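/**
 * Initializes an SSL context for server use.
 *
 * The returned object owns an SSL_CTX loaded with the server certificate
 * chain and private key from @p pemfile, restricted to CIPHER_LIST, with
 * SSLv2/SSLv3 disabled and session caching turned off. Client certificate
 * handling is set up by verify_init().
 *
 * @param pemfile       Filename of the PEM file holding the server
 *                      certificate chain and the matching private key
 *                      (must not be NULL).
 * @param clientpemfile Filename passed through to the server connection for
 *                      client certificate verification, or NULL.
 * @return An ssl connection, or NULL if an error occured. On error every
 *         partially initialized resource is released via
 *         delete_ssl_server_socket().
 */
ssl_server_connection *init_ssl_server(char *pemfile, char *clientpemfile) {
        ASSERT(pemfile);
        if (!ssl_initialized)
                start_ssl();
        ssl_server_connection *ssl_server = new_ssl_server_connection(pemfile, clientpemfile);
        if (!ssl_server) {
                // Nothing has been allocated on our side yet, so there is nothing to release
                return NULL;
        }
        if (!(ssl_server->method = SSLv23_server_method())) {
                LogError("Cannot initialize the SSL method -- %s\n", SSLERROR);
                goto sslerror;
        }
        if (!(ssl_server->ctx = SSL_CTX_new(ssl_server->method))) {
                LogError("Cannot initialize SSL server certificate handler -- %s\n", SSLERROR);
                goto sslerror;
        }
        if (SSL_CTX_use_certificate_chain_file(ssl_server->ctx, pemfile) != 1) {
                LogError("Cannot initialize SSL server certificate -- %s\n", SSLERROR);
                goto sslerror;
        }
        if (SSL_CTX_use_PrivateKey_file(ssl_server->ctx, pemfile, SSL_FILETYPE_PEM) != 1) {
                LogError("Cannot initialize SSL server private key -- %s\n", SSLERROR);
                goto sslerror;
        }
        // Catch a certificate/key mismatch here rather than at the first handshake
        if (SSL_CTX_check_private_key(ssl_server->ctx) != 1) {
                LogError("The private key doesn't match the certificate public key -- %s\n", SSLERROR);
                goto sslerror;
        }
        if (SSL_CTX_set_cipher_list(ssl_server->ctx, CIPHER_LIST) != 1) {
                LogError("Error setting cipher list '%s' (no valid ciphers)\n", CIPHER_LIST);
                goto sslerror;
        }
        // SSLv23_server_method() negotiates any protocol the library supports, so
        // explicitly disable SSLv2 and SSLv3 for security reasons. Where the OpenSSL
        // build provides them, also disable TLS-level compression (CRIME-class
        // plaintext recovery) and make the server's CIPHER_LIST ordering win over
        // the client's preference, otherwise setting the list above only filters.
        long options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
#ifdef SSL_OP_NO_COMPRESSION
        options |= SSL_OP_NO_COMPRESSION;
#endif
#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
        options |= SSL_OP_CIPHER_SERVER_PREFERENCE;
#endif
        SSL_CTX_set_options(ssl_server->ctx, options);
        // Disable session cache
        SSL_CTX_set_session_cache_mode(ssl_server->ctx, SSL_SESS_CACHE_OFF);
        /*
         * We need this to force transmission of client certs
         */
        if (!verify_init(ssl_server)) {
                LogError("Verification engine was not properly initialized -- %s\n", SSLERROR);
                goto sslerror;
        }
        if (ssl_server->clientpemfile) {
                // The count reported here is the number of CA names that will be sent
                // to clients in the CertificateRequest, as loaded by verify_init().
                // sk_X509_NAME_num() tolerates a NULL stack (it returns -1).
                STACK_OF(X509_NAME) *stack = SSL_CTX_get_client_CA_list(ssl_server->ctx);
                LogInfo("Found %d client certificates\n", sk_X509_NAME_num(stack));
        }
        return ssl_server;
sslerror:
        delete_ssl_server_socket(ssl_server);
        return NULL;
}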
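/**
 * Initializes an SSL context for server use.
 *
 * The returned object owns an SSL_CTX loaded with the server certificate
 * chain and private key from @p pemfile, with SSLv2/SSLv3 disabled and
 * session caching turned off. In a FIPS-enabled build running in FIPS mode
 * the context is restricted to TLSv1. Client certificate handling is set up
 * by verify_init().
 *
 * @param pemfile       Filename of the PEM file holding the server
 *                      certificate chain and the matching private key
 *                      (must not be NULL).
 * @param clientpemfile Filename passed through to the server connection for
 *                      client certificate verification, or NULL.
 * @return An ssl connection, or NULL if an error occured. On error every
 *         partially initialized resource is released via
 *         delete_ssl_server_socket().
 */
ssl_server_connection *init_ssl_server(char *pemfile, char *clientpemfile) {
        SSL_METHOD *server_method = NULL;
        ssl_server_connection *ssl_server;

        ASSERT(pemfile);
        if (!ssl_initialized)
                start_ssl();
        ssl_server = new_ssl_server_connection(pemfile, clientpemfile);
        if (!ssl_server) {
                // Nothing has been allocated on our side yet, so there is nothing to release
                return NULL;
        }
#ifdef OPENSSL_FIPS
        // FIPS mode forbids the SSLv2/SSLv3 handshakes the SSLv23 method would offer
        if (FIPS_mode())
                server_method = TLSv1_server_method();
        else
#endif
                server_method = SSLv23_server_method();
        if (!(ssl_server->method = server_method)) {
                LogError("%s: Cannot initialize the SSL method -- %s\n", prog, SSLERROR);
                goto sslerror;
        }
        if (!(ssl_server->ctx = SSL_CTX_new(ssl_server->method))) {
                LogError("%s: Cannot initialize SSL server certificate handler -- %s\n", prog, SSLERROR);
                goto sslerror;
        }
        // SSLv23_server_method() negotiates any protocol the library supports, which
        // includes SSLv2 and SSLv3; disable both for security reasons. Harmless when
        // the TLSv1-only FIPS method was selected above.
        SSL_CTX_set_options(ssl_server->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
        // NOTE(review): no cipher list is set on this context, so OpenSSL's
        // default list applies -- consider SSL_CTX_set_cipher_list() with a
        // restricted list once one is agreed for this build.
        if (SSL_CTX_use_certificate_chain_file(ssl_server->ctx, pemfile) != 1) {
                LogError("%s: Cannot initialize SSL server certificate -- %s\n", prog, SSLERROR);
                goto sslerror;
        }
        if (SSL_CTX_use_PrivateKey_file(ssl_server->ctx, pemfile, SSL_FILETYPE_PEM) != 1) {
                LogError("%s: Cannot initialize SSL server private key -- %s\n", prog, SSLERROR);
                goto sslerror;
        }
        // Catch a certificate/key mismatch here rather than at the first handshake
        if (SSL_CTX_check_private_key(ssl_server->ctx) != 1) {
                LogError("%s: The private key doesn't match the certificate public key -- %s\n", prog, SSLERROR);
                goto sslerror;
        }
        /* Disable session cache */
        SSL_CTX_set_session_cache_mode(ssl_server->ctx, SSL_SESS_CACHE_OFF);
        /*
         * We need this to force transmission of client certs
         */
        if (!verify_init(ssl_server)) {
                LogError("%s: Verification engine was not properly initialized -- %s\n", prog, SSLERROR);
                goto sslerror;
        }
        if (ssl_server->clientpemfile) {
                // The count reported here is the number of CA names that will be sent
                // to clients in the CertificateRequest, as loaded by verify_init().
                // sk_X509_NAME_num() tolerates a NULL stack (it returns -1).
                STACK_OF(X509_NAME) *stack = SSL_CTX_get_client_CA_list(ssl_server->ctx);
                LogInfo("%s: Found %d client certificates\n", prog, sk_X509_NAME_num(stack));
        }
        return ssl_server;
sslerror:
        delete_ssl_server_socket(ssl_server);
        return NULL;
}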