bool SSLClient::init()
{
initLib();
if (!initSSL())
return false;
#ifdef _DEBUG
#if OPENSSL_VERSION_NUMBER < 0x00907000L
SSL_CTX_set_info_callback(pCTX, (void (*)())ssl_info_callback);
#else
SSL_CTX_set_info_callback(pCTX, ssl_info_callback);
#endif
#endif
return initBIO();
}
// memory is only valid for duration of callback; must be copied if queueing
// is required
DtlsSocketContext::DtlsSocketContext() {
started = false;
mSocket = NULL;
receiver = NULL;
DtlsSocketContext::Init();
ELOG_DEBUG("Creating Dtls factory, Openssl v %s", OPENSSL_VERSION_TEXT);
mContext = SSL_CTX_new(DTLSv1_method());
assert(mContext);
int r = SSL_CTX_use_certificate(mContext, mCert);
assert(r == 1);
r = SSL_CTX_use_PrivateKey(mContext, privkey);
assert(r == 1);
SSL_CTX_set_cipher_list(mContext, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH");
SSL_CTX_set_info_callback(mContext, SSLInfoCallback);
SSL_CTX_set_verify(mContext, SSL_VERIFY_PEER |SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
SSLVerifyCallback);
// SSL_CTX_set_session_cache_mode(mContext, SSL_SESS_CACHE_OFF);
// SSL_CTX_set_options(mContext, SSL_OP_NO_TICKET);
// Set SRTP profiles
r = SSL_CTX_set_tlsext_use_srtp(mContext, DefaultSrtpProfile);
assert(r == 0);
SSL_CTX_set_verify_depth(mContext, 2);
SSL_CTX_set_read_ahead(mContext, 1);
ELOG_DEBUG("DtlsSocketContext %p created", this);
}
int
tls_configure_ssl(struct tls *ctx)
{
SSL_CTX_set_mode(ctx->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
SSL_CTX_set_mode(ctx->ssl_ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv2);
SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv3);
SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1);
SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_1);
SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_2);
if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_0) == 0)
SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1);
if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_1) == 0)
SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_1);
if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_2) == 0)
SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_2);
if (ctx->config->ciphers != NULL) {
if (SSL_CTX_set_cipher_list(ctx->ssl_ctx,
ctx->config->ciphers) != 1) {
tls_set_errorx(ctx, "failed to set ciphers");
goto err;
}
}
SSL_CTX_set_info_callback(ctx->ssl_ctx, tls_info_callback);
return (0);
err:
return (-1);
}
SSL_CTX *
_SSL_context_init (void (*info_cb_func), int server)
{
SSL_CTX *ctx;
#ifdef WIN32
int i, r;
#endif
SSLeay_add_ssl_algorithms ();
SSL_load_error_strings ();
ctx = SSL_CTX_new (server ? SSLv23_server_method() : SSLv23_client_method ());
SSL_CTX_set_session_cache_mode (ctx, SSL_SESS_CACHE_BOTH);
SSL_CTX_set_timeout (ctx, 300);
/* used in SSL_connect(), SSL_accept() */
SSL_CTX_set_info_callback (ctx, info_cb_func);
#ifdef WIN32
/* under win32, OpenSSL needs to be seeded with some randomness */
for (i = 0; i < 128; i++)
{
r = rand ();
RAND_seed ((unsigned char *)&r, sizeof (r));
}
#endif
return(ctx);
}
int SSLSocket_setSocketForSSL(networkHandles* net, MQTTClient_SSLOptions* opts)
{
int rc = 1;
FUNC_ENTRY;
if (net->ctx != NULL || (rc = SSLSocket_createContext(net, opts)) == 1)
{
int i;
SSL_CTX_set_info_callback(net->ctx, SSL_CTX_info_callback);
if (opts->enableServerCertAuth)
SSL_CTX_set_verify(net->ctx, SSL_VERIFY_PEER, NULL);
net->ssl = SSL_new(net->ctx);
/* Log all ciphers available to the SSL sessions (loaded in ctx) */
for (i = 0; ;i++)
{
const char* cipher = SSL_get_cipher_list(net->ssl, i);
if (cipher == NULL) break;
Log(TRACE_MIN, 1, "SSL cipher available: %d:%s", i, cipher);
}
if ((rc = SSL_set_fd(net->ssl, net->socket)) != 1)
SSLSocket_error("SSL_set_fd", net->ssl, net->socket, rc);
}
FUNC_EXIT_RC(rc);
return rc;
}
SSL_CTX *ssl_init() {
SSL_CTX *ctx = NULL;
SSL_load_error_strings();
SSL_library_init();
OpenSSL_add_all_algorithms();
ssl_data_index = SSL_get_ex_new_index(0,0,0,0,0);
if ((locks = calloc(CRYPTO_num_locks(), sizeof(pthread_mutex_t)))) {
for (int i = 0; i < CRYPTO_num_locks(); i++) {
pthread_mutex_init(&locks[i], NULL);
}
CRYPTO_set_locking_callback(ssl_lock);
CRYPTO_set_id_callback(ssl_id);
if ((ctx = SSL_CTX_new(SSLv23_client_method()))) {
SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
SSL_CTX_set_verify_depth(ctx, 0);
SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_CLIENT);
SSL_CTX_sess_set_new_cb(ctx, new_session_callback);
SSL_CTX_set_info_callback(ctx, ssl_info_callback);
}
}
return ctx;
}
/* Initialize the library */
static void tls_init(int verify)
{
if(_tlsctx)
{
TLSERROR("Library is already initialized!");
return;
}
SSL_load_error_strings();
SSL_library_init();
_tlsctx = SSL_CTX_new(TLSv1_method());
if(!_tlsctx) TLSERROR("Couldn't create TLS object.\n");
else
{
OPENSSLCHECK(SSL_CTX_set_quiet_shutdown(_tlsctx, 1));
OPENSSLCHECK(SSL_CTX_set_info_callback(_tlsctx, NULL));
OPENSSLCHECK(SSL_CTX_load_verify_locations(ctx, CAfile, CApath));
OPENSSLCHECK(SSL_CTX_set_default_verify_paths());
if(verify == GGZ_TLS_VERIFY_PEER) SSL_CTX_set_verify(_tlsctx, SSL_VERIFY_PEER, tls_verify);
else SSL_CTX_set_verify(_tlsctx, SSL_VERIFY_NONE, NULL);
}
openssllist = ggz_list_create(NULL, NULL, NULL, GGZ_LIST_ALLOW_DUPS);
}
void ConnectionManager(ServerGame& aGame, Ogre::String aAddress, int32 aPort)
{
LOG(INFO) << "Init SRP";
boost::asio::ssl::context sslCtx(boost::asio::ssl::context::tlsv1_server);
SSL_CTX* ctx = sslCtx.native_handle();
SSL_CTX_set_info_callback(ctx, SSLInfoCallback);
SSL_CTX_SRP_CTX_init(ctx);
if (SSL_CTX_set_cipher_list(ctx, "SRP") != 1)
{
LOG(ERROR) << "Can not set SRP ciphers";
return;
}
SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
SSL_CTX_set_srp_username_callback(ctx, SSLSRPServerParamCallback);
AddUser("test", "test");
LOG(INFO) << "Listening to " << aAddress << ":" << aPort;
boost::asio::io_service IOService;
boost::asio::ip::tcp::acceptor gate(IOService,
boost::asio::ip::tcp::endpoint(boost::asio::ip::tcp::v4(), aPort));
while (true)
{
SSLStreamPtr sslStream(new SSLStream(IOService, sslCtx));
gate.accept(sslStream->lowest_layer());
boost::thread thrd(boost::bind(ClientConnection, boost::ref(aGame), sslStream));
}
}
context::context(void)
: _impl( SSL_CTX_new( SSLv23_method()))
{
SSL_CTX_set_verify(_impl, SSL_VERIFY_NONE, nullptr);
SSL_CTX_set_default_passwd_cb( _impl , &pem_password );
SSL_CTX_set_default_passwd_cb_userdata( _impl , this );
SSL_CTX_set_info_callback(_impl,ssl_info_callback);
}
/*
** Create an SSL application context if not already done
*/
PUBLIC BOOL HTSSL_init (void)
{
char rnd_filename[HT_MAX_PATH];
/*
** Initialise OpenSSL 0.9.5 random number generator.
** The random generator of OpenSSL had to be initialised on platforms
** that do not support /dev/random, like Compaq True64 Unix.
** This is done in the default way, and means that the user of the
** libwww-ssl library needs to have a .rnd file in his/her home-directory.
*/
RAND_file_name(rnd_filename, sizeof(rnd_filename));
RAND_load_file(rnd_filename, -1);
if (!app_ctx) {
SSL_METHOD * meth = NULL;
SSLeay_add_ssl_algorithms();
/* Seems to provide English error messages */
SSL_load_error_strings();
/* select the protocol method */
switch (ssl_prot_method) {
case HTSSL_V2:
meth = SSLv2_client_method();
break;
case HTSSL_V3:
meth = SSLv3_client_method();
break;
case HTSSL_V23:
meth = SSLv23_client_method();
break;
default:
case HTTLS_V1:
meth = TLSv1_client_method();
break;
}
/* set up the application context */
if ((app_ctx = SSL_CTX_new(meth)) == NULL) {
HTTRACE(PROT_TRACE, "HTSSLContext Could not create context\n");
return NO;
}
HTTRACE(PROT_TRACE, "HTSSLContext Created context %p" _ app_ctx);
/* See the SSL states in our own callback */
#ifdef HTDEBUG
SSL_CTX_set_info_callback(app_ctx, apps_ssl_info_callback);
#endif
/* Set the certificate verification callback */
SSL_CTX_set_verify(app_ctx, SSL_VERIFY_PEER, verify_callback);
/* Not sure what this does */
SSL_CTX_set_session_cache_mode(app_ctx, SSL_SESS_CACHE_CLIENT);
}
return YES;
}
ape_ssl_t *ape_ssl_init_ctx(const char *cert, const char *key)
{
ape_ssl_t *ssl = NULL;
SSL_CTX *ctx = SSL_CTX_new(SSLv23_server_method());
if (ctx == NULL) {
printf("Failed to init SSL ctx\n");
return NULL;
}
ssl = malloc(sizeof(*ssl));
ssl->ctx = ctx;
ssl->con = NULL;
SSL_CTX_set_info_callback(ssl->ctx, ape_ssl_info_callback);
SSL_CTX_set_options(ssl->ctx, SSL_OP_ALL);
SSL_CTX_set_default_read_ahead(ssl->ctx, 1);
/* see APE_socket_write() ape_socket.c */
SSL_CTX_set_mode(ssl->ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
/* TODO: what for? */
// SSL_CTX_set_read_ahead(ssl->ctx, 1);
if (SSL_CTX_set_cipher_list(ssl->ctx, CIPHER_LIST) <= 0) {
printf("Failed to set cipher\n");
SSL_CTX_free(ctx);
free(ssl);
return NULL;
}
if (SSL_CTX_use_certificate_chain_file(ssl->ctx, cert) == 0) {
printf("Failed to load cert\n");
SSL_CTX_free(ctx);
free(ssl);
return NULL;
}
if (SSL_CTX_use_PrivateKey_file(ssl->ctx, (key != NULL ? key : cert),
SSL_FILETYPE_PEM)
== 0) {
printf("Failed to load private key\n");
SSL_CTX_free(ctx);
free(ssl);
return NULL;
}
if (SSL_CTX_check_private_key(ssl->ctx) == 0) {
printf("Private key does not match the certificate public key\n");
SSL_CTX_free(ctx);
free(ssl);
return NULL;
}
printf("[SSL] New context\n");
return ssl;
}
static SSL_CTX *dtls_setup_sslclient (void)
{
SSL_METHOD *meth = NULL;
SSL_CTX *ctx = NULL;
extern char *pass;
if (!dtls_bio_err)
{
SSL_library_init ();
ERR_clear_error ();
SSL_load_error_strings ();
OpenSSL_add_all_algorithms ();
dtls_bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
}
meth = DTLSv1_client_method (); // Datagam TLS v1 client - requires openSSL > v0.9.8
ctx = SSL_CTX_new (meth); // New SSL CTX object as Framework to establish new SSL connections
if (!SSL_CTX_use_certificate_chain_file (ctx, DTLSC_CERT))
{
dtls_destroy_ctx (ctx);
dtls_report_berr ("Error loading the file \"%s\" - %s\n", DTLSC_CERT, strerror (errno));
}
pass = PASSWORD;
/* Enable this if u hve generated your certificates with password. If certs are generated with '-nodes' option, this is not required */
// SSL_CTX_set_default_passwd_cb (ctx, dtls_password_cb);
// fprintf (stderr, "%s: %s(): Am now here @ %d\n", __FILE__, __func__, __LINE__);
if (!SSL_CTX_use_PrivateKey_file (ctx, DTLSC_KEY_CERT, SSL_FILETYPE_PEM))
{
dtls_destroy_ctx (ctx);
dtls_report_berr ("Error loading the private key from the file \"%s\" - %s\n", DTLSC_KEY_CERT, \
strerror (errno));
}
if (!SSL_CTX_load_verify_locations (ctx, DTLSC_ROOT_CACERT, 0))
{
dtls_destroy_ctx (ctx);
dtls_report_berr ("Error loading the CA file - %s\n", strerror (errno));
}
SSL_CTX_set_verify_depth (ctx, 2);
SSL_CTX_set_options (ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
#ifdef DEBUG
SSL_CTX_set_info_callback (ctx, &dtls_info_callback);
#endif
SSL_CTX_set_read_ahead (ctx, 1); // Required for DTLS - please refer apps/s_client.c source file
return ctx;
}
static void ssl_init_ctx_callbacks(server_rec *s,
apr_pool_t *p,
apr_pool_t *ptemp,
modssl_ctx_t *mctx)
{
SSL_CTX *ctx = mctx->ssl_ctx;
SSL_CTX_set_tmp_rsa_callback(ctx, ssl_callback_TmpRSA);
SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
}
void
tls_ctx_set_options (struct tls_root_ctx *ctx, unsigned int ssl_flags)
{
ASSERT(NULL != ctx);
/* process SSL options including minimum TLS version we will accept from peer */
{
long sslopt = SSL_OP_SINGLE_DH_USE | SSL_OP_NO_TICKET | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
const int tls_ver_min =
(ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) & SSLF_TLS_VERSION_MIN_MASK;
int tls_ver_max =
(ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK;
if (tls_ver_max <= TLS_VER_UNSPEC)
tls_ver_max = tls_version_max();
if (tls_ver_min > TLS_VER_1_0 || tls_ver_max < TLS_VER_1_0)
sslopt |= SSL_OP_NO_TLSv1;
#ifdef SSL_OP_NO_TLSv1_1
if (tls_ver_min > TLS_VER_1_1 || tls_ver_max < TLS_VER_1_1)
sslopt |= SSL_OP_NO_TLSv1_1;
#endif
#ifdef SSL_OP_NO_TLSv1_2
if (tls_ver_min > TLS_VER_1_2 || tls_ver_max < TLS_VER_1_2)
sslopt |= SSL_OP_NO_TLSv1_2;
#endif
#ifdef SSL_OP_NO_COMPRESSION
/* Disable compression - flag not available in OpenSSL 0.9.8 */
sslopt |= SSL_OP_NO_COMPRESSION;
#endif
SSL_CTX_set_options (ctx->ctx, sslopt);
}
SSL_CTX_set_session_cache_mode (ctx->ctx, SSL_SESS_CACHE_OFF);
SSL_CTX_set_default_passwd_cb (ctx->ctx, pem_password_callback);
/* Require peer certificate verification */
#if P2MP_SERVER
if (ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED)
{
msg (M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION "
"--client-cert-not-required may accept clients which do not present "
"a certificate");
}
else
#endif
SSL_CTX_set_verify (ctx->ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
verify_callback);
SSL_CTX_set_info_callback (ctx->ctx, info_callback);
}
int TlsInit( char* cacertPath )
{
e_TlsError vl_Error;
char a_DefaultCertPath[] = DEFAULT_CERT_PATH;
char *p_CertToUse;
DEBUG_LOG_PRINT_LEV2(("TlsInit : Entry"));
SSL_load_error_strings();
SSL_library_init();
gp_SSL_CTX = SSL_CTX_new(TLSv1_method());
if( NULL == gp_SSL_CTX )
{
DEBUG_LOG_PRINT_LEV2(("SSL_CTX_new returned NULL!\n"));
return FALSE;
}
if ( SSL_CTX_set_cipher_list(gp_SSL_CTX, DEFAULT_CIPHER_LIST ) != 1 )
{
DEBUG_LOG_PRINT_LEV2(("SSL_CTX_set_cipher_list returned NULL!\n"));
SSL_CTX_free(gp_SSL_CTX);
return FALSE; // ERROR selecting SUPL cipher list
}
SSL_CTX_set_info_callback(gp_SSL_CTX, Tls_openssl_info_callback);
#ifdef AGPS_DISABLE_TLS_CA_CERT_VERIFY
/* In this mode, even if a CA cert is not found, a secure connection is established */
SSL_CTX_set_verify( gp_SSL_CTX , SSL_VERIFY_NONE , NULL );
#else
/* If a CA cert is not found matching the server certificate, the handshake is shutdown */
SSL_CTX_set_verify( gp_SSL_CTX , SSL_VERIFY_PEER , Tls_openssl_certificate_verify_callback );
#endif
p_CertToUse = ( cacertPath == NULL ) ? a_DefaultCertPath : cacertPath;
DEBUG_LOG_PRINT_LEV2(("TlsInit : Certificate %s\n" , p_CertToUse));
if( SSL_CTX_load_verify_locations(gp_SSL_CTX, p_CertToUse ,NULL) != 1 )
{
DEBUG_LOG_PRINT_LEV2(("SSL_CTX_load_verify_locations failed!\n"));
return FALSE;
}
DEBUG_LOG_PRINT_LEV2(("SSL_CTX_get_options : %ld" , SSL_CTX_get_options( gp_SSL_CTX ) ));
SSL_CTX_set_options( gp_SSL_CTX,SSL_OP_NO_TICKET|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3) ;
DEBUG_LOG_PRINT_LEV2(("SSL_CTX_get_options : %ld" , SSL_CTX_get_options( gp_SSL_CTX ) ));
DEBUG_LOG_PRINT_LEV2(("TlsInit : Exit"));
return TRUE;
}
static void ssl_init_ctx_callbacks(server_rec *s,
apr_pool_t *p,
apr_pool_t *ptemp,
modssl_ctx_t *mctx)
{
SSL_CTX *ctx = mctx->ssl_ctx;
SSL_CTX_set_tmp_rsa_callback(ctx, ssl_callback_TmpRSA);
SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
if (s->loglevel >= APLOG_DEBUG) {
/* this callback only logs if LogLevel >= info */
SSL_CTX_set_info_callback(ctx, ssl_callback_LogTracingState);
}
}
static void init()
{
if (gSSL_CTX) return;
SSL_load_error_strings();
SSL_library_init();
gSSL_CTX = SSL_CTX_new(TLSv1_method());
#if OPENSSL_VERSION_NUMBER >= 0x00905000L
SSL_CTX_set_cipher_list(gSSL_CTX, "ADH:@STRENGTH");
#else
SSL_CTX_set_cipher_list(gSSL_CTX, "ADH");
#endif
SSL_CTX_set_info_callback(gSSL_CTX, (void (*)())ssl_info_callback);
DH *dh = get_dh512();
SSL_CTX_set_tmp_dh(gSSL_CTX, dh);
DH_free(dh);
}
void bb_socket_ssl(struct bb_acceptor *acceptor) {
if (!blastbeat.ssl_initialized) {
OPENSSL_config(NULL);
SSL_library_init();
SSL_load_error_strings();
OpenSSL_add_all_algorithms();
blastbeat.ssl_initialized = 1;
blastbeat.ssl_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL);
}
acceptor->ctx = SSL_CTX_new(SSLv23_server_method());
if (!acceptor->ctx) {
fprintf(stderr, "unable to initialize SSL context: SSL_CTX_new()");
exit(1);
}
long ssloptions = SSL_OP_NO_SSLv2 | SSL_OP_ALL | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION;
// disable compression (if possibile)
#ifdef SSL_OP_NO_COMPRESSION
ssloptions |= SSL_OP_NO_COMPRESSION;
#endif
SSL_CTX_set_options(acceptor->ctx, ssloptions);
// release/reuse buffers as soon as possibile
#ifdef SSL_MODE_RELEASE_BUFFERS
SSL_CTX_set_mode(acceptor->ctx, SSL_MODE_RELEASE_BUFFERS);
#endif
if (SSL_CTX_set_cipher_list(acceptor->ctx, "HIGH") == 0) {
fprintf(stderr,"unable to set SSL ciphers: SSL_CTX_set_cipher_list()");
exit(1);
}
SSL_CTX_set_options(acceptor->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
SSL_CTX_set_info_callback(acceptor->ctx, bb_ssl_info_cb);
#ifdef OPENSSL_NPN_UNSUPPORTED
SSL_CTX_set_next_protos_advertised_cb(acceptor->ctx, bb_ssl_npn, NULL);
#endif
SSL_CTX_set_session_cache_mode(acceptor->ctx, SSL_SESS_CACHE_SERVER);
acceptor->read = bb_ssl_read;
acceptor->write = bb_ssl_write;
}
// --------------------
int main() {
char client_key_file[1024];
sprintf(client_key_file, "%s/%s", dirname(__FILE__), "client-key.pem");
// Initialize SSL
SSL_library_init();
SSL_load_error_strings();
BIO* bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
SSL_CTX* ssl_ctx = SSL_CTX_new(SSLv23_client_method());
int rc = SSL_CTX_use_PrivateKey_file(ssl_ctx, client_key_file, SSL_FILETYPE_PEM);
if(!rc) {
EXIT("Could not load client key file.\n");
}
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2);
SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, dummy_ssl_verify_callback); // our callback always returns true, so no validation
SSL_CTX_set_info_callback(ssl_ctx, dummy_ssl_info_callback); // for dibugging
SSL_CTX_set_msg_callback(ssl_ctx, dummy_ssl_msg_callback);
uv_loop_t* loop = uv_loop_new();
// Client context
Client c;
c.loop = loop;
c.connect_req.data = &c;
c.socket.data = &c;
c.ssl = NULL;
c.ssl_ctx = ssl_ctx;
sprintf(c.host, "%s", "test.localhost");
sprintf(c.port, "%s", "443");
sprintf(c.page, "%s", "/chunked.php");
// Resolve host
struct addrinfo hints;
hints.ai_family = PF_INET;
hints.ai_socktype = SOCK_STREAM;
hints.ai_protocol = IPPROTO_TCP;
hints.ai_flags = 0;
uv_getaddrinfo_t resolver;
resolver.data = &c;
int r = uv_getaddrinfo(loop, &resolver, on_resolved_callback, c.host, c.port, &hints);
uv_run(loop, UV_RUN_DEFAULT);
return 0;
}
/**
* @brief Configure generic SSL parameters
* @param d domain
* @return 0
*/
static int set_ssl_options(tls_domain_t* d)
{
int i;
int procs_no;
long options;
#if OPENSSL_VERSION_NUMBER >= 0x00908000L
long ssl_version;
STACK_OF(SSL_COMP)* comp_methods;
#endif
procs_no=get_max_procs();
options=SSL_OP_ALL; /* all the bug workarrounds by default */
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
options|=SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
SSL_OP_CIPHER_SERVER_PREFERENCE;
#if OPENSSL_VERSION_NUMBER >= 0x00908000L
ssl_version=SSLeay();
if ((ssl_version >= 0x0090800L) && (ssl_version < 0x0090803fL)){
/* if 0.9.8 <= openssl version < 0.9.8c and compression support is
* enabled disable SSL_OP_TLS_BLOCK_PADDING_BUG (set by SSL_OP_ALL),
* see openssl #1204 http://rt.openssl.org/Ticket/Display.html?id=1204
*/
comp_methods=SSL_COMP_get_compression_methods();
if (comp_methods && (sk_SSL_COMP_num(comp_methods) > 0)){
options &= ~SSL_OP_TLS_BLOCK_PADDING_BUG;
LOG(L_WARN, "tls: set_ssl_options: openssl "
"SSL_OP_TLS_BLOCK_PADDING bug workaround enabled "
"(openssl version %lx)\n", ssl_version);
}else{
LOG(L_INFO, "tls: set_ssl_options: detected openssl version (%lx) "
" has the SSL_OP_TLS_BLOCK_PADDING bug, but compression "
" is disabled so no workaround is needed\n", ssl_version);
}
}
# endif
#endif
for(i = 0; i < procs_no; i++) {
SSL_CTX_set_options(d->ctx[i], options);
if(sr_tls_renegotiation==0)
SSL_CTX_set_info_callback(d->ctx[i], sr_ssl_ctx_info_callback);
}
return 0;
}
/* initialize a new connection; @todo cleanup + free on failure */
int krx_ssl_conn_init(krx_ssl* k) {
printf("------------ start initialize ssl_con -----------\n");
if(k->conn_initialized) {
printf("Error: already initialize the ssl connection.\n");
return -1;
}
k->ssl = SSL_new(k->ctx);
if(k->ssl == NULL) {
printf("Error: cannot create the SSL object.\n");
ERR_print_errors_fp(stderr);
return -2;
}
k->in = BIO_new(&krx_bio);
if(k->in == NULL) {
printf("Error: cannot create the in BIO.\n");
SSL_free(k->ssl);
return -3;
}
k->out = BIO_new(&krx_bio);
if(k->out == NULL) {
BIO_free(k->in);
SSL_free(k->ssl);
return -4;
}
k->in->ptr = k;
k->out->ptr = k;
SSL_set_bio(k->ssl, k->in, k->out);
SSL_set_accept_state(k->ssl); /* set to accept state so it we act like we're a server */
SSL_CTX_set_info_callback(k->ctx, krx_ssl_info_callback);
k->conn_initialized = true;
printf("------------ end initialize ssl_con -----------\n");
return 0;
}
SSL_CTX *
_SSL_context_init (void (*info_cb_func), int server)
{
SSL_CTX *ctx;
SSLeay_add_ssl_algorithms ();
SSL_load_error_strings ();
ctx =
SSL_CTX_new (server ? SSLv3_server_method () :
SSLv3_client_method ());
SSL_CTX_set_session_cache_mode (ctx, SSL_SESS_CACHE_BOTH);
SSL_CTX_set_timeout (ctx, 300);
/* used in SSL_connect(), SSL_accept() */
SSL_CTX_set_info_callback (ctx, info_cb_func);
return (ctx);
}
int
tls_configure_ssl(struct tls *ctx)
{
SSL_CTX_set_mode(ctx->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
SSL_CTX_set_mode(ctx->ssl_ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
SSL_CTX_set_mode(ctx->ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv2);
SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv3);
SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1);
SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_1);
SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_2);
if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_0) == 0)
SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1);
if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_1) == 0)
SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_1);
if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_2) == 0)
SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_2);
if (ctx->config->ciphers != NULL) {
if (SSL_CTX_set_cipher_list(ctx->ssl_ctx,
ctx->config->ciphers) != 1) {
tls_set_errorx(ctx, "failed to set ciphers");
goto err;
}
}
SSL_CTX_set_info_callback(ctx->ssl_ctx, tls_info_callback);
#ifdef X509_V_FLAG_NO_CHECK_TIME
if (ctx->config->verify_time == 0) {
X509_VERIFY_PARAM *vfp = SSL_CTX_get0_param(ctx->ssl_ctx);
X509_VERIFY_PARAM_set_flags(vfp, X509_V_FLAG_NO_CHECK_TIME);
}
#endif
return (0);
err:
return (-1);
}
int SslContext::init(int iMethod)
{
if (m_pCtx != NULL)
return 0;
SSL_METHOD *meth;
if (initSSL())
return LS_FAIL;
m_iMethod = iMethod;
m_iEnableSpdy = 0;
meth = (SSL_METHOD *)SSLv23_method();
m_pCtx = SSL_CTX_new(meth);
if (m_pCtx)
{
#ifdef SSL_OP_NO_COMPRESSION
/* OpenSSL >= 1.0 only */
SSL_CTX_set_options(m_pCtx, SSL_OP_NO_COMPRESSION);
#endif
setOptions(SSL_OP_SINGLE_DH_USE | SSL_OP_ALL);
//setOptions( SSL_OP_NO_SSLv2 );
updateProtocol(iMethod);
setOptions(SSL_OP_CIPHER_SERVER_PREFERENCE);
SSL_CTX_set_mode(m_pCtx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER
#ifdef SSL_MODE_RELEASE_BUFFERS
| SSL_MODE_RELEASE_BUFFERS
#endif
);
if (m_iRenegProtect)
{
setOptions(SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
SSL_CTX_set_info_callback(m_pCtx, SslConnection_ssl_info_cb);
}
//initECDH();
return 0;
}
else
{
//TODO: log ssl error
return LS_FAIL;
}
}
/*
* Attempt to negotiate SSL connection.
*/
static int
open_server_SSL(Port *port)
{
Assert(!port->ssl);
Assert(!port->peer);
if (!(port->ssl = SSL_new(SSL_context)) ||
!my_SSL_set_fd(port->ssl, port->sock) ||
SSL_accept(port->ssl) <= 0)
{
ereport(COMMERROR,
(errcode(ERRCODE_PROTOCOL_VIOLATION),
errmsg("could not initialize SSL connection: %s",
SSLerrmessage())));
close_SSL(port);
return -1;
}
port->count = 0;
/* get client certificate, if available. */
port->peer = SSL_get_peer_certificate(port->ssl);
if (port->peer == NULL)
{
strncpy(port->peer_dn, "(anonymous)", sizeof(port->peer_dn));
strncpy(port->peer_cn, "(anonymous)", sizeof(port->peer_cn));
}
else
{
X509_NAME_oneline(X509_get_subject_name(port->peer),
port->peer_dn, sizeof(port->peer_dn));
port->peer_dn[sizeof(port->peer_dn) - 1] = '\0';
X509_NAME_get_text_by_NID(X509_get_subject_name(port->peer),
NID_commonName, port->peer_cn, sizeof(port->peer_cn));
port->peer_cn[sizeof(port->peer_cn) - 1] = '\0';
}
ereport(DEBUG2,
(errmsg("SSL connection from \"%s\"", port->peer_cn)));
/* set up debugging/info callback */
SSL_CTX_set_info_callback(SSL_context, info_cb);
return 0;
}
SSL_CTX *bb_new_ssl_ctx() {
SSL_CTX *ctx = SSL_CTX_new(SSLv23_server_method());
if (!ctx) {
fprintf(stderr, "unable to initialize SSL context: SSL_CTX_new()");
return NULL;
}
long ssloptions = SSL_OP_NO_SSLv2 | SSL_OP_ALL | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION;
// disable compression (if possibile)
#ifdef SSL_OP_NO_COMPRESSION
ssloptions |= SSL_OP_NO_COMPRESSION;
#endif
SSL_CTX_set_options(ctx, ssloptions);
// release/reuse buffers as soon as possibile
#ifdef SSL_MODE_RELEASE_BUFFERS
SSL_CTX_set_mode(ctx, SSL_MODE_RELEASE_BUFFERS);
#endif
if (SSL_CTX_set_cipher_list(ctx, "HIGH") == 0) {
fprintf(stderr,"unable to set SSL ciphers: SSL_CTX_set_cipher_list()");
SSL_CTX_free(ctx);
return NULL;
}
SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
SSL_CTX_set_info_callback(ctx, bb_ssl_info_cb);
#ifdef OPENSSL_NPN_UNSUPPORTED
SSL_CTX_set_next_protos_advertised_cb(ctx, bb_ssl_npn, NULL);
#endif
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
SSL_CTX_set_tlsext_servername_callback(ctx, bb_ssl_servername);
#else
#warning TLS SNI support not available !!!
#endif
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER);
return ctx;
}
void * tls_init(void)
{
SSL_CTX *ssl;
SSL_load_error_strings();
SSL_library_init();
/* TODO: if /dev/urandom is available, PRNG is seeded automatically.
* If this is not the case, random data should be added here. */
#ifdef PKCS12_FUNCS
PKCS12_PBE_add();
#endif /* PKCS12_FUNCS */
ssl = SSL_CTX_new(TLSv1_method());
if (ssl == NULL)
return NULL;
SSL_CTX_set_info_callback(ssl, ssl_info_cb);
return ssl;
}
SSL_CTX *
_SSL_context_init (void (*info_cb_func), int server)
{
SSL_CTX *ctx;
#ifdef WIN32
int i, r;
#endif
SSLeay_add_ssl_algorithms ();
SSL_load_error_strings ();
ctx = SSL_CTX_new (server ? SSLv23_server_method() : SSLv23_client_method ());
SSL_CTX_set_session_cache_mode (ctx, SSL_SESS_CACHE_BOTH);
SSL_CTX_set_timeout (ctx, 300);
SSL_CTX_set_options (ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3
|SSL_OP_NO_COMPRESSION
|SSL_OP_SINGLE_DH_USE|SSL_OP_SINGLE_ECDH_USE
|SSL_OP_NO_TICKET
|SSL_OP_CIPHER_SERVER_PREFERENCE);
#if OPENSSL_VERSION_NUMBER >= 0x00908000L /* workaround for OpenSSL 0.9.8 */
sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());
#endif
/* used in SSL_connect(), SSL_accept() */
SSL_CTX_set_info_callback (ctx, info_cb_func);
#ifdef WIN32
/* under win32, OpenSSL needs to be seeded with some randomness */
for (i = 0; i < 128; i++)
{
r = rand ();
RAND_seed ((unsigned char *)&r, sizeof (r));
}
#endif
return(ctx);
}
static void tls_init_options(void)
{
static int passes;
# ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
SSL_CTX_set_options(tls_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
# endif
# ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
SSL_CTX_set_options(tls_ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
# endif
SSL_CTX_set_options(tls_ctx, SSL_OP_NO_SSLv2);
SSL_CTX_set_options(tls_ctx, SSL_OP_NO_SSLv3);
# ifdef SSL_OP_NO_TLSv1
SSL_CTX_set_options(tls_ctx, SSL_OP_NO_TLSv1);
# endif
# ifdef SSL_OP_NO_TLSv1_1
SSL_CTX_set_options(tls_ctx, SSL_OP_NO_TLSv1_1);
# endif
# ifdef SSL_OP_NO_TLSv1_2
SSL_CTX_clear_options(tls_ctx, SSL_OP_NO_TLSv1_2);
# endif
# ifdef SSL_OP_NO_TLSv1_3
SSL_CTX_clear_options(tls_ctx, SSL_OP_NO_TLSv1_3);
# endif
if (tlsciphersuite != NULL) {
if (SSL_CTX_set_cipher_list(tls_ctx, tlsciphersuite) != 1) {
logfile(LOG_ERR, MSG_TLS_CIPHER_FAILED, tlsciphersuite);
_EXIT(EXIT_FAILURE);
}
}
SSL_CTX_set_info_callback(tls_ctx, ssl_info_cb);
if (passes == 0) {
SSL_CTX_set_tlsext_servername_callback(tls_ctx, ssl_servername_cb);
passes++;
}
SSL_CTX_set_verify_depth(tls_ctx, MAX_CERTIFICATE_DEPTH);
}
void
tls_ctx_set_options (struct tls_root_ctx *ctx, unsigned int ssl_flags)
{
ASSERT(NULL != ctx);
SSL_CTX_set_session_cache_mode (ctx->ctx, SSL_SESS_CACHE_OFF);
SSL_CTX_set_options (ctx->ctx, SSL_OP_SINGLE_DH_USE);
SSL_CTX_set_default_passwd_cb (ctx->ctx, pem_password_callback);
/* Require peer certificate verification */
#if P2MP_SERVER
if (ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED)
{
msg (M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION "
"--client-cert-not-required may accept clients which do not present "
"a certificate");
}
else
#endif
SSL_CTX_set_verify (ctx->ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
verify_callback);
SSL_CTX_set_info_callback (ctx->ctx, info_callback);
}