW_TLSv1_METHOD: return TLSv1_method(); case SW_TLSv1_SERVER_METHOD: return TLSv1_server_method(); case SW_TLSv1_CLIENT_METHOD: return TLSv1_client_method(); #ifdef TLS1_1_VERSION case SW_TLSv1_1_METHOD: return TLSv1_1_method(); case SW_TLSv1_1_SERVER_METHOD: return TLSv1_1_server_method(); case SW_TLSv1_1_CLIENT_METHOD: return TLSv1_1_client_method(); #endif #ifdef TLS1_2_VERSION case SW_TLSv1_2_METHOD: return TLSv1_2_method(); case SW_TLSv1_2_SERVER_METHOD: return TLSv1_2_server_method(); case SW_TLSv1_2_CLIENT_METHOD: return TLSv1_2_client_method(); #endif case SW_DTLSv1_METHOD: return DTLSv1_method(); case SW_DTLSv1_SERVER_METHOD: return DTLSv1_server_method(); case SW_DTLSv1_CLIENT_METHOD: return DTLSv1_client_method(); case SW_SSLv23_METHOD: default: return SSLv23_method(); } return SSLv23_method(); }
/** * Find the protocol. */ static LSEC_SSL_METHOD* str2method(const char *method) { if (!strcmp(method, "any")) return SSLv23_method(); if (!strcmp(method, "sslv23")) return SSLv23_method(); // deprecated #ifndef OPENSSL_NO_SSL3 if (!strcmp(method, "sslv3")) return SSLv3_method(); #endif if (!strcmp(method, "tlsv1")) return TLSv1_method(); #if (OPENSSL_VERSION_NUMBER >= 0x1000100fL) if (!strcmp(method, "tlsv1_1")) return TLSv1_1_method(); if (!strcmp(method, "tlsv1_2")) return TLSv1_2_method(); #endif return NULL; }
static int load_ssl_certificates(struct hub_info* hub, struct hub_config* config) { if (config->tls_enable) { hub->ssl_method = SSLv23_method(); /* TLSv1_method() */ hub->ssl_ctx = SSL_CTX_new(hub->ssl_method); /* Disable SSLv2 */ SSL_CTX_set_options(hub->ssl_ctx, SSL_OP_NO_SSLv2); if (SSL_CTX_use_certificate_file(hub->ssl_ctx, config->tls_certificate, SSL_FILETYPE_PEM) < 0) { LOG_ERROR("SSL_CTX_use_certificate_file: %s", ERR_error_string(ERR_get_error(), NULL)); } if (SSL_CTX_use_PrivateKey_file(hub->ssl_ctx, config->tls_private_key, SSL_FILETYPE_PEM) < 0) { LOG_ERROR("SSL_CTX_use_PrivateKey_file: %s", ERR_error_string(ERR_get_error(), NULL)); } if (SSL_CTX_check_private_key(hub->ssl_ctx) != 1) { LOG_FATAL("SSL_CTX_check_private_key: Private key does not match the certificate public key: %s", ERR_error_string(ERR_get_error(), NULL)); return 0; } LOG_INFO("Enabling TLS, using certificate: %s, private key: %s", config->tls_certificate, config->tls_private_key); } return 1; }
/* * initialize ssl methods */ static void init_ssl_methods(void) { LM_DBG("entered\n"); #ifndef OPENSSL_NO_SSL2 ssl_methods[TLS_USE_SSLv2_cli - 1] = (SSL_METHOD*)SSLv2_client_method(); ssl_methods[TLS_USE_SSLv2_srv - 1] = (SSL_METHOD*)SSLv2_server_method(); ssl_methods[TLS_USE_SSLv2 - 1] = (SSL_METHOD*)SSLv2_method(); #endif ssl_methods[TLS_USE_SSLv3_cli - 1] = (SSL_METHOD*)SSLv3_client_method(); ssl_methods[TLS_USE_SSLv3_srv - 1] = (SSL_METHOD*)SSLv3_server_method(); ssl_methods[TLS_USE_SSLv3 - 1] = (SSL_METHOD*)SSLv3_method(); ssl_methods[TLS_USE_TLSv1_cli - 1] = (SSL_METHOD*)TLSv1_client_method(); ssl_methods[TLS_USE_TLSv1_srv - 1] = (SSL_METHOD*)TLSv1_server_method(); ssl_methods[TLS_USE_TLSv1 - 1] = (SSL_METHOD*)TLSv1_method(); ssl_methods[TLS_USE_SSLv23_cli - 1] = (SSL_METHOD*)SSLv23_client_method(); ssl_methods[TLS_USE_SSLv23_srv - 1] = (SSL_METHOD*)SSLv23_server_method(); ssl_methods[TLS_USE_SSLv23 - 1] = (SSL_METHOD*)SSLv23_method(); #if OPENSSL_VERSION_NUMBER >= 0x10001000L ssl_methods[TLS_USE_TLSv1_2_cli - 1] = (SSL_METHOD*)TLSv1_2_client_method(); ssl_methods[TLS_USE_TLSv1_2_srv - 1] = (SSL_METHOD*)TLSv1_2_server_method(); ssl_methods[TLS_USE_TLSv1_2 - 1] = (SSL_METHOD*)TLSv1_2_method(); #endif }
status_t SSLConnection::Connect(const char* server, uint32 port) { if (fSSL != NULL) Disconnect(); if (gInitSSL.InitCheck() != B_OK) return B_ERROR; status_t status = SocketConnection::Connect(server, port); if (status != B_OK) return status; fCTX = SSL_CTX_new(SSLv23_method()); fSSL = SSL_new(fCTX); fBIO = BIO_new_socket(fSocket, BIO_NOCLOSE); SSL_set_bio(fSSL, fBIO, fBIO); if (SSL_connect(fSSL) <= 0) { TRACE("SSLConnection can't connect\n"); SocketConnection::Disconnect(); return B_ERROR; } TRACE("SSLConnection connected\n"); return B_OK; }
int CSSLContext::AddContext(int iVerifyMode, LPCTSTR lpszPemCertFile, LPCTSTR lpszPemKeyFile, LPCTSTR lpszKeyPasswod, LPCTSTR lpszCAPemCertFileOrPath) { int iIndex = -1; SSL_CTX* sslCtx = SSL_CTX_new(SSLv23_method()); SSL_CTX_set_quiet_shutdown(sslCtx, 1); SSL_CTX_set_verify(sslCtx, iVerifyMode, nullptr); SSL_CTX_set_cipher_list(sslCtx, "ALL:!aNULL:!eNULL"); if(m_enSessionMode == SSL_SM_SERVER) { static volatile ULONG s_session_id_context = 0; ULONG session_id_context = ::InterlockedIncrement(&s_session_id_context); SSL_CTX_set_session_id_context(sslCtx, (BYTE*)&session_id_context, sizeof(session_id_context)); } if(!LoadCertAndKey(sslCtx, iVerifyMode, lpszPemCertFile, lpszPemKeyFile, lpszKeyPasswod, lpszCAPemCertFileOrPath)) SSL_CTX_free(sslCtx); else { iIndex = (int)m_lsSslCtxs.size(); m_lsSslCtxs.push_back(sslCtx); } return iIndex; }
int main(int argc, char *argv[]) { BIO *bio_err = NULL; SSL_library_init(); SSL_load_error_strings(); ERR_load_crypto_strings(); /* error write context */ bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); const SSL_METHOD *meth = SSLv23_method(); SSL_CTX *ctx = SSL_CTX_new(meth); /***/ BIO_free(bio_err); ERR_free_strings(); ERR_remove_state(0); ENGINE_cleanup(); CONF_modules_free(); EVP_cleanup(); CRYPTO_cleanup_all_ex_data(); return 0; }
SSL_CTX * initialize_ctx(char ask_compression) { const SSL_METHOD *meth = NULL; SSL_CTX *ctx = NULL; if (!bio_err) { SSL_library_init(); SSL_load_error_strings(); ERR_load_crypto_strings(); /* error write context */ bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); } /* create context */ meth = SSLv23_method(); ctx = SSL_CTX_new(meth); #ifdef SSL_OP_NO_COMPRESSION if (!ask_compression) SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION); #endif return ctx; }
bool SecureSocket::Initialize(SOCKET s, const char* ceritificateFileName, const char* password) { m_method = SSLv23_method(); m_context = SSL_CTX_new(m_method); int status = SSL_CTX_use_certificate_file(m_context, ceritificateFileName, SSL_FILETYPE_PEM); if (!status) { return false; } SSL_CTX_set_default_passwd_cb_userdata(m_context, const_cast<char*>(password)); SSL_CTX_set_default_passwd_cb(m_context, Password); status = SSL_CTX_use_PrivateKey_file(m_context, ceritificateFileName, SSL_FILETYPE_PEM); if(!status) { return false; } m_ssl = SSL_new(m_context); m_bio = BIO_new_socket(static_cast<int>(s), BIO_NOCLOSE); SSL_set_bio(m_ssl, m_bio, m_bio); m_socket = s; m_isAccepting = true; u_long opt = 1; ::ioctlsocket(s, FIONBIO, &opt); return true; }
int ipfix_ssl_setup_server_ctx( SSL_CTX **ssl_ctx, SSL_METHOD *method, ipfix_ssl_opts_t *ssl_details ) { SSL_CTX *ctx; if ( ipfix_ssl_setup_ctx( &ctx, method?method:SSLv23_method(), ssl_details ) <0 ) { return -1; } SSL_CTX_set_verify( ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, ipfix_ssl_verify_callback ); SSL_CTX_set_verify_depth( ctx, 4 ); SSL_CTX_set_options( ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_SINGLE_DH_USE); if (!dh512 || !dh1024) { init_dhparams(); } SSL_CTX_set_tmp_dh_callback( ctx, ipfix_ssl_tmp_dh_callback ); if (SSL_CTX_set_cipher_list( ctx, CIPHER_LIST) != 1) { mlogf( 0, "[ipfix] error setting cipher list (no valid ciphers)"); goto err; } *ssl_ctx = ctx; return 0; err: SSL_CTX_free( ctx ); return -1; }
int ipfix_ssl_setup_client_ctx( SSL_CTX **ssl_ctx, SSL_METHOD *method, ipfix_ssl_opts_t *ssl_details ) { SSL_CTX *ctx; if ( ipfix_ssl_setup_ctx( &ctx, method?method:SSLv23_method(), ssl_details ) <0 ) return -1; SSL_CTX_set_verify( ctx, SSL_VERIFY_PEER, ipfix_ssl_verify_callback); SSL_CTX_set_verify_depth( ctx, 4); SSL_CTX_set_options( ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2); if (SSL_CTX_set_cipher_list( ctx, CIPHER_LIST) != 1) { mlogf( 0, "[ipfix] Error setting cipher list (no valid ciphers)"); goto err; } *ssl_ctx = ctx; return 0; err: SSL_CTX_free( ctx ); return -1; }
int evt_ctx_init(evt_ctx_t *tls) { tls_begin(); //Currently we support only TLS, No DTLS tls->ctx = SSL_CTX_new(SSLv23_method()); if(!tls->ctx) { return ENOMEM; } long options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; SSL_CTX_set_options(tls->ctx, options); SSL_CTX_set_mode(tls->ctx, SSL_MODE_AUTO_RETRY | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_RELEASE_BUFFERS ); tls->cert_set = 0; tls->key_set = 0; tls->ssl_err_ = 0; tls->writer = NULL; QUEUE_INIT(&(tls->live_con)); return 0; }
/* sqSetupSSL: Common SSL setup tasks */ sqInt sqSetupSSL(sqSSL *ssl, int server) { /* Fixme. Needs to use specified version */ if(ssl->loglevel) printf("sqSetupSSL: setting method\n"); ssl->method = SSLv23_method(); if(ssl->loglevel) printf("sqSetupSSL: Creating context\n"); ssl->ctx = SSL_CTX_new(ssl->method); if(!ssl->ctx) ERR_print_errors_fp(stdout); if(ssl->loglevel) printf("sqSetupSSL: setting cipher list\n"); SSL_CTX_set_cipher_list(ssl->ctx, "!ADH:HIGH:MEDIUM:@STRENGTH"); /* if a cert is provided, use it */ if(ssl->certName) { if(ssl->loglevel) printf("sqSetupSSL: Using cert file %s\n", ssl->certName); if(SSL_CTX_use_certificate_file(ssl->ctx, ssl->certName, SSL_FILETYPE_PEM)<=0) ERR_print_errors_fp(stderr); if(SSL_CTX_use_PrivateKey_file(ssl->ctx, ssl->certName, SSL_FILETYPE_PEM)<=0) ERR_print_errors_fp(stderr); } /* Set up trusted CA */ if(ssl->loglevel) printf("sqSetupSSL: No root CA given; using default verify paths\n"); if(SSL_CTX_set_default_verify_paths(ssl->ctx) <=0) ERR_print_errors_fp(stderr); if(ssl->loglevel) printf("sqSetupSSL: Creating SSL\n"); ssl->ssl = SSL_new(ssl->ctx); if(ssl->loglevel) printf("sqSetupSSL: setting bios\n"); SSL_set_bio(ssl->ssl, ssl->bioRead, ssl->bioWrite); return 1; }
static int ssl_setup(gitno_socket *socket, const char *host, int flags) { int ret; SSL_library_init(); SSL_load_error_strings(); socket->ssl.ctx = SSL_CTX_new(SSLv23_method()); if (socket->ssl.ctx == NULL) return ssl_set_error(&socket->ssl, 0); SSL_CTX_set_mode(socket->ssl.ctx, SSL_MODE_AUTO_RETRY); SSL_CTX_set_verify(socket->ssl.ctx, SSL_VERIFY_NONE, NULL); if (!SSL_CTX_set_default_verify_paths(socket->ssl.ctx)) return ssl_set_error(&socket->ssl, 0); socket->ssl.ssl = SSL_new(socket->ssl.ctx); if (socket->ssl.ssl == NULL) return ssl_set_error(&socket->ssl, 0); if((ret = SSL_set_fd(socket->ssl.ssl, socket->socket)) == 0) return ssl_set_error(&socket->ssl, ret); if ((ret = SSL_connect(socket->ssl.ssl)) <= 0) return ssl_set_error(&socket->ssl, ret); if (GITNO_CONNECT_SSL_NO_CHECK_CERT & flags) return 0; return verify_server_cert(&socket->ssl, host); }
int ssl_ctx_init() { config.dstsslctx = SSL_CTX_new(SSLv23_method()); if (!config.dstsslctx) { return 1; } SSL_CTX_set_options(config.dstsslctx, SSL_OP_ALL); #ifdef SSL_OP_TLS_ROLLBACK_BUG SSL_CTX_set_options(config.dstsslctx, SSL_OP_TLS_ROLLBACK_BUG); #endif /* SSL_OP_TLS_ROLLBACK_BUG */ #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION SSL_CTX_set_options(config.dstsslctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION); #endif /* SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION */ #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS SSL_CTX_set_options(config.dstsslctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS); #endif /* SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS */ #ifdef SSL_OP_NO_TICKET SSL_CTX_set_options(config.dstsslctx, SSL_OP_NO_TICKET); #endif /* SSL_OP_NO_TICKET */ #ifdef DISABLE_SSLV2_CLIENT SSL_CTX_set_options(config.dstsslctx, SSL_OP_NO_SSLv2); #endif /* DISABLE_SSLV2_CLIENT */ SSL_CTX_set_verify(config.dstsslctx, SSL_VERIFY_NONE, NULL); return 0; }
TLSInfo init_tls(char* keyfile, char* password) { TLSInfo tls = (TLSInfo)reserve(sizeof(struct tls_struct) + strlen(password) + 1); if (!tls) return tls; tls->pass_len = strlen(password) + 1; memcpy(tls->password,password,tls->pass_len); SSL_library_init(); SSL_load_error_strings(); tls->err = BIO_new_fp(stderr,BIO_NOCLOSE); tls->method = SSLv23_method(); tls->ctx = SSL_CTX_new(tls->method); if (!SSL_CTX_load_verify_locations(tls->ctx,"server.pem",NULL)) { error("Failed to use certificate chain file certs.pem"); return NULL; } if (!SSL_CTX_use_certificate_file(tls->ctx,keyfile,SSL_FILETYPE_PEM)) { error("Failed to use certificate chain file %c\n",keyfile); return NULL; } SSL_CTX_set_default_passwd_cb(tls->ctx,password_callback); SSL_CTX_set_default_passwd_cb_userdata(tls->ctx,tls); if(!SSL_CTX_use_PrivateKey_file(tls->ctx,keyfile,SSL_FILETYPE_PEM)) { error("Failed to use private key file %c\n",keyfile); return NULL; } return tls; }
SSL_CTX *init_ssl_ctx(){ //Allow ssl3, tls1, 1.1 or 1.2 const SSL_METHOD* method = SSLv23_method(); if(method == NULL){goto err;} ctx = SSL_CTX_new(method); if(ctx == NULL){goto err;} //Disable ssl2, ssl3 and forbid compression, ssl2 should already be disabled //but there's no harm in making sure const long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION; SSL_CTX_set_options(ctx, flags);//can't fail //make sure that we actually verify the certificate //this uses the default verification prodecure (thus the NULL) SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); //Load the CA certificates file if(SSL_CTX_load_verify_locations(ctx, certificates_location, NULL) == 0){ goto err; } if(SSL_CTX_set_cipher_list(ctx, prefered_ciphers) == 0){ goto err; } return ctx; err: print_errors();//this might not actually print anything //There's no function to explicitly free an SSL_METHOD, I'm assuming they're //probably static anyway and we just get a pointer. SSL_CTX_free(ctx); return NULL; }
SSL_CTX * evssl_init(void) { SSL_CTX *server_ctx; server_ctx = SSL_CTX_new(SSLv23_method()); /* Load the certificate file. This is not needed now */ /*! SSL_CTX_use_certificate_chain_file(server_ctx, "cert") ||*/ if ((serv_opts.key_path != NULL && serv_opts.cert_path != NULL) && (!SSL_CTX_use_certificate_chain_file(server_ctx, serv_opts.cert_path) || !SSL_CTX_use_PrivateKey_file(server_ctx, serv_opts.key_path, SSL_FILETYPE_PEM))) { log_info("Couldn't read 'pkey' or 'cert' file. To generate a key"); log_info("and self-signed certificate, run:"); log_info(" openssl genrsa -out pkey 2048"); log_info(" openssl req -new -key pkey -out cert.req"); log_info(" openssl x509 -req -days 365 -in cert.req -signkey pkey -out cert"); return NULL; } //SSL_CTX_set_cert_verify_callback(server_ctx, server_verify_cert, NULL); SSL_CTX_set_verify(server_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, server_preverify_cert); return server_ctx; }
static SSL_CTX * get_ssl_ctx(void) { if (the_ssl_ctx) return the_ssl_ctx; return (the_ssl_ctx = SSL_CTX_new(SSLv23_method())); }
bool SSLSocketServer::SSL_Init(){ int nLockCt = CRYPTO_num_locks(); InitializeCryptoLocks(nLockCt); #ifdef _DEBUG CRYPTO_malloc_debug_init(); CRYPTO_dbg_set_options (V_CRYPTO_MDEBUG_ALL); CRYPTO_mem_ctrl (CRYPTO_MEM_CHECK_ON); #endif CRYPTO_set_locking_callback (&ssl_lock_callback); CRYPTO_set_dynlock_create_callback (&ssl_lock_dyn_create_callback); CRYPTO_set_dynlock_lock_callback (&ssl_lock_dyn_callback); CRYPTO_set_dynlock_destroy_callback (&ssl_lock_dyn_destroy_callback); SSL_load_error_strings (); SSL_library_init (); // Initialize and verify SSL context. {{ const SSL_METHOD* meth = SSLv23_method(); m_pssl_ctx = SSL_CTX_new(meth); SSL_CTX_set_verify(m_pssl_ctx, SSL_VERIFY_NONE, nullptr); // }} ::InitializeCriticalSection(&m_lock_connect_ex); return true; }
// SSL握手前的环境准备 SSL_CTX *get_ssl_ctx(const char *cert_file, const char *key_file){ if(NULL == ev_ssl){ return NULL; } if (ev_ssl->ctx != NULL){ return ev_ssl->ctx; } ev_ssl->ctx = SSL_CTX_new(SSLv23_method()); if (NULL == ev_ssl->ctx){ return NULL; } if (SSL_CTX_use_certificate_file(ev_ssl->ctx, cert_file, SSL_FILETYPE_PEM) < 0) { SSL_CTX_free(ev_ssl->ctx); return NULL; } if (SSL_CTX_use_PrivateKey_file(ev_ssl->ctx, key_file, SSL_FILETYPE_PEM) < 0) { SSL_CTX_free(ev_ssl->ctx); return NULL; } if (!SSL_CTX_check_private_key(ev_ssl->ctx)){ return NULL; } return ev_ssl->ctx; }
/** * Find the protocol. */ static SSL_METHOD* str2method(const char *method) { if (!strcmp(method, "sslv3")) return SSLv3_method(); if (!strcmp(method, "tlsv1")) return TLSv1_method(); if (!strcmp(method, "sslv23")) return SSLv23_method(); return NULL; }
SSL_CTX* EdSSLContext::buildCtx(int ver) { SSL_CTX *pctx; const SSL_METHOD *method; switch (ver) { case SSL_VER_TLSV1: method = TLSv1_method(); break; case SSL_VER_TLSV11: method = TLSv1_1_method(); break; case SSL_VER_V23: method = SSLv23_method(); break; case SSL_VER_V3: method = SSLv3_method(); break; case SSL_VER_DTLSV1: method = DTLSv1_method(); break; default: method = NULL; break; } if (method == NULL) return NULL; pctx = SSL_CTX_new(method); return pctx; }
apisock *api_connect_ssl(){ apisock *ret; SSL *ssl; int sock; sock=connect_socket(API_HOST, API_PORT_SSL); if (sock==-1) return NULL; if (!globalctx){ SSL_library_init(); OpenSSL_add_all_algorithms(); OpenSSL_add_all_ciphers(); SSL_load_error_strings(); globalctx=SSL_CTX_new(SSLv23_method()); if (!globalctx) return NULL; } ssl=SSL_new(globalctx); if (!ssl){ close(sock); return NULL; } SSL_set_fd(ssl, sock); if (SSL_connect(ssl)!=1){ SSL_free(ssl); close(sock); return NULL; } ret=(apisock *)malloc(sizeof(apisock)); ret->sock=sock; ret->ssl=ssl; return ret; }
status_t BSecureSocket::Connect(const BNetworkAddress& peer, bigtime_t timeout) { if (fPrivate == NULL) { fPrivate = (BSecureSocket::Private*)calloc(1, sizeof(BSecureSocket::Private)); if (fPrivate == NULL) return B_NO_MEMORY; } status_t status = BSocket::Connect(peer, timeout); if (status != B_OK) return status; fPrivate->fCTX = SSL_CTX_new(SSLv23_method()); fPrivate->fSSL = SSL_new(fPrivate->fCTX); fPrivate->fBIO = BIO_new_socket(fSocket, BIO_NOCLOSE); SSL_set_bio(fPrivate->fSSL, fPrivate->fBIO, fPrivate->fBIO); if (SSL_connect(fPrivate->fSSL) <= 0) { TRACE("SSLConnection can't connect\n"); BSocket::Disconnect(); // TODO: translate ssl to Haiku error return B_ERROR; } return B_OK; }
int git_openssl_stream_global_init(void) { #ifdef GIT_OPENSSL long ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; /* Older OpenSSL and MacOS OpenSSL doesn't have this */ #ifdef SSL_OP_NO_COMPRESSION ssl_opts |= SSL_OP_NO_COMPRESSION; #endif SSL_load_error_strings(); OpenSSL_add_ssl_algorithms(); /* * Load SSLv{2,3} and TLSv1 so that we can talk with servers * which use the SSL hellos, which are often used for * compatibility. We then disable SSL so we only allow OpenSSL * to speak TLSv1 to perform the encryption itself. */ git__ssl_ctx = SSL_CTX_new(SSLv23_method()); SSL_CTX_set_options(git__ssl_ctx, ssl_opts); SSL_CTX_set_mode(git__ssl_ctx, SSL_MODE_AUTO_RETRY); SSL_CTX_set_verify(git__ssl_ctx, SSL_VERIFY_NONE, NULL); if (!SSL_CTX_set_default_verify_paths(git__ssl_ctx)) { SSL_CTX_free(git__ssl_ctx); git__ssl_ctx = NULL; return -1; } #endif git__on_shutdown(shutdown_ssl); return 0; }
static int ssl_setup(git_transport *t, const char *host) { int ret; SSL_library_init(); SSL_load_error_strings(); t->ssl.ctx = SSL_CTX_new(SSLv23_method()); if (t->ssl.ctx == NULL) return ssl_set_error(&t->ssl, 0); SSL_CTX_set_mode(t->ssl.ctx, SSL_MODE_AUTO_RETRY); SSL_CTX_set_verify(t->ssl.ctx, SSL_VERIFY_PEER, NULL); if (!SSL_CTX_set_default_verify_paths(t->ssl.ctx)) return ssl_set_error(&t->ssl, 0); t->ssl.ssl = SSL_new(t->ssl.ctx); if (t->ssl.ssl == NULL) return ssl_set_error(&t->ssl, 0); if((ret = SSL_set_fd(t->ssl.ssl, t->socket)) == 0) return ssl_set_error(&t->ssl, ret); if ((ret = SSL_connect(t->ssl.ssl)) <= 0) return ssl_set_error(&t->ssl, ret); if (t->check_cert && verify_server_cert(t, host) < 0) return -1; return 0; }