void Context::flushSessionCache() { poco_assert (isForServerUse()); Poco::Timestamp now; SSL_CTX_flush_sessions(_pSSLContext, static_cast<long>(now.epochTime())); }
void SSLContext::enableSessionCache(bool flag) { if (flag) { SSL_CTX_set_session_cache_mode(_sslContext, isForServerUse() ? SSL_SESS_CACHE_SERVER : SSL_SESS_CACHE_CLIENT); } else { SSL_CTX_set_session_cache_mode(_sslContext, SSL_SESS_CACHE_OFF); } }
SSLContext::SSLContext( Usage usage, const std::string& caLocation, VerificationMode verificationMode, int verificationDepth, bool loadDefaultCAs, const std::string& cipherList): _usage(usage), _mode(verificationMode), _sslContext(0), _extendedVerificationErrorDetails(true) { crypto::initializeEngine(); createSSLContext(); int errCode = 0; if (!caLocation.empty()) { if (fs::isdir(caLocation)) errCode = SSL_CTX_load_verify_locations(_sslContext, 0, fs::transcode(caLocation).c_str()); else errCode = SSL_CTX_load_verify_locations(_sslContext, fs::transcode(caLocation).c_str(), 0); if (errCode != 1) { std::string msg = getLastError(); SSL_CTX_free(_sslContext); throw std::runtime_error(std::string("SSL Error: Cannot load CA file/directory at ") + caLocation + ": " + msg); } } if (loadDefaultCAs) { errCode = SSL_CTX_set_default_verify_paths(_sslContext); if (errCode != 1) { std::string msg = getLastError(); SSL_CTX_free(_sslContext); throw std::runtime_error("SSL Error: Cannot load default CA certificates: " + msg); } } if (isForServerUse()) SSL_CTX_set_verify(_sslContext, verificationMode, &SSLManager::verifyServerCallback); else SSL_CTX_set_verify(_sslContext, verificationMode, &SSLManager::verifyClientCallback); SSL_CTX_set_cipher_list(_sslContext, cipherList.c_str()); SSL_CTX_set_verify_depth(_sslContext, verificationDepth); SSL_CTX_set_mode(_sslContext, SSL_MODE_AUTO_RETRY); SSL_CTX_set_session_cache_mode(_sslContext, SSL_SESS_CACHE_OFF); }
void SSLContext::enableSessionCache(bool flag, const std::string& sessionIdContext) { assert(isForServerUse()); if (flag) { SSL_CTX_set_session_cache_mode(_sslContext, SSL_SESS_CACHE_SERVER); } else { SSL_CTX_set_session_cache_mode(_sslContext, SSL_SESS_CACHE_OFF); } unsigned length = static_cast<unsigned>(sessionIdContext.length()); if (length > SSL_MAX_SSL_SESSION_ID_LENGTH) length = SSL_MAX_SSL_SESSION_ID_LENGTH; int rc = SSL_CTX_set_session_id_context(_sslContext, reinterpret_cast<const unsigned char*>(sessionIdContext.data()), length); if (rc != 1) throw std::runtime_error("SSL Error: cannot set session ID context"); }
void SSLContext::setSessionTimeout(long seconds) { assert(isForServerUse()); SSL_CTX_set_timeout(_sslContext, seconds); }
std::size_t SSLContext::getSessionCacheSize() const { assert(isForServerUse()); return static_cast<std::size_t>(SSL_CTX_sess_get_cache_size(_sslContext)); }
void SSLContext::setSessionCacheSize(std::size_t size) { assert(isForServerUse()); SSL_CTX_sess_set_cache_size(_sslContext, static_cast<long>(size)); }
long Context::getSessionTimeout() const { poco_assert (isForServerUse()); return SSL_CTX_get_timeout(_pSSLContext); }
void Context::init(const Params& params) { Poco::Crypto::OpenSSLInitializer::initialize(); createSSLContext(); try { int errCode = 0; if (!params.caLocation.empty()) { Poco::File aFile(params.caLocation); if (aFile.isDirectory()) errCode = SSL_CTX_load_verify_locations(_pSSLContext, 0, Poco::Path::transcode(params.caLocation).c_str()); else errCode = SSL_CTX_load_verify_locations(_pSSLContext, Poco::Path::transcode(params.caLocation).c_str(), 0); if (errCode != 1) { std::string msg = Utility::getLastError(); throw SSLContextException(std::string("Cannot load CA file/directory at ") + params.caLocation, msg); } } if (params.loadDefaultCAs) { errCode = SSL_CTX_set_default_verify_paths(_pSSLContext); if (errCode != 1) { std::string msg = Utility::getLastError(); throw SSLContextException("Cannot load default CA certificates", msg); } } if (!params.privateKeyFile.empty()) { errCode = SSL_CTX_use_PrivateKey_file(_pSSLContext, Poco::Path::transcode(params.privateKeyFile).c_str(), SSL_FILETYPE_PEM); if (errCode != 1) { std::string msg = Utility::getLastError(); throw SSLContextException(std::string("Error loading private key from file ") + params.privateKeyFile, msg); } } if (!params.certificateFile.empty()) { errCode = SSL_CTX_use_certificate_chain_file(_pSSLContext, Poco::Path::transcode(params.certificateFile).c_str()); if (errCode != 1) { std::string errMsg = Utility::getLastError(); throw SSLContextException(std::string("Error loading certificate from file ") + params.certificateFile, errMsg); } } if (isForServerUse()) SSL_CTX_set_verify(_pSSLContext, params.verificationMode, &SSLManager::verifyServerCallback); else SSL_CTX_set_verify(_pSSLContext, params.verificationMode, &SSLManager::verifyClientCallback); SSL_CTX_set_cipher_list(_pSSLContext, params.cipherList.c_str()); SSL_CTX_set_verify_depth(_pSSLContext, params.verificationDepth); SSL_CTX_set_mode(_pSSLContext, SSL_MODE_AUTO_RETRY); SSL_CTX_set_session_cache_mode(_pSSLContext, SSL_SESS_CACHE_OFF); initDH(params.dhParamsFile); initECDH(params.ecdhCurve); } catch (...) { SSL_CTX_free(_pSSLContext); throw; } }