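/*
 * Build the server's global SSL context and load its certificate and
 * private key from the given PEM files.
 *
 * Writes the file-scope `ssl_ctx` (declared outside this function).
 * Returns 0 on success, -1 if the context could not be created or a file
 * could not be loaded.  On failure the partially built context is freed
 * and `ssl_ctx` is reset to NULL, so a caller that ignores the return
 * value still cannot serve with a half-configured context.
 */
static int setup_ssl(const char *cert_file, const char *key_file)
{
    SSL_load_error_strings();
    SSL_library_init();
    OpenSSL_add_all_algorithms();

    ssl_ctx = SSL_CTX_new(SSLv23_server_method());
    if (ssl_ctx == NULL) {
        /* SSL_CTX_set_options below would dereference NULL otherwise */
        fprintf(stderr, "an error occured while trying to create the SSL context\n");
        return -1;
    }
    /* SSLv23_server_method() negotiates any version; refuse the broken ones */
    SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);

    /* load certificate and private key */
    if (SSL_CTX_use_certificate_file(ssl_ctx, cert_file, SSL_FILETYPE_PEM) != 1) {
        fprintf(stderr, "an error occured while trying to load server certificate file:%s\n", cert_file);
        goto Error;
    }
    if (SSL_CTX_use_PrivateKey_file(ssl_ctx, key_file, SSL_FILETYPE_PEM) != 1) {
        fprintf(stderr, "an error occured while trying to load private key file:%s\n", key_file);
        goto Error;
    }
    /* a key that does not belong to the certificate would otherwise only
     * show up as handshake failures at runtime */
    if (SSL_CTX_check_private_key(ssl_ctx) != 1) {
        fprintf(stderr, "private key file:%s does not match certificate file:%s\n", key_file, cert_file);
        goto Error;
    }

    /* setup protocol negotiation methods */
#if H2O_USE_NPN
    h2o_ssl_register_npn_protocols(ssl_ctx, h2o_http2_npn_protocols);
#endif
#if H2O_USE_ALPN
    h2o_ssl_register_alpn_protocols(ssl_ctx, h2o_http2_alpn_protocols);
#endif

    return 0;

Error:
    SSL_CTX_free(ssl_ctx);
    ssl_ctx = NULL;
    return -1;
}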
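/*
 * Configurator callback for the `ssl` property of a `listen` entry.
 *
 * Parses `config_node`, which must be a mapping with the scalar properties
 * `certificate-file` and `key-file`, builds an SSL_CTX for the listener and
 * loads the certificate and key into it.  Returns the new context, which
 * the caller owns and releases with SSL_CTX_free(), or NULL after reporting
 * the problem through h2o_config_print_error() (OpenSSL details go to
 * stderr).  Nothing is leaked on the error path.
 */
static SSL_CTX *on_config_listen_setup_ssl(h2o_configurator_command_t *cmd, const char *config_file, yoml_t *config_node)
{
    SSL_CTX *ssl_ctx = NULL;
    const char *cert_file = NULL, *key_file = NULL;
    yoml_t *t;

    /* parse */
    if (config_node->type != YOML_TYPE_MAPPING) {
        h2o_config_print_error(cmd, config_file, config_node, "`ssl` is not a mapping");
        goto Error;
    }
    if ((t = yoml_get(config_node, "certificate-file")) == NULL) {
        h2o_config_print_error(cmd, config_file, config_node, "could not find mandatory property `certificate-file`");
        goto Error;
    } else if (t->type != YOML_TYPE_SCALAR) {
        h2o_config_print_error(cmd, config_file, t, "the property must be a string");
        goto Error;
    }
    cert_file = t->data.scalar;
    if ((t = yoml_get(config_node, "key-file")) == NULL) {
        h2o_config_print_error(cmd, config_file, config_node, "could not find mandatory property `key-file`");
        goto Error;
    } else if (t->type != YOML_TYPE_SCALAR) {
        h2o_config_print_error(cmd, config_file, t, "the property must be a string");
        goto Error;
    }
    key_file = t->data.scalar;

    /* setup */
    init_openssl();
    ssl_ctx = SSL_CTX_new(SSLv23_server_method());
    if (ssl_ctx == NULL) {
        /* SSL_CTX_set_options() would dereference NULL otherwise */
        h2o_config_print_error(cmd, config_file, config_node, "failed to create SSL context");
        ERR_print_errors_fp(stderr);
        goto Error;
    }
    SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2);
    setup_ecc_key(ssl_ctx);
    if (SSL_CTX_use_certificate_file(ssl_ctx, cert_file, SSL_FILETYPE_PEM) != 1) {
        h2o_config_print_error(cmd, config_file, config_node, "failed to load certificate file:%s\n", cert_file);
        ERR_print_errors_fp(stderr);
        goto Error;
    }
    if (SSL_CTX_use_PrivateKey_file(ssl_ctx, key_file, SSL_FILETYPE_PEM) != 1) {
        h2o_config_print_error(cmd, config_file, config_node, "failed to load private key file:%s\n", key_file);
        ERR_print_errors_fp(stderr);
        goto Error;
    }
    /* catch a key/certificate mismatch at config time rather than as
     * handshake failures once the listener is up */
    if (SSL_CTX_check_private_key(ssl_ctx) != 1) {
        h2o_config_print_error(cmd, config_file, config_node, "private key file:%s does not match certificate file:%s\n", key_file,
                               cert_file);
        ERR_print_errors_fp(stderr);
        goto Error;
    }

    /* setup protocol negotiation methods */
#if H2O_USE_NPN
    h2o_ssl_register_npn_protocols(ssl_ctx, h2o_http2_npn_protocols);
#endif
#if H2O_USE_ALPN
    h2o_ssl_register_alpn_protocols(ssl_ctx, h2o_http2_alpn_protocols);
#endif

    return ssl_ctx;
Error:
    /* SSL_CTX_free(NULL) is a no-op, so no guard is needed */
    SSL_CTX_free(ssl_ctx);
    return NULL;
}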
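/*
 * One-time, process-wide OpenSSL initialization.
 *
 * Installs the static and dynamic locking callbacks OpenSSL needs when it
 * is driven from several threads, creates the TLS 1.2 server context in
 * global_data->ssl_ctx, and loads the certificate and private key named by
 * config->cert / config->key.
 *
 * There is no error return: a failure is reported on stderr and terminates
 * the process, matching what the CHECK_ERROR / CHECK_OPENSSL_ERROR macros
 * used here presumably do on failure (confirm in their definitions).
 *
 * NOTE(review): CRYPTO_num_locks()/CRYPTO_set_*_callback() belong to the
 * pre-1.1.0 threading API; on newer OpenSSL they are no-ops.
 */
void initialize_openssl(const config_t *config, global_data_t *global_data)
{
	SSL_library_init();
	SSL_load_error_strings();
	openssl_global_data.num_lock = CRYPTO_num_locks();
	openssl_global_data.lock = calloc(openssl_global_data.num_lock,
	                                  sizeof(*openssl_global_data.lock));
	/* the loop below indexes the array; an unchecked calloc failure would
	 * surface as a NULL dereference with no diagnostic */
	if (openssl_global_data.lock == NULL) {
		fprintf(stderr, "initialize_openssl: failed to allocate %zu locks\n",
		        (size_t)openssl_global_data.num_lock);
		exit(EXIT_FAILURE);
	}
	CHECK_ERROR(pthread_mutexattr_init, &openssl_global_data.lock_attr);
	CHECK_ERROR(pthread_mutexattr_settype,
	            &openssl_global_data.lock_attr,
	            PTHREAD_MUTEX_ADAPTIVE_NP);

	for (size_t i = 0; i < openssl_global_data.num_lock; i++)
		CHECK_ERROR(pthread_mutex_init,
		            openssl_global_data.lock + i,
		            &openssl_global_data.lock_attr);

	CRYPTO_set_locking_callback(locking_function);
	CRYPTO_set_dynlock_create_callback(dyn_create_function);
	CRYPTO_set_dynlock_destroy_callback(dyn_destroy_function);
	CRYPTO_set_dynlock_lock_callback(dyn_lock_function);
	global_data->ssl_ctx = SSL_CTX_new(TLSv1_2_server_method());
	/* every call below dereferences the context */
	if (global_data->ssl_ctx == NULL) {
		fprintf(stderr, "initialize_openssl: SSL_CTX_new failed\n");
		exit(EXIT_FAILURE);
	}
#if OPENSSL_VERSION_NUMBER >= 0x1000200fL
	SSL_CTX_set_ecdh_auto(global_data->ssl_ctx, 1);
	h2o_ssl_register_alpn_protocols(global_data->ssl_ctx, h2o_http2_alpn_protocols);
#endif
	/* SSL_CTX_set_cipher_list() returns 0 when no cipher matches; an
	 * unchecked failure would silently keep OpenSSL's built-in default */
	CHECK_OPENSSL_ERROR(SSL_CTX_set_cipher_list,
	                    global_data->ssl_ctx,
	                    "DEFAULT:!3DES:!RC4");
	CHECK_OPENSSL_ERROR(SSL_CTX_use_certificate_file,
	                    global_data->ssl_ctx,
	                    config->cert,
	                    SSL_FILETYPE_PEM);
	CHECK_OPENSSL_ERROR(SSL_CTX_use_PrivateKey_file,
	                    global_data->ssl_ctx,
	                    config->key,
	                    SSL_FILETYPE_PEM);
	/* fail at startup, not at the first handshake, if key and cert differ */
	CHECK_OPENSSL_ERROR(SSL_CTX_check_private_key,
	                    global_data->ssl_ctx);
}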