Exemple #1
0
bool SSLClient::init()
{
    initLib();
    if (!initSSL())
        return false;
#ifdef _DEBUG
#if OPENSSL_VERSION_NUMBER < 0x00907000L        
    SSL_CTX_set_info_callback(pCTX, (void (*)())ssl_info_callback);
#else
    SSL_CTX_set_info_callback(pCTX, ssl_info_callback);
#endif
#endif
    return initBIO();
}
Exemple #2
0
  // memory is only valid for duration of callback; must be copied if queueing
  // is required
  DtlsSocketContext::DtlsSocketContext() {
      started = false;
      mSocket = NULL;
      receiver = NULL;
      DtlsSocketContext::Init();

      ELOG_DEBUG("Creating Dtls factory, Openssl v %s", OPENSSL_VERSION_TEXT);

      mContext = SSL_CTX_new(DTLSv1_method());
      assert(mContext);

      int r = SSL_CTX_use_certificate(mContext, mCert);
      assert(r == 1);

      r = SSL_CTX_use_PrivateKey(mContext, privkey);
      assert(r == 1);

      SSL_CTX_set_cipher_list(mContext, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH");

      SSL_CTX_set_info_callback(mContext, SSLInfoCallback);

      SSL_CTX_set_verify(mContext, SSL_VERIFY_PEER |SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
        SSLVerifyCallback);

      // SSL_CTX_set_session_cache_mode(mContext, SSL_SESS_CACHE_OFF);
      // SSL_CTX_set_options(mContext, SSL_OP_NO_TICKET);
      // Set SRTP profiles
      r = SSL_CTX_set_tlsext_use_srtp(mContext, DefaultSrtpProfile);
      assert(r == 0);

      SSL_CTX_set_verify_depth(mContext, 2);
      SSL_CTX_set_read_ahead(mContext, 1);

      ELOG_DEBUG("DtlsSocketContext %p created", this);
    }
Exemple #3
0
int
tls_configure_ssl(struct tls *ctx)
{
	SSL_CTX_set_mode(ctx->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
	SSL_CTX_set_mode(ctx->ssl_ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);

	SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv2);
	SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv3);

	SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1);
	SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_1);
	SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_2);

	if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_0) == 0)
		SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1);
	if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_1) == 0)
		SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_1);
	if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_2) == 0)
		SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_2);

	if (ctx->config->ciphers != NULL) {
		if (SSL_CTX_set_cipher_list(ctx->ssl_ctx,
		    ctx->config->ciphers) != 1) {
			tls_set_errorx(ctx, "failed to set ciphers");
			goto err;
		}
	}

	SSL_CTX_set_info_callback(ctx->ssl_ctx, tls_info_callback);

	return (0);

err:
	return (-1);
}
Exemple #4
0
SSL_CTX *
_SSL_context_init (void (*info_cb_func), int server)
{
	SSL_CTX *ctx;
#ifdef WIN32
	int i, r;
#endif

	SSLeay_add_ssl_algorithms ();
	SSL_load_error_strings ();
	ctx = SSL_CTX_new (server ? SSLv23_server_method() : SSLv23_client_method ());

	SSL_CTX_set_session_cache_mode (ctx, SSL_SESS_CACHE_BOTH);
	SSL_CTX_set_timeout (ctx, 300);

	/* used in SSL_connect(), SSL_accept() */
	SSL_CTX_set_info_callback (ctx, info_cb_func);

#ifdef WIN32
	/* under win32, OpenSSL needs to be seeded with some randomness */
	for (i = 0; i < 128; i++)
	{
		r = rand ();
		RAND_seed ((unsigned char *)&r, sizeof (r));
	}
#endif

	return(ctx);
}
Exemple #5
0
int SSLSocket_setSocketForSSL(networkHandles* net, MQTTClient_SSLOptions* opts)
{
	int rc = 1;

	FUNC_ENTRY;

	if (net->ctx != NULL || (rc = SSLSocket_createContext(net, opts)) == 1)
	{
    	int i;
    	SSL_CTX_set_info_callback(net->ctx, SSL_CTX_info_callback);
   		if (opts->enableServerCertAuth)
			SSL_CTX_set_verify(net->ctx, SSL_VERIFY_PEER, NULL);

		net->ssl = SSL_new(net->ctx);

    	/* Log all ciphers available to the SSL sessions (loaded in ctx) */
    	for (i = 0; ;i++)
    	{
        	const char* cipher = SSL_get_cipher_list(net->ssl, i);
        	if (cipher == NULL) break;
        	Log(TRACE_MIN, 1, "SSL cipher available: %d:%s", i, cipher);
    	}

		if ((rc = SSL_set_fd(net->ssl, net->socket)) != 1)
			SSLSocket_error("SSL_set_fd", net->ssl, net->socket, rc);
	}

	FUNC_EXIT_RC(rc);
	return rc;
}
Exemple #6
0
SSL_CTX *ssl_init() {
    SSL_CTX *ctx = NULL;

    SSL_load_error_strings();
    SSL_library_init();
    OpenSSL_add_all_algorithms();
    ssl_data_index = SSL_get_ex_new_index(0,0,0,0,0);

    if ((locks = calloc(CRYPTO_num_locks(), sizeof(pthread_mutex_t)))) {
        for (int i = 0; i < CRYPTO_num_locks(); i++) {
            pthread_mutex_init(&locks[i], NULL);
        }

        CRYPTO_set_locking_callback(ssl_lock);
        CRYPTO_set_id_callback(ssl_id);

        if ((ctx = SSL_CTX_new(SSLv23_client_method()))) {
            SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
            SSL_CTX_set_verify_depth(ctx, 0);
            SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
            SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_CLIENT);
            SSL_CTX_sess_set_new_cb(ctx, new_session_callback);
            SSL_CTX_set_info_callback(ctx, ssl_info_callback);
        }
    }

    return ctx;
}
Exemple #7
0
/* Initialize the library */
static void tls_init(int verify)
{
	if(_tlsctx)
	{
		TLSERROR("Library is already initialized!");
		return;
	}

	SSL_load_error_strings();
	SSL_library_init();

	_tlsctx = SSL_CTX_new(TLSv1_method());
	if(!_tlsctx) TLSERROR("Couldn't create TLS object.\n");
	else
	{
		OPENSSLCHECK(SSL_CTX_set_quiet_shutdown(_tlsctx, 1));
		OPENSSLCHECK(SSL_CTX_set_info_callback(_tlsctx, NULL));
		OPENSSLCHECK(SSL_CTX_load_verify_locations(ctx, CAfile, CApath));
		OPENSSLCHECK(SSL_CTX_set_default_verify_paths());
		if(verify == GGZ_TLS_VERIFY_PEER) SSL_CTX_set_verify(_tlsctx, SSL_VERIFY_PEER, tls_verify);
		else SSL_CTX_set_verify(_tlsctx, SSL_VERIFY_NONE, NULL);
	}

	openssllist = ggz_list_create(NULL, NULL, NULL, GGZ_LIST_ALLOW_DUPS);
}
void ConnectionManager(ServerGame& aGame, Ogre::String aAddress, int32 aPort)
{
    LOG(INFO) << "Init SRP";

    boost::asio::ssl::context sslCtx(boost::asio::ssl::context::tlsv1_server);
    SSL_CTX* ctx = sslCtx.native_handle();

    SSL_CTX_set_info_callback(ctx, SSLInfoCallback);
    SSL_CTX_SRP_CTX_init(ctx);
    if (SSL_CTX_set_cipher_list(ctx, "SRP") != 1)
    {
        LOG(ERROR) << "Can not set SRP ciphers";
        return;
    }

    SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
    SSL_CTX_set_srp_username_callback(ctx, SSLSRPServerParamCallback);

    AddUser("test", "test");

    LOG(INFO) << "Listening to " << aAddress << ":" << aPort;
    boost::asio::io_service IOService;
    boost::asio::ip::tcp::acceptor gate(IOService,
        boost::asio::ip::tcp::endpoint(boost::asio::ip::tcp::v4(), aPort));

    while (true)
    {
        SSLStreamPtr sslStream(new SSLStream(IOService, sslCtx));
        gate.accept(sslStream->lowest_layer());
        boost::thread thrd(boost::bind(ClientConnection, boost::ref(aGame), sslStream));
    }
}
Exemple #9
0
context::context(void)
	: _impl( SSL_CTX_new( SSLv23_method()))
{
	SSL_CTX_set_verify(_impl, SSL_VERIFY_NONE, nullptr);
	SSL_CTX_set_default_passwd_cb( _impl , &pem_password );
	SSL_CTX_set_default_passwd_cb_userdata( _impl , this );
	SSL_CTX_set_info_callback(_impl,ssl_info_callback);
}
Exemple #10
0
/*
**  Create an SSL application context if not already done
*/
PUBLIC BOOL HTSSL_init (void)
{
    char rnd_filename[HT_MAX_PATH];

    /*
    ** Initialise OpenSSL 0.9.5 random number generator.
    ** The random generator of OpenSSL had to be initialised on platforms
    ** that do not support /dev/random, like Compaq True64 Unix.
    ** This is done in the default way, and means that the user of the
    ** libwww-ssl library needs to have a .rnd file in his/her home-directory.
    */
    RAND_file_name(rnd_filename, sizeof(rnd_filename));
    RAND_load_file(rnd_filename, -1);
    
    if (!app_ctx) {
	SSL_METHOD * meth = NULL;
        SSLeay_add_ssl_algorithms();
	/* Seems to provide English error messages */
        SSL_load_error_strings();

	/* select the protocol method */
	switch (ssl_prot_method) {
	case HTSSL_V2:
	  meth = SSLv2_client_method();
	  break;
	case HTSSL_V3:
	  meth = SSLv3_client_method();
	  break;
	case HTSSL_V23:
	  meth = SSLv23_client_method();
	  break;
	default:
	case HTTLS_V1:
	  meth = TLSv1_client_method();
	  break;
	}

        /* set up the application context */
	if ((app_ctx = SSL_CTX_new(meth)) == NULL) {
            HTTRACE(PROT_TRACE, "HTSSLContext Could not create context\n");
	    return NO;
	}
	HTTRACE(PROT_TRACE, "HTSSLContext Created context %p" _ app_ctx);

	/* See the SSL states in our own callback */
#ifdef HTDEBUG
	SSL_CTX_set_info_callback(app_ctx, apps_ssl_info_callback);
#endif
	
	/* Set the certificate verification callback */
	SSL_CTX_set_verify(app_ctx, SSL_VERIFY_PEER, verify_callback);

	/* Not sure what this does */
        SSL_CTX_set_session_cache_mode(app_ctx, SSL_SESS_CACHE_CLIENT);
     }
    return YES;
}
Exemple #11
0
ape_ssl_t *ape_ssl_init_ctx(const char *cert, const char *key)
{
    ape_ssl_t *ssl = NULL;
    SSL_CTX *ctx   = SSL_CTX_new(SSLv23_server_method());

    if (ctx == NULL) {
        printf("Failed to init SSL ctx\n");
        return NULL;
    }

    ssl      = malloc(sizeof(*ssl));
    ssl->ctx = ctx;
    ssl->con = NULL;
    SSL_CTX_set_info_callback(ssl->ctx, ape_ssl_info_callback);
    SSL_CTX_set_options(ssl->ctx, SSL_OP_ALL);
    SSL_CTX_set_default_read_ahead(ssl->ctx, 1);

    /* see APE_socket_write() ape_socket.c */
    SSL_CTX_set_mode(ssl->ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);

    /* TODO: what for? */
    // SSL_CTX_set_read_ahead(ssl->ctx, 1);

    if (SSL_CTX_set_cipher_list(ssl->ctx, CIPHER_LIST) <= 0) {
        printf("Failed to set cipher\n");
        SSL_CTX_free(ctx);
        free(ssl);
        return NULL;
    }

    if (SSL_CTX_use_certificate_chain_file(ssl->ctx, cert) == 0) {
        printf("Failed to load cert\n");
        SSL_CTX_free(ctx);
        free(ssl);
        return NULL;
    }
    if (SSL_CTX_use_PrivateKey_file(ssl->ctx, (key != NULL ? key : cert),
                                    SSL_FILETYPE_PEM)
        == 0) {
        printf("Failed to load private key\n");
        SSL_CTX_free(ctx);
        free(ssl);
        return NULL;
    }

    if (SSL_CTX_check_private_key(ssl->ctx) == 0) {
        printf("Private key does not match the certificate public key\n");
        SSL_CTX_free(ctx);
        free(ssl);
        return NULL;
    }

    printf("[SSL] New context\n");

    return ssl;
}
static SSL_CTX *dtls_setup_sslclient (void)
{
	SSL_METHOD *meth = NULL;
	SSL_CTX *ctx = NULL;
	extern char *pass;

	if (!dtls_bio_err)
	{
		SSL_library_init ();
		ERR_clear_error ();
		SSL_load_error_strings ();
		OpenSSL_add_all_algorithms ();

		dtls_bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
	}

	meth = DTLSv1_client_method (); // Datagam TLS v1 client - requires openSSL > v0.9.8
	ctx = SSL_CTX_new (meth);	// New SSL CTX object as Framework to establish new SSL connections

	if (!SSL_CTX_use_certificate_chain_file (ctx, DTLSC_CERT))
	{
		dtls_destroy_ctx (ctx);
		dtls_report_berr ("Error loading the file \"%s\" - %s\n", DTLSC_CERT, strerror (errno));
	}

	pass = PASSWORD;

	/* Enable this if u hve generated your certificates with password. If certs are generated with '-nodes' option, this 			is not required */

//	SSL_CTX_set_default_passwd_cb (ctx, dtls_password_cb);

//	fprintf (stderr, "%s: %s(): Am now here @ %d\n", __FILE__, __func__, __LINE__);
	if (!SSL_CTX_use_PrivateKey_file (ctx, DTLSC_KEY_CERT, SSL_FILETYPE_PEM))
	{
		dtls_destroy_ctx (ctx);
		dtls_report_berr ("Error loading the private key from the file \"%s\" - %s\n", DTLSC_KEY_CERT, \
			strerror (errno));
	}
	
	if (!SSL_CTX_load_verify_locations (ctx, DTLSC_ROOT_CACERT, 0))
	{
		dtls_destroy_ctx (ctx);
		dtls_report_berr ("Error loading the CA file - %s\n", strerror (errno));
	}

	SSL_CTX_set_verify_depth (ctx, 2);
	SSL_CTX_set_options (ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);

#ifdef DEBUG
	SSL_CTX_set_info_callback (ctx, &dtls_info_callback);
#endif
	SSL_CTX_set_read_ahead (ctx, 1); // Required for DTLS - please refer apps/s_client.c source file
	
	return ctx;
}
static void ssl_init_ctx_callbacks(server_rec *s,
                                   apr_pool_t *p,
                                   apr_pool_t *ptemp,
                                   modssl_ctx_t *mctx)
{
    SSL_CTX *ctx = mctx->ssl_ctx;

    SSL_CTX_set_tmp_rsa_callback(ctx, ssl_callback_TmpRSA);
    SSL_CTX_set_tmp_dh_callback(ctx,  ssl_callback_TmpDH);

    SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
}
void
tls_ctx_set_options (struct tls_root_ctx *ctx, unsigned int ssl_flags)
{
  ASSERT(NULL != ctx);

  /* process SSL options including minimum TLS version we will accept from peer */
  {
    long sslopt = SSL_OP_SINGLE_DH_USE | SSL_OP_NO_TICKET | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
    const int tls_ver_min =
	(ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) & SSLF_TLS_VERSION_MIN_MASK;
    int tls_ver_max =
	(ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK;

    if (tls_ver_max <= TLS_VER_UNSPEC)
	tls_ver_max = tls_version_max();

    if (tls_ver_min > TLS_VER_1_0 || tls_ver_max < TLS_VER_1_0)
      sslopt |= SSL_OP_NO_TLSv1;
#ifdef SSL_OP_NO_TLSv1_1
    if (tls_ver_min > TLS_VER_1_1 || tls_ver_max < TLS_VER_1_1)
      sslopt |= SSL_OP_NO_TLSv1_1;
#endif
#ifdef SSL_OP_NO_TLSv1_2
    if (tls_ver_min > TLS_VER_1_2 || tls_ver_max < TLS_VER_1_2)
      sslopt |= SSL_OP_NO_TLSv1_2;
#endif
#ifdef SSL_OP_NO_COMPRESSION
    /* Disable compression - flag not available in OpenSSL 0.9.8 */
    sslopt |= SSL_OP_NO_COMPRESSION;
#endif
    SSL_CTX_set_options (ctx->ctx, sslopt);
  }

  SSL_CTX_set_session_cache_mode (ctx->ctx, SSL_SESS_CACHE_OFF);
  SSL_CTX_set_default_passwd_cb (ctx->ctx, pem_password_callback);

  /* Require peer certificate verification */
#if P2MP_SERVER
  if (ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED)
    {
      msg (M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION "
	  "--client-cert-not-required may accept clients which do not present "
	  "a certificate");
    }
  else
#endif
  SSL_CTX_set_verify (ctx->ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
		      verify_callback);

  SSL_CTX_set_info_callback (ctx->ctx, info_callback);
}
int TlsInit( char* cacertPath )
{
    e_TlsError    vl_Error;
    char a_DefaultCertPath[] = DEFAULT_CERT_PATH;
    char *p_CertToUse;

    DEBUG_LOG_PRINT_LEV2(("TlsInit : Entry"));

    SSL_load_error_strings();
    SSL_library_init();

    gp_SSL_CTX = SSL_CTX_new(TLSv1_method());
    if( NULL == gp_SSL_CTX )
    {
        DEBUG_LOG_PRINT_LEV2(("SSL_CTX_new returned NULL!\n"));
         return FALSE;
    }
    if ( SSL_CTX_set_cipher_list(gp_SSL_CTX, DEFAULT_CIPHER_LIST ) != 1 )
    {
        DEBUG_LOG_PRINT_LEV2(("SSL_CTX_set_cipher_list returned NULL!\n"));
        SSL_CTX_free(gp_SSL_CTX);
        return FALSE;  // ERROR selecting SUPL cipher list
    }
    SSL_CTX_set_info_callback(gp_SSL_CTX, Tls_openssl_info_callback);
#ifdef AGPS_DISABLE_TLS_CA_CERT_VERIFY
    /* In this mode, even if a CA cert is not found, a secure connection is established */
    SSL_CTX_set_verify( gp_SSL_CTX , SSL_VERIFY_NONE , NULL );
#else
    /* If a CA cert is not found matching the server certificate, the handshake is shutdown */
    SSL_CTX_set_verify( gp_SSL_CTX , SSL_VERIFY_PEER , Tls_openssl_certificate_verify_callback );
#endif


    p_CertToUse = ( cacertPath == NULL ) ? a_DefaultCertPath : cacertPath;

    DEBUG_LOG_PRINT_LEV2(("TlsInit : Certificate %s\n" , p_CertToUse));

    if( SSL_CTX_load_verify_locations(gp_SSL_CTX, p_CertToUse ,NULL) != 1 )
    {
        DEBUG_LOG_PRINT_LEV2(("SSL_CTX_load_verify_locations failed!\n"));
         return FALSE;
    }
    DEBUG_LOG_PRINT_LEV2(("SSL_CTX_get_options : %ld" , SSL_CTX_get_options( gp_SSL_CTX ) ));
    SSL_CTX_set_options( gp_SSL_CTX,SSL_OP_NO_TICKET|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3) ;
    DEBUG_LOG_PRINT_LEV2(("SSL_CTX_get_options : %ld" , SSL_CTX_get_options( gp_SSL_CTX ) ));

    DEBUG_LOG_PRINT_LEV2(("TlsInit : Exit"));
    return TRUE;
}
Exemple #16
0
static void ssl_init_ctx_callbacks(server_rec *s,
                                   apr_pool_t *p,
                                   apr_pool_t *ptemp,
                                   modssl_ctx_t *mctx)
{
    SSL_CTX *ctx = mctx->ssl_ctx;

    SSL_CTX_set_tmp_rsa_callback(ctx, ssl_callback_TmpRSA);
    SSL_CTX_set_tmp_dh_callback(ctx,  ssl_callback_TmpDH);

    if (s->loglevel >= APLOG_DEBUG) {
        /* this callback only logs if LogLevel >= info */
        SSL_CTX_set_info_callback(ctx, ssl_callback_LogTracingState);
    }
}
Exemple #17
0
static void init()
{
    if (gSSL_CTX) return;
    SSL_load_error_strings();
    SSL_library_init();
    gSSL_CTX = SSL_CTX_new(TLSv1_method());
#if OPENSSL_VERSION_NUMBER >= 0x00905000L
    SSL_CTX_set_cipher_list(gSSL_CTX, "ADH:@STRENGTH");
#else
    SSL_CTX_set_cipher_list(gSSL_CTX, "ADH");
#endif
    SSL_CTX_set_info_callback(gSSL_CTX, (void (*)())ssl_info_callback);
    DH *dh = get_dh512();
    SSL_CTX_set_tmp_dh(gSSL_CTX, dh);
    DH_free(dh);
}
Exemple #18
0
void bb_socket_ssl(struct bb_acceptor *acceptor) {

        if (!blastbeat.ssl_initialized) {
                OPENSSL_config(NULL);
                SSL_library_init();
                SSL_load_error_strings();
                OpenSSL_add_all_algorithms();
                blastbeat.ssl_initialized = 1;
                blastbeat.ssl_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL);
        }

        acceptor->ctx = SSL_CTX_new(SSLv23_server_method());
        if (!acceptor->ctx) {
                fprintf(stderr, "unable to initialize SSL context: SSL_CTX_new()");
                exit(1);
        }

        long ssloptions = SSL_OP_NO_SSLv2 | SSL_OP_ALL | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION;
        // disable compression (if possibile)
#ifdef SSL_OP_NO_COMPRESSION
        ssloptions |= SSL_OP_NO_COMPRESSION;
#endif
        SSL_CTX_set_options(acceptor->ctx, ssloptions);

        // release/reuse buffers as soon as possibile
#ifdef SSL_MODE_RELEASE_BUFFERS
        SSL_CTX_set_mode(acceptor->ctx, SSL_MODE_RELEASE_BUFFERS);
#endif

        if (SSL_CTX_set_cipher_list(acceptor->ctx, "HIGH") == 0) {
                fprintf(stderr,"unable to set SSL ciphers: SSL_CTX_set_cipher_list()");
                exit(1);
        }

        SSL_CTX_set_options(acceptor->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);

        SSL_CTX_set_info_callback(acceptor->ctx, bb_ssl_info_cb);
#ifdef OPENSSL_NPN_UNSUPPORTED
        SSL_CTX_set_next_protos_advertised_cb(acceptor->ctx, bb_ssl_npn, NULL);
#endif

        SSL_CTX_set_session_cache_mode(acceptor->ctx, SSL_SESS_CACHE_SERVER);

        acceptor->read = bb_ssl_read;
        acceptor->write = bb_ssl_write;
}
Exemple #19
0
// --------------------
int main() {
  char client_key_file[1024];
  sprintf(client_key_file, "%s/%s", dirname(__FILE__), "client-key.pem");
 
  // Initialize SSL
  SSL_library_init();
  SSL_load_error_strings();

  BIO* bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
  SSL_CTX* ssl_ctx = SSL_CTX_new(SSLv23_client_method());
  int rc = SSL_CTX_use_PrivateKey_file(ssl_ctx, client_key_file, SSL_FILETYPE_PEM);
  if(!rc) {
    EXIT("Could not load client key file.\n");
  }

  SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2); 
  SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, dummy_ssl_verify_callback); // our callback always returns true, so no validation
  SSL_CTX_set_info_callback(ssl_ctx, dummy_ssl_info_callback);  // for dibugging
  SSL_CTX_set_msg_callback(ssl_ctx, dummy_ssl_msg_callback);

  uv_loop_t* loop = uv_loop_new();

  // Client context
  Client c;
  c.loop = loop;
  c.connect_req.data = &c;
  c.socket.data = &c;
  c.ssl = NULL;
  c.ssl_ctx = ssl_ctx;

  sprintf(c.host, "%s", "test.localhost");
  sprintf(c.port, "%s", "443");
  sprintf(c.page, "%s", "/chunked.php");

  // Resolve host
  struct addrinfo hints;
  hints.ai_family = PF_INET;
  hints.ai_socktype = SOCK_STREAM;
  hints.ai_protocol = IPPROTO_TCP;
  hints.ai_flags = 0;
  uv_getaddrinfo_t resolver;
  resolver.data = &c;
  int r = uv_getaddrinfo(loop, &resolver, on_resolved_callback, c.host, c.port, &hints);
  uv_run(loop, UV_RUN_DEFAULT);
  return 0;
}
Exemple #20
0
/**
 * @brief Configure generic SSL parameters 
 * @param d domain
 * @return 0
 */
static int set_ssl_options(tls_domain_t* d)
{
	int i;
	int procs_no;
	long options;
#if OPENSSL_VERSION_NUMBER >= 0x00908000L
	long ssl_version;
	STACK_OF(SSL_COMP)* comp_methods;
#endif
	
	procs_no=get_max_procs();
	options=SSL_OP_ALL; /* all the bug workarrounds by default */
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
	options|=SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
				SSL_OP_CIPHER_SERVER_PREFERENCE;
#if		OPENSSL_VERSION_NUMBER >= 0x00908000L
	ssl_version=SSLeay();
	if ((ssl_version >= 0x0090800L) && (ssl_version < 0x0090803fL)){
		/* if 0.9.8 <= openssl version < 0.9.8c and compression support is
		 * enabled disable SSL_OP_TLS_BLOCK_PADDING_BUG (set by SSL_OP_ALL),
		 * see openssl #1204 http://rt.openssl.org/Ticket/Display.html?id=1204
		 */
		
		comp_methods=SSL_COMP_get_compression_methods();
		if (comp_methods && (sk_SSL_COMP_num(comp_methods) > 0)){
			options &= ~SSL_OP_TLS_BLOCK_PADDING_BUG;
			LOG(L_WARN, "tls: set_ssl_options: openssl "
					"SSL_OP_TLS_BLOCK_PADDING bug workaround enabled "
					"(openssl version %lx)\n", ssl_version);
		}else{
			LOG(L_INFO, "tls: set_ssl_options: detected openssl version (%lx) "
					" has the SSL_OP_TLS_BLOCK_PADDING bug, but compression "
					" is disabled so no workaround is needed\n", ssl_version);
		}
	}
#	endif
#endif
	for(i = 0; i < procs_no; i++) {
		SSL_CTX_set_options(d->ctx[i], options);
		if(sr_tls_renegotiation==0)
			SSL_CTX_set_info_callback(d->ctx[i], sr_ssl_ctx_info_callback);
	}
	return 0;
}
Exemple #21
0
/* initialize a new connection; @todo cleanup + free on failure */
int krx_ssl_conn_init(krx_ssl* k) {

  printf("------------ start initialize ssl_con -----------\n");

  if(k->conn_initialized) {
    printf("Error: already initialize the ssl connection.\n");
    return -1;
  }

  k->ssl = SSL_new(k->ctx);
  if(k->ssl == NULL) {
    printf("Error: cannot create the SSL object.\n");
    ERR_print_errors_fp(stderr);
    return -2;
  }

  k->in = BIO_new(&krx_bio);
  if(k->in == NULL) {
    printf("Error: cannot create the in BIO.\n");
    SSL_free(k->ssl);
    return -3;
  }

  k->out = BIO_new(&krx_bio);
  if(k->out == NULL) {
    BIO_free(k->in);
    SSL_free(k->ssl);
    return -4;
  }

  k->in->ptr = k;
  k->out->ptr = k;

  SSL_set_bio(k->ssl, k->in, k->out);

  SSL_set_accept_state(k->ssl);  /* set to accept state so it we act like we're a server */

  SSL_CTX_set_info_callback(k->ctx, krx_ssl_info_callback);

  k->conn_initialized = true; 

  printf("------------ end initialize ssl_con -----------\n");
  return 0;
}
Exemple #22
0
SSL_CTX *
_SSL_context_init (void (*info_cb_func), int server)
{
    SSL_CTX *ctx;

    SSLeay_add_ssl_algorithms ();
    SSL_load_error_strings ();
    ctx =
        SSL_CTX_new (server ? SSLv3_server_method () :
                     SSLv3_client_method ());

    SSL_CTX_set_session_cache_mode (ctx, SSL_SESS_CACHE_BOTH);
    SSL_CTX_set_timeout (ctx, 300);

    /* used in SSL_connect(), SSL_accept() */
    SSL_CTX_set_info_callback (ctx, info_cb_func);

    return (ctx);
}
Exemple #23
0
int
tls_configure_ssl(struct tls *ctx)
{
	SSL_CTX_set_mode(ctx->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
	SSL_CTX_set_mode(ctx->ssl_ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
	SSL_CTX_set_mode(ctx->ssl_ctx, SSL_MODE_RELEASE_BUFFERS);

	SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv2);
	SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv3);

	SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1);
	SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_1);
	SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_2);

	if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_0) == 0)
		SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1);
	if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_1) == 0)
		SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_1);
	if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_2) == 0)
		SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_2);

	if (ctx->config->ciphers != NULL) {
		if (SSL_CTX_set_cipher_list(ctx->ssl_ctx,
		    ctx->config->ciphers) != 1) {
			tls_set_errorx(ctx, "failed to set ciphers");
			goto err;
		}
	}

	SSL_CTX_set_info_callback(ctx->ssl_ctx, tls_info_callback);

#ifdef X509_V_FLAG_NO_CHECK_TIME
	if (ctx->config->verify_time == 0) {
		X509_VERIFY_PARAM *vfp = SSL_CTX_get0_param(ctx->ssl_ctx);
		X509_VERIFY_PARAM_set_flags(vfp, X509_V_FLAG_NO_CHECK_TIME);
	}
#endif

	return (0);

 err:
	return (-1);
}
int SslContext::init(int iMethod)
{
    if (m_pCtx != NULL)
        return 0;
    SSL_METHOD *meth;
    if (initSSL())
        return LS_FAIL;
    m_iMethod = iMethod;
    m_iEnableSpdy = 0;
    meth = (SSL_METHOD *)SSLv23_method();
    m_pCtx = SSL_CTX_new(meth);
    if (m_pCtx)
    {
#ifdef SSL_OP_NO_COMPRESSION
        /* OpenSSL >= 1.0 only */
        SSL_CTX_set_options(m_pCtx, SSL_OP_NO_COMPRESSION);
#endif
        setOptions(SSL_OP_SINGLE_DH_USE | SSL_OP_ALL);
        //setOptions( SSL_OP_NO_SSLv2 );
        updateProtocol(iMethod);

        setOptions(SSL_OP_CIPHER_SERVER_PREFERENCE);

        SSL_CTX_set_mode(m_pCtx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER
#ifdef SSL_MODE_RELEASE_BUFFERS
                         | SSL_MODE_RELEASE_BUFFERS
#endif
                        );
        if (m_iRenegProtect)
        {
            setOptions(SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
            SSL_CTX_set_info_callback(m_pCtx, SslConnection_ssl_info_cb);
        }

        //initECDH();
        return 0;
    }
    else
    {
        //TODO: log ssl error
        return LS_FAIL;
    }
}
Exemple #25
0
/*
 *	Attempt to negotiate SSL connection.
 */
static int
open_server_SSL(Port *port)
{
	Assert(!port->ssl);
	Assert(!port->peer);

	if (!(port->ssl = SSL_new(SSL_context)) ||
		!my_SSL_set_fd(port->ssl, port->sock) ||
		SSL_accept(port->ssl) <= 0)
	{
		ereport(COMMERROR,
				(errcode(ERRCODE_PROTOCOL_VIOLATION),
				 errmsg("could not initialize SSL connection: %s",
						SSLerrmessage())));
		close_SSL(port);
		return -1;
	}
	port->count = 0;

	/* get client certificate, if available. */
	port->peer = SSL_get_peer_certificate(port->ssl);
	if (port->peer == NULL)
	{
		strncpy(port->peer_dn, "(anonymous)", sizeof(port->peer_dn));
		strncpy(port->peer_cn, "(anonymous)", sizeof(port->peer_cn));
	}
	else
	{
		X509_NAME_oneline(X509_get_subject_name(port->peer),
						  port->peer_dn, sizeof(port->peer_dn));
		port->peer_dn[sizeof(port->peer_dn) - 1] = '\0';
		X509_NAME_get_text_by_NID(X509_get_subject_name(port->peer),
				   NID_commonName, port->peer_cn, sizeof(port->peer_cn));
		port->peer_cn[sizeof(port->peer_cn) - 1] = '\0';
	}
	ereport(DEBUG2,
			(errmsg("SSL connection from \"%s\"", port->peer_cn)));

	/* set up debugging/info callback */
	SSL_CTX_set_info_callback(SSL_context, info_cb);

	return 0;
}
Exemple #26
0
SSL_CTX *bb_new_ssl_ctx() {

        SSL_CTX *ctx = SSL_CTX_new(SSLv23_server_method());
        if (!ctx) {
                fprintf(stderr, "unable to initialize SSL context: SSL_CTX_new()");
		return NULL;
        }

        long ssloptions = SSL_OP_NO_SSLv2 | SSL_OP_ALL | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION;
        // disable compression (if possibile)
#ifdef SSL_OP_NO_COMPRESSION
        ssloptions |= SSL_OP_NO_COMPRESSION;
#endif
        SSL_CTX_set_options(ctx, ssloptions);

        // release/reuse buffers as soon as possibile
#ifdef SSL_MODE_RELEASE_BUFFERS
        SSL_CTX_set_mode(ctx, SSL_MODE_RELEASE_BUFFERS);
#endif

        if (SSL_CTX_set_cipher_list(ctx, "HIGH") == 0) {
                fprintf(stderr,"unable to set SSL ciphers: SSL_CTX_set_cipher_list()");
		SSL_CTX_free(ctx);
		return NULL;
        }

        SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);

        SSL_CTX_set_info_callback(ctx, bb_ssl_info_cb);
#ifdef OPENSSL_NPN_UNSUPPORTED
        SSL_CTX_set_next_protos_advertised_cb(ctx, bb_ssl_npn, NULL);
#endif
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
	SSL_CTX_set_tlsext_servername_callback(ctx, bb_ssl_servername);	
#else
#warning TLS SNI support not available !!!
#endif

        SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER);

	return ctx;
}
Exemple #27
0
void * tls_init(void)
{
	SSL_CTX *ssl;

	SSL_load_error_strings();
	SSL_library_init();
	/* TODO: if /dev/urandom is available, PRNG is seeded automatically.
	 * If this is not the case, random data should be added here. */

#ifdef PKCS12_FUNCS
	PKCS12_PBE_add();
#endif  /* PKCS12_FUNCS */

	ssl = SSL_CTX_new(TLSv1_method());
	if (ssl == NULL)
		return NULL;

	SSL_CTX_set_info_callback(ssl, ssl_info_cb);

	return ssl;
}
Exemple #28
0
SSL_CTX *
_SSL_context_init (void (*info_cb_func), int server)
{
	SSL_CTX *ctx;
#ifdef WIN32
	int i, r;
#endif

	SSLeay_add_ssl_algorithms ();
	SSL_load_error_strings ();
	ctx = SSL_CTX_new (server ? SSLv23_server_method() : SSLv23_client_method ());

	SSL_CTX_set_session_cache_mode (ctx, SSL_SESS_CACHE_BOTH);
	SSL_CTX_set_timeout (ctx, 300);
	SSL_CTX_set_options (ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3
							  |SSL_OP_NO_COMPRESSION
							  |SSL_OP_SINGLE_DH_USE|SSL_OP_SINGLE_ECDH_USE
							  |SSL_OP_NO_TICKET
							  |SSL_OP_CIPHER_SERVER_PREFERENCE);

#if OPENSSL_VERSION_NUMBER >= 0x00908000L /* workaround for OpenSSL 0.9.8 */
	sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());
#endif

	/* used in SSL_connect(), SSL_accept() */
	SSL_CTX_set_info_callback (ctx, info_cb_func);

#ifdef WIN32
	/* under win32, OpenSSL needs to be seeded with some randomness */
	for (i = 0; i < 128; i++)
	{
		r = rand ();
		RAND_seed ((unsigned char *)&r, sizeof (r));
	}
#endif

	return(ctx);
}
Exemple #29
0
static void tls_init_options(void)
{
    static int passes;

# ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
    SSL_CTX_set_options(tls_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
# endif
# ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
    SSL_CTX_set_options(tls_ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
# endif
    SSL_CTX_set_options(tls_ctx, SSL_OP_NO_SSLv2);
    SSL_CTX_set_options(tls_ctx, SSL_OP_NO_SSLv3);
# ifdef SSL_OP_NO_TLSv1
    SSL_CTX_set_options(tls_ctx, SSL_OP_NO_TLSv1);
# endif
# ifdef SSL_OP_NO_TLSv1_1
    SSL_CTX_set_options(tls_ctx, SSL_OP_NO_TLSv1_1);
# endif
# ifdef SSL_OP_NO_TLSv1_2
    SSL_CTX_clear_options(tls_ctx, SSL_OP_NO_TLSv1_2);
# endif
# ifdef SSL_OP_NO_TLSv1_3
    SSL_CTX_clear_options(tls_ctx, SSL_OP_NO_TLSv1_3);
# endif
    if (tlsciphersuite != NULL) {
        if (SSL_CTX_set_cipher_list(tls_ctx, tlsciphersuite) != 1) {
            logfile(LOG_ERR, MSG_TLS_CIPHER_FAILED, tlsciphersuite);
            _EXIT(EXIT_FAILURE);
        }
    }
    SSL_CTX_set_info_callback(tls_ctx, ssl_info_cb);
    if (passes == 0) {
        SSL_CTX_set_tlsext_servername_callback(tls_ctx, ssl_servername_cb);
        passes++;
    }
    SSL_CTX_set_verify_depth(tls_ctx, MAX_CERTIFICATE_DEPTH);
}
Exemple #30
0
void
tls_ctx_set_options (struct tls_root_ctx *ctx, unsigned int ssl_flags)
{
  ASSERT(NULL != ctx);

  SSL_CTX_set_session_cache_mode (ctx->ctx, SSL_SESS_CACHE_OFF);
  SSL_CTX_set_options (ctx->ctx, SSL_OP_SINGLE_DH_USE);
  SSL_CTX_set_default_passwd_cb (ctx->ctx, pem_password_callback);

  /* Require peer certificate verification */
#if P2MP_SERVER
  if (ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED)
    {
      msg (M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION "
	  "--client-cert-not-required may accept clients which do not present "
	  "a certificate");
    }
  else
#endif
  SSL_CTX_set_verify (ctx->ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
		      verify_callback);

  SSL_CTX_set_info_callback (ctx->ctx, info_callback);
}