LIBCXX_NAMESPACE::fdbase new_server_socket(const LIBCXX_NAMESPACE::fdbase
&socket)
{
auto credentials=
LIBCXX_NAMESPACE::gnutls::credentials::certificate::create
("testrsa1.crt", "testrsa1.key", GNUTLS_X509_FMT_PEM);
LIBCXX_NAMESPACE::gnutls::dhparams dh(x::gnutls::dhparams::create());
dh->import();
credentials->set_dh_params(dh);
auto sess=LIBCXX_NAMESPACE::gnutls::session::create(GNUTLS_SERVER,
socket);
sess->credentials_set(credentials);
sess->set_default_priority();
int direction;
if (!sess->handshake(direction))
throw EXCEPTION("Handshake did not complete");
return sess;
}
void Gobby::CertificateManager::load_dh_params()
{
const std::string filename = config_filename("dh_params.pem");
GError* error = NULL;
gnutls_dh_params_t dh_params =
inf_cert_util_read_dh_params(filename.c_str(), &error);
if(error != NULL)
{
if(error->domain != G_FILE_ERROR ||
error->code != G_FILE_ERROR_NOENT)
{
g_warning(_("Failed to read Diffie-Hellman "
"parameters: %s"),
error->message);
}
g_error_free(error);
}
if(dh_params != NULL)
set_dh_params(dh_params);
}
/*
* Setup default SSL_CTX (and SSL * ) behavior:
* verification, cipherlist, acceptable versions, ...
*/
static int
init_ssl_ctx_behavior( struct tls_domain *d ) {
int verify_mode;
#if (OPENSSL_VERSION_NUMBER > 0x10001000L)
/*
* set dh params
*/
if (!d->tmp_dh_file) {
LM_DBG("no DH params file for tls[%s:%d] defined, "
"using default '%s'\n", ip_addr2a(&d->addr), d->port,
tls_tmp_dh_file);
d->tmp_dh_file = tls_tmp_dh_file;
}
if (d->tmp_dh_file && set_dh_params(d->ctx, d->tmp_dh_file) < 0)
return -1;
if (d->tls_ec_curve) {
if (set_ec_params(d->ctx, d->tls_ec_curve) < 0) {
return -1;
}
}
else {
LM_NOTICE("No EC curve defined\n");
}
#else
if (d->tmp_dh_file || tls_tmp_dh_file)
LM_WARN("DH params file discarded as not supported by your openSSL version\n");
if (d->tls_ec_curve)
LM_WARN("EC params file discarded as not supported by your openSSL version\n");
#endif
if( d->ciphers_list != 0 ) {
if( SSL_CTX_set_cipher_list(d->ctx, d->ciphers_list) == 0 ) {
LM_ERR("failure to set SSL context "
"cipher list '%s'\n", d->ciphers_list);
return -1;
} else {
LM_NOTICE("cipher list set to %s\n", d->ciphers_list);
}
} else {
LM_DBG( "cipher list null ... setting default\n");
}
/* Set a bunch of options:
* do not accept SSLv2
* no session resumption
* choose cipher according to server's preference's*/
#if OPENSSL_VERSION_NUMBER >= 0x000907000
SSL_CTX_set_options(d->ctx,
SSL_OP_ALL | SSL_OP_NO_SSLv2 |
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
SSL_OP_CIPHER_SERVER_PREFERENCE);
#else
SSL_CTX_set_options(d->ctx,
SSL_OP_ALL | SSL_OP_NO_SSLv2 );
#endif
/* Set verification procedure
* The verification can be made null with SSL_VERIFY_NONE, or
* at least easier with SSL_VERIFY_CLIENT_ONCE instead of
* SSL_VERIFY_FAIL_IF_NO_PEER_CERT.
* For extra control, instead of 0, we can specify a callback function:
* int (*verify_callback)(int, X509_STORE_CTX *)
* Also, depth 2 may be not enough in some scenarios ... though no need
* to increase it much further */
if (d->type & TLS_DOMAIN_SRV) {
/* Server mode:
* SSL_VERIFY_NONE
* the server will not send a client certificate request to the
* client, so the client will not send a certificate.
* SSL_VERIFY_PEER
* the server sends a client certificate request to the client.
* The certificate returned (if any) is checked. If the verification
* process fails, the TLS/SSL handshake is immediately terminated
* with an alert message containing the reason for the verification
* failure. The behaviour can be controlled by the additional
* SSL_VERIFY_FAIL_IF_NO_PEER_CERT and SSL_VERIFY_CLIENT_ONCE flags.
* SSL_VERIFY_FAIL_IF_NO_PEER_CERT
* if the client did not return a certificate, the TLS/SSL handshake
* is immediately terminated with a ``handshake failure'' alert.
* This flag must be used together with SSL_VERIFY_PEER.
* SSL_VERIFY_CLIENT_ONCE
* only request a client certificate on the initial TLS/SSL
* handshake. Do not ask for a client certificate again in case of
* a renegotiation. This flag must be used together with
* SSL_VERIFY_PEER.
*/
if( d->verify_cert ) {
verify_mode = SSL_VERIFY_PEER;
if( d->require_client_cert ) {
LM_WARN("client verification activated. Client "
"certificates are mandatory.\n");
verify_mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
} else
LM_WARN("client verification activated. Client "
"certificates are NOT mandatory.\n");
} else {
verify_mode = SSL_VERIFY_NONE;
LM_WARN("client verification NOT activated. Weaker security.\n");
}
} else {
/* Client mode:
* SSL_VERIFY_NONE
* if not using an anonymous cipher (by default disabled), the
* server will send a certificate which will be checked. The result
* of the certificate verification process can be checked after the
* TLS/SSL handshake using the SSL_get_verify_result(3) function.
* The handshake will be continued regardless of the verification
* result.
* SSL_VERIFY_PEER
* the server certificate is verified. If the verification process
* fails, the TLS/SSL handshake is immediately terminated with an
* alert message containing the reason for the verification failure.
* If no server certificate is sent, because an anonymous cipher is
* used, SSL_VERIFY_PEER is ignored.
* SSL_VERIFY_FAIL_IF_NO_PEER_CERT
* ignored
* SSL_VERIFY_CLIENT_ONCE
* ignored
*/
if( d->verify_cert ) {
verify_mode = SSL_VERIFY_PEER;
LM_WARN("server verification activated.\n");
} else {
verify_mode = SSL_VERIFY_NONE;
LM_WARN("server verification NOT activated. Weaker security.\n");
}
}
SSL_CTX_set_verify( d->ctx, verify_mode, verify_callback);
SSL_CTX_set_verify_depth( d->ctx, VERIFY_DEPTH_S);
SSL_CTX_set_session_cache_mode( d->ctx, SSL_SESS_CACHE_SERVER );
SSL_CTX_set_session_id_context( d->ctx, OS_SSL_SESS_ID,
OS_SSL_SESS_ID_LEN );
return 0;
}
