LIBCXX_NAMESPACE::fdbase new_server_socket(const LIBCXX_NAMESPACE::fdbase &socket) { auto credentials= LIBCXX_NAMESPACE::gnutls::credentials::certificate::create ("testrsa1.crt", "testrsa1.key", GNUTLS_X509_FMT_PEM); LIBCXX_NAMESPACE::gnutls::dhparams dh(x::gnutls::dhparams::create()); dh->import(); credentials->set_dh_params(dh); auto sess=LIBCXX_NAMESPACE::gnutls::session::create(GNUTLS_SERVER, socket); sess->credentials_set(credentials); sess->set_default_priority(); int direction; if (!sess->handshake(direction)) throw EXCEPTION("Handshake did not complete"); return sess; }
void Gobby::CertificateManager::load_dh_params() { const std::string filename = config_filename("dh_params.pem"); GError* error = NULL; gnutls_dh_params_t dh_params = inf_cert_util_read_dh_params(filename.c_str(), &error); if(error != NULL) { if(error->domain != G_FILE_ERROR || error->code != G_FILE_ERROR_NOENT) { g_warning(_("Failed to read Diffie-Hellman " "parameters: %s"), error->message); } g_error_free(error); } if(dh_params != NULL) set_dh_params(dh_params); }
/* * Setup default SSL_CTX (and SSL * ) behavior: * verification, cipherlist, acceptable versions, ... */ static int init_ssl_ctx_behavior( struct tls_domain *d ) { int verify_mode; #if (OPENSSL_VERSION_NUMBER > 0x10001000L) /* * set dh params */ if (!d->tmp_dh_file) { LM_DBG("no DH params file for tls[%s:%d] defined, " "using default '%s'\n", ip_addr2a(&d->addr), d->port, tls_tmp_dh_file); d->tmp_dh_file = tls_tmp_dh_file; } if (d->tmp_dh_file && set_dh_params(d->ctx, d->tmp_dh_file) < 0) return -1; if (d->tls_ec_curve) { if (set_ec_params(d->ctx, d->tls_ec_curve) < 0) { return -1; } } else { LM_NOTICE("No EC curve defined\n"); } #else if (d->tmp_dh_file || tls_tmp_dh_file) LM_WARN("DH params file discarded as not supported by your openSSL version\n"); if (d->tls_ec_curve) LM_WARN("EC params file discarded as not supported by your openSSL version\n"); #endif if( d->ciphers_list != 0 ) { if( SSL_CTX_set_cipher_list(d->ctx, d->ciphers_list) == 0 ) { LM_ERR("failure to set SSL context " "cipher list '%s'\n", d->ciphers_list); return -1; } else { LM_NOTICE("cipher list set to %s\n", d->ciphers_list); } } else { LM_DBG( "cipher list null ... setting default\n"); } /* Set a bunch of options: * do not accept SSLv2 * no session resumption * choose cipher according to server's preference's*/ #if OPENSSL_VERSION_NUMBER >= 0x000907000 SSL_CTX_set_options(d->ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_CIPHER_SERVER_PREFERENCE); #else SSL_CTX_set_options(d->ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 ); #endif /* Set verification procedure * The verification can be made null with SSL_VERIFY_NONE, or * at least easier with SSL_VERIFY_CLIENT_ONCE instead of * SSL_VERIFY_FAIL_IF_NO_PEER_CERT. * For extra control, instead of 0, we can specify a callback function: * int (*verify_callback)(int, X509_STORE_CTX *) * Also, depth 2 may be not enough in some scenarios ... though no need * to increase it much further */ if (d->type & TLS_DOMAIN_SRV) { /* Server mode: * SSL_VERIFY_NONE * the server will not send a client certificate request to the * client, so the client will not send a certificate. * SSL_VERIFY_PEER * the server sends a client certificate request to the client. * The certificate returned (if any) is checked. If the verification * process fails, the TLS/SSL handshake is immediately terminated * with an alert message containing the reason for the verification * failure. The behaviour can be controlled by the additional * SSL_VERIFY_FAIL_IF_NO_PEER_CERT and SSL_VERIFY_CLIENT_ONCE flags. * SSL_VERIFY_FAIL_IF_NO_PEER_CERT * if the client did not return a certificate, the TLS/SSL handshake * is immediately terminated with a ``handshake failure'' alert. * This flag must be used together with SSL_VERIFY_PEER. * SSL_VERIFY_CLIENT_ONCE * only request a client certificate on the initial TLS/SSL * handshake. Do not ask for a client certificate again in case of * a renegotiation. This flag must be used together with * SSL_VERIFY_PEER. */ if( d->verify_cert ) { verify_mode = SSL_VERIFY_PEER; if( d->require_client_cert ) { LM_WARN("client verification activated. Client " "certificates are mandatory.\n"); verify_mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; } else LM_WARN("client verification activated. Client " "certificates are NOT mandatory.\n"); } else { verify_mode = SSL_VERIFY_NONE; LM_WARN("client verification NOT activated. Weaker security.\n"); } } else { /* Client mode: * SSL_VERIFY_NONE * if not using an anonymous cipher (by default disabled), the * server will send a certificate which will be checked. The result * of the certificate verification process can be checked after the * TLS/SSL handshake using the SSL_get_verify_result(3) function. * The handshake will be continued regardless of the verification * result. * SSL_VERIFY_PEER * the server certificate is verified. If the verification process * fails, the TLS/SSL handshake is immediately terminated with an * alert message containing the reason for the verification failure. * If no server certificate is sent, because an anonymous cipher is * used, SSL_VERIFY_PEER is ignored. * SSL_VERIFY_FAIL_IF_NO_PEER_CERT * ignored * SSL_VERIFY_CLIENT_ONCE * ignored */ if( d->verify_cert ) { verify_mode = SSL_VERIFY_PEER; LM_WARN("server verification activated.\n"); } else { verify_mode = SSL_VERIFY_NONE; LM_WARN("server verification NOT activated. Weaker security.\n"); } } SSL_CTX_set_verify( d->ctx, verify_mode, verify_callback); SSL_CTX_set_verify_depth( d->ctx, VERIFY_DEPTH_S); SSL_CTX_set_session_cache_mode( d->ctx, SSL_SESS_CACHE_SERVER ); SSL_CTX_set_session_id_context( d->ctx, OS_SSL_SESS_ID, OS_SSL_SESS_ID_LEN ); return 0; }