static int apps_startup() { #ifdef SIGPIPE signal(SIGPIPE, SIG_IGN); #endif CRYPTO_malloc_init(); ERR_load_crypto_strings(); ERR_load_SSL_strings(); OPENSSL_load_builtin_modules(); #ifndef OPENSSL_NO_ENGINE ENGINE_load_builtin_engines(); #endif if (!app_load_modules(NULL)) { ERR_print_errors(bio_err); BIO_printf(bio_err, "Error loading default configuration\n"); return 0; } OpenSSL_add_all_algorithms(); OpenSSL_add_ssl_algorithms(); setup_ui_method(); /*SSL_library_init();*/ return 1; }
int openssl_config_int(const OPENSSL_INIT_SETTINGS *settings) { int ret; const char *filename; const char *appname; unsigned long flags; if (openssl_configured) return 1; filename = settings ? settings->filename : NULL; appname = settings ? settings->appname : NULL; flags = settings ? settings->flags : DEFAULT_CONF_MFLAGS; #ifdef OPENSSL_INIT_DEBUG fprintf(stderr, "OPENSSL_INIT: openssl_config_int(%s, %s, %lu)\n", filename, appname, flags); #endif OPENSSL_load_builtin_modules(); #ifndef OPENSSL_NO_ENGINE /* Need to load ENGINEs */ ENGINE_load_builtin_engines(); #endif ERR_clear_error(); #ifndef OPENSSL_SYS_UEFI ret = CONF_modules_load_file(filename, appname, flags); #endif openssl_configured = 1; return ret; }
void OPENSSL_config(const char *config_name) { if (openssl_configured) return; OPENSSL_load_builtin_modules(); #ifndef OPENSSL_NO_ENGINE /* Need to load ENGINEs */ ENGINE_load_builtin_engines(); #endif /* Add others here? */ ERR_clear_error(); if (CONF_modules_load_file(NULL, config_name, CONF_MFLAGS_DEFAULT_SECTION|CONF_MFLAGS_IGNORE_MISSING_FILE) <= 0) { BIO *bio_err; ERR_load_crypto_strings(); if ((bio_err=BIO_new_fp(stderr, BIO_NOCLOSE)) != NULL) { BIO_printf(bio_err,"Auto configuration failed\n"); ERR_print_errors(bio_err); BIO_free(bio_err); } fprintf(stderr, "OpenSSL could not auto-configure.\n"); exit(1); } return; }
void OPENSSL_config(const char *config_name) { if (openssl_configured) return; OPENSSL_load_builtin_modules(); #ifndef OPENSSL_NO_ENGINE /* Need to load ENGINEs */ ENGINE_load_builtin_engines(); #endif ERR_clear_error(); CONF_modules_load_file(NULL, config_name, CONF_MFLAGS_DEFAULT_SECTION | CONF_MFLAGS_IGNORE_MISSING_FILE); }
int load_config(BIO *err, CONF *cnf) { if (!cnf) cnf = config; if (!cnf) return 1; OPENSSL_load_builtin_modules(); if (CONF_modules_load(cnf, NULL, 0) <= 0) { BIO_printf(err, "Error configuring OpenSSL\n"); ERR_print_errors(err); return 0; } return 1; }
static void apps_startup() { #ifdef SIGPIPE signal(SIGPIPE, SIG_IGN); #endif CRYPTO_malloc_init(); ERR_load_crypto_strings(); ERR_load_SSL_strings(); OpenSSL_add_all_algorithms(); OpenSSL_add_ssl_algorithms(); OPENSSL_load_builtin_modules(); setup_ui_method(); /*SSL_library_init();*/ #ifndef OPENSSL_NO_ENGINE ENGINE_load_builtin_engines(); #endif }
static CONF * LoadOpenSSLConf(const gchar *fname) // IN { CONF *config; const char *mask; gboolean ret = FALSE; gchar *err = NULL; config = NCONF_new(NULL); if (!config) { Error("Failed to allocate the OpenSSL config.\n"); goto exit; } if (!NCONF_load(config, fname, NULL)) { Error("Failed to load the configuration file %s: %s.\n", fname, GetSSLError(&err)); goto exit; } OPENSSL_load_builtin_modules(); if (!CONF_modules_load(config, NULL, 0)) { Error("Error configuring OpenSSL modules: %s.\n", GetSSLError(&err)); goto exit; } mask = NCONF_get_string(config, "req", "string_mask"); if (mask) { ASN1_STRING_set_default_mask_asc(mask); } ret = TRUE; exit: if (!ret) { NCONF_free(config); config = NULL; } g_free(err); return config; }
static int ssl_hook_pre_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptemp) { /* We must register the library in full, to ensure our configuration * code can successfully test the SSL environment. */ CRYPTO_malloc_init(); #ifdef HAVE_OPENSSL ERR_load_crypto_strings(); #endif SSL_load_error_strings(); SSL_library_init(); #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES ENGINE_load_builtin_engines(); #endif #ifdef HAVE_OPENSSL OpenSSL_add_all_algorithms(); #if OPENSSL_VERSION_NUMBER >= 0x00907001 OPENSSL_load_builtin_modules(); #endif #endif /* * Let us cleanup the ssl library when the module is unloaded */ apr_pool_cleanup_register(pconf, NULL, ssl_cleanup_pre_config, apr_pool_cleanup_null); /* Register us to handle mod_log_config %c/%x variables */ ssl_var_log_config_register(pconf); /* Register to handle mod_status status page generation */ ssl_scache_status_register(pconf); return OK; }
static int ssl_hook_pre_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptemp) { /* We must register the library in full, to ensure our configuration * code can successfully test the SSL environment. */ CRYPTO_malloc_init(); ERR_load_crypto_strings(); SSL_load_error_strings(); SSL_library_init(); #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES ENGINE_load_builtin_engines(); #endif OpenSSL_add_all_algorithms(); OPENSSL_load_builtin_modules(); /* * Let us cleanup the ssl library when the module is unloaded */ apr_pool_cleanup_register(pconf, NULL, ssl_cleanup_pre_config, apr_pool_cleanup_null); /* Register us to handle mod_log_config %c/%x variables */ ssl_var_log_config_register(pconf); /* Register to handle mod_status status page generation */ ssl_scache_status_register(pconf); /* Register mutex type names so they can be configured with Mutex */ ap_mutex_register(pconf, SSL_CACHE_MUTEX_TYPE, NULL, APR_LOCK_DEFAULT, 0); #ifdef HAVE_OCSP_STAPLING ap_mutex_register(pconf, SSL_STAPLING_MUTEX_TYPE, NULL, APR_LOCK_DEFAULT, 0); #endif return OK; }
static int ssl_hook_pre_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptemp) { modssl_running_statically = modssl_is_prelinked(); /* Some OpenSSL internals are allocated per-thread, make sure they * are associated to the/our same thread-id until cleaned up. */ #if APR_HAS_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) ssl_util_thread_id_setup(pconf); #endif /* We must register the library in full, to ensure our configuration * code can successfully test the SSL environment. */ #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) CRYPTO_malloc_init(); #else OPENSSL_malloc_init(); #endif ERR_load_crypto_strings(); SSL_load_error_strings(); SSL_library_init(); #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES ENGINE_load_builtin_engines(); #endif OpenSSL_add_all_algorithms(); OPENSSL_load_builtin_modules(); if (OBJ_txt2nid("id-on-dnsSRV") == NID_undef) { (void)OBJ_create("1.3.6.1.5.5.7.8.7", "id-on-dnsSRV", "SRVName otherName form"); } /* Start w/o errors (e.g. OBJ_txt2nid() above) */ ERR_clear_error(); /* * Let us cleanup the ssl library when the module is unloaded */ apr_pool_cleanup_register(pconf, NULL, ssl_cleanup_pre_config, apr_pool_cleanup_null); /* Register us to handle mod_log_config %c/%x variables */ ssl_var_log_config_register(pconf); /* Register to handle mod_status status page generation */ ssl_scache_status_register(pconf); /* Register mutex type names so they can be configured with Mutex */ ap_mutex_register(pconf, SSL_CACHE_MUTEX_TYPE, NULL, APR_LOCK_DEFAULT, 0); #ifdef HAVE_OCSP_STAPLING ap_mutex_register(pconf, SSL_STAPLING_CACHE_MUTEX_TYPE, NULL, APR_LOCK_DEFAULT, 0); ap_mutex_register(pconf, SSL_STAPLING_REFRESH_MUTEX_TYPE, NULL, APR_LOCK_DEFAULT, 0); #endif return OK; }
bool ssl_init (void) { SSL_METHOD const *meth; long ssl_options = 0; #if OPENSSL_VERSION_NUMBER >= 0x00907000 if (ssl_true_initialized == 0) { OPENSSL_config (NULL); ssl_true_initialized = 1; } #endif if (ssl_ctx) /* The SSL has already been initialized. */ return true; /* Init the PRNG. If that fails, bail out. */ init_prng (); if (RAND_status () != 1) { logprintf (LOG_NOTQUIET, _("Could not seed PRNG; consider using --random-file.\n")); goto error; } #if OPENSSL_VERSION_NUMBER >= 0x00907000 OPENSSL_load_builtin_modules(); ENGINE_load_builtin_engines(); CONF_modules_load_file(NULL, NULL, CONF_MFLAGS_DEFAULT_SECTION|CONF_MFLAGS_IGNORE_MISSING_FILE); #endif SSL_library_init (); SSL_load_error_strings (); SSLeay_add_all_algorithms (); SSLeay_add_ssl_algorithms (); switch (opt.secure_protocol) { #ifndef OPENSSL_NO_SSL2 case secure_protocol_sslv2: meth = SSLv2_client_method (); break; #endif #ifndef OPENSSL_NO_SSL3 case secure_protocol_sslv3: meth = SSLv3_client_method (); break; #endif case secure_protocol_auto: case secure_protocol_pfs: meth = SSLv23_client_method (); ssl_options |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; break; case secure_protocol_tlsv1: meth = TLSv1_client_method (); break; #if OPENSSL_VERSION_NUMBER >= 0x10001000 case secure_protocol_tlsv1_1: meth = TLSv1_1_client_method (); break; case secure_protocol_tlsv1_2: meth = TLSv1_2_client_method (); break; #else case secure_protocol_tlsv1_1: logprintf (LOG_NOTQUIET, _("Your OpenSSL version is too old to support TLSv1.1\n")); goto error; case secure_protocol_tlsv1_2: logprintf (LOG_NOTQUIET, _("Your OpenSSL version is too old to support TLSv1.2\n")); goto error; #endif default: logprintf (LOG_NOTQUIET, _("OpenSSL: unimplemented 'secure-protocol' option value %d\n"), opt.secure_protocol); logprintf (LOG_NOTQUIET, _("Please report this issue to [email protected]\n")); abort (); } /* The type cast below accommodates older OpenSSL versions (0.9.8) where SSL_CTX_new() is declared without a "const" argument. */ ssl_ctx = SSL_CTX_new ((SSL_METHOD *)meth); if (!ssl_ctx) goto error; if (ssl_options) SSL_CTX_set_options (ssl_ctx, ssl_options); /* OpenSSL ciphers: https://www.openssl.org/docs/apps/ciphers.html * Since we want a good protection, we also use HIGH (that excludes MD4 ciphers and some more) */ if (opt.secure_protocol == secure_protocol_pfs) SSL_CTX_set_cipher_list (ssl_ctx, "HIGH:MEDIUM:!RC4:!SRP:!PSK:!RSA:!aNULL@STRENGTH"); SSL_CTX_set_default_verify_paths (ssl_ctx); SSL_CTX_load_verify_locations (ssl_ctx, opt.ca_cert, opt.ca_directory); if (opt.crl_file) { X509_STORE *store = SSL_CTX_get_cert_store (ssl_ctx); X509_LOOKUP *lookup; if (!(lookup = X509_STORE_add_lookup (store, X509_LOOKUP_file ())) || (!X509_load_crl_file (lookup, opt.crl_file, X509_FILETYPE_PEM))) goto error; X509_STORE_set_flags (store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); } /* SSL_VERIFY_NONE instructs OpenSSL not to abort SSL_connect if the certificate is invalid. We verify the certificate separately in ssl_check_certificate, which provides much better diagnostics than examining the error stack after a failed SSL_connect. */ SSL_CTX_set_verify (ssl_ctx, SSL_VERIFY_NONE, NULL); /* Use the private key from the cert file unless otherwise specified. */ if (opt.cert_file && !opt.private_key) { opt.private_key = opt.cert_file; opt.private_key_type = opt.cert_type; } if (opt.cert_file) if (SSL_CTX_use_certificate_file (ssl_ctx, opt.cert_file, key_type_to_ssl_type (opt.cert_type)) != 1) goto error; if (opt.private_key) if (SSL_CTX_use_PrivateKey_file (ssl_ctx, opt.private_key, key_type_to_ssl_type (opt.private_key_type)) != 1) goto error; /* Since fd_write unconditionally assumes partial writes (and handles them correctly), allow them in OpenSSL. */ SSL_CTX_set_mode (ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE); /* The OpenSSL library can handle renegotiations automatically, so tell it to do so. */ SSL_CTX_set_mode (ssl_ctx, SSL_MODE_AUTO_RETRY); return true; error: if (ssl_ctx) SSL_CTX_free (ssl_ctx); print_errors (); return false; }