Example #1
/**
 * Initializes an SSL connection for server use.
 * @param pemfile Filename for the key/cert file
 * @return An SSL connection, or NULL if an error occurred.
 */
ssl_server_connection *init_ssl_server(char *pemfile, char *clientpemfile) {
        /*
         * Sets up the server-side SSL context step by step. Every failing
         * step logs the reason and jumps to the shared cleanup label, so the
         * caller gets either a fully configured connection or NULL.
         *
         * pemfile is loaded twice below: once as the certificate chain and
         * once as the PEM private key. clientpemfile is only handed to
         * new_ssl_server_connection() here.
         */
        int rc;

        ASSERT(pemfile);
        if (!ssl_initialized) {
                start_ssl();
        }
        ssl_server_connection *ssl_server = new_ssl_server_connection(pemfile, clientpemfile);

        /* Version-flexible method; the protocol floor is set by SSL_CTX_set_options() further down */
        ssl_server->method = SSLv23_server_method();
        if (ssl_server->method == NULL) {
                LogError("Cannot initialize the SSL method -- %s\n", SSLERROR);
                goto sslerror;
        }

        ssl_server->ctx = SSL_CTX_new(ssl_server->method);
        if (ssl_server->ctx == NULL) {
                LogError("Cannot initialize SSL server certificate handler -- %s\n", SSLERROR);
                goto sslerror;
        }

        /* Certificate chain and private key both come from the same PEM file */
        rc = SSL_CTX_use_certificate_chain_file(ssl_server->ctx, pemfile);
        if (rc != 1) {
                LogError("Cannot initialize SSL server certificate -- %s\n", SSLERROR);
                goto sslerror;
        }
        rc = SSL_CTX_use_PrivateKey_file(ssl_server->ctx, pemfile, SSL_FILETYPE_PEM);
        if (rc != 1) {
                LogError("Cannot initialize SSL server private key -- %s\n", SSLERROR);
                goto sslerror;
        }

        /* Refuse to start with a key that does not belong to the loaded certificate */
        rc = SSL_CTX_check_private_key(ssl_server->ctx);
        if (rc != 1) {
                LogError("The private key doesn't match the certificate public key -- %s\n", SSLERROR);
                goto sslerror;
        }

        /* A cipher string that selects nothing is treated as a hard error */
        rc = SSL_CTX_set_cipher_list(ssl_server->ctx, CIPHER_LIST);
        if (rc != 1) {
                LogError("Error setting cipher list '%s' (no valid ciphers)\n", CIPHER_LIST);
                goto sslerror;
        }

        /*
         * Reject the legacy SSLv2 and SSLv3 protocols.
         * NOTE(review): no TLS version is excluded by these flags, so early
         * TLS versions stay negotiable unless restricted elsewhere -- confirm
         * against the deployment's protocol policy.
         */
        SSL_CTX_set_options(ssl_server->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);

        /* No server-side session cache */
        SSL_CTX_set_session_cache_mode(ssl_server->ctx, SSL_SESS_CACHE_OFF);

        /*
         * verify_init() is defined elsewhere; it is required here to force
         * transmission of client certs.
         */
        if (!verify_init(ssl_server)) {
                LogError("Verification engine was not properly initialized -- %s\n", SSLERROR);
                goto sslerror;
        }

        /* Informational only: report the size of the context's client CA name list */
        if (ssl_server->clientpemfile) {
                STACK_OF(X509_NAME) *client_cas = SSL_CTX_get_client_CA_list(ssl_server->ctx);
                LogInfo("Found %d client certificates\n", sk_X509_NAME_num(client_cas));
        }

        return ssl_server;

sslerror:
        /* Single cleanup path for every failure above */
        delete_ssl_server_socket(ssl_server);
        return NULL;
}
Example #2
/**
 * Initializes an SSL connection for server use.
 * @param pemfile Filename for the key/cert file
 * @return An SSL connection, or NULL if an error occurred.
 */
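ssl_server_connection *init_ssl_server(char *pemfile, char *clientpemfile) {
  /*
   * Sets up the server-side SSL context. Every failing step logs the reason
   * and jumps to the shared cleanup label, so the caller gets either a
   * configured connection or NULL.
   *
   * pemfile is loaded both as the certificate chain and as the PEM private
   * key. clientpemfile is only handed to new_ssl_server_connection() here.
   */
  SSL_METHOD *server_method = NULL;
  ssl_server_connection *ssl_server;

  ASSERT(pemfile);

  if (!ssl_initialized)
    start_ssl();

  ssl_server = new_ssl_server_connection(pemfile, clientpemfile);

  /*
   * In a FIPS build running in FIPS mode only the TLSv1 method is used;
   * otherwise the version-flexible method is chosen and the protocol floor
   * is enforced with SSL_CTX_set_options() below.
   */
#ifdef OPENSSL_FIPS
  if (FIPS_mode())
    server_method = TLSv1_server_method();
  else
#endif
    server_method = SSLv23_server_method();
  if (!(ssl_server->method = server_method)) {
    LogError("%s: Cannot initialize the SSL method -- %s\n", prog, SSLERROR);
    goto sslerror;
  }

  if (!(ssl_server->ctx = SSL_CTX_new(ssl_server->method))) {
    LogError("%s: Cannot initialize SSL server certificate handler -- %s\n", prog, SSLERROR);
    goto sslerror;
  }

  /* Certificate chain and private key both come from the same PEM file */
  if (SSL_CTX_use_certificate_chain_file(ssl_server->ctx, pemfile) != 1) {
    LogError("%s: Cannot initialize SSL server certificate -- %s\n", prog, SSLERROR);
    goto sslerror;
  }

  if (SSL_CTX_use_PrivateKey_file(ssl_server->ctx, pemfile, SSL_FILETYPE_PEM) != 1) {
    LogError("%s: Cannot initialize SSL server private key -- %s\n", prog, SSLERROR);
    goto sslerror;
  }

  /* Refuse to start with a key that does not belong to the loaded certificate */
  if (SSL_CTX_check_private_key(ssl_server->ctx) != 1) {
    LogError("%s: The private key doesn't match the certificate public key -- %s\n", prog, SSLERROR);
    goto sslerror;
  }

  /*
   * Disable SSLv2 and SSLv3. Without these flags the version-flexible method
   * selected above would still accept both legacy protocols, which have
   * known protocol-level weaknesses.
   * NOTE(review): no cipher list is set in this function, so the library
   * default applies unless verify_init() or other code restricts it --
   * confirm that default is acceptable.
   */
  SSL_CTX_set_options(ssl_server->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);

  /* Disable session cache */
  SSL_CTX_set_session_cache_mode(ssl_server->ctx, SSL_SESS_CACHE_OFF);

  /*
   * We need this to force transmission of client certs
   * (verify_init() is defined elsewhere).
   */
  if (!verify_init(ssl_server)) {
    LogError("%s: Verification engine was not properly initialized -- %s\n", prog, SSLERROR);
    goto sslerror;
  }

  /* Informational only: report the size of the context's client CA name list */
  if (ssl_server->clientpemfile) {
    STACK_OF(X509_NAME) *stack = SSL_CTX_get_client_CA_list(ssl_server->ctx);
    LogInfo("%s: Found %d client certificates\n", prog, sk_X509_NAME_num(stack));
  }

  return ssl_server;

sslerror:
  /* Single cleanup path for every failure above */
  delete_ssl_server_socket(ssl_server);
  return NULL;
}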