void SSLContextManager::reloadTrustStore(Uint32 contextType) { PEG_METHOD_ENTER(TRC_SSL, "SSLContextManager::reloadTrustStore()"); SSL_CTX* sslContext; String trustStore = String::EMPTY; if ( contextType == SERVER_CONTEXT && _sslContext ) { PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL4, "Context Type is Server Context."); sslContext = _sslContext->_rep->getContext(); trustStore = _sslContext->getTrustStore(); } else if ( contextType == EXPORT_CONTEXT && _exportSSLContext ) { PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL4, "Context Type is Export Context."); sslContext = _exportSSLContext->_rep->getContext(); trustStore = _exportSSLContext->getTrustStore(); } else { PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL2, "Could not reload the trust store, SSL Context is not initialized."); MessageLoaderParms parms( "Pegasus.Common.SSLContextManager.COULD_NOT_RELOAD_TRUSTSTORE_SSL_CONTEXT_NOT_INITIALIZED", "Could not reload the trust store, SSL Context is not initialized."); PEG_METHOD_EXIT(); throw SSLException(parms); } if (trustStore == String::EMPTY) { PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL4, "Could not reload the trust store, the trust store is not configured."); MessageLoaderParms parms( "Pegasus.Common.SSLContextManager.TRUST_STORE_NOT_CONFIGURED", "Could not reload the trust store, the trust store is not configured."); PEG_METHOD_EXIT(); throw SSLException(parms); } X509_STORE* newStore = _getNewX509Store(trustStore); // // acquire write lock to Context object and then overwrite the trust // store cache // { WriteLock contextLock(_sslContextObjectLock); SSL_CTX_set_cert_store(sslContext, newStore); } PEG_METHOD_EXIT(); }
void SecureSocketImpl::connectSSL(bool performHandshake) { poco_assert (!_pSSL); poco_assert (_pSocket->initialized()); BIO* pBIO = BIO_new(BIO_s_socket()); if (!pBIO) throw SSLException("Cannot create SSL BIO object"); BIO_set_fd(pBIO, static_cast<int>(_pSocket->sockfd()), BIO_NOCLOSE); _pSSL = SSL_new(_pContext->sslContext()); if (!_pSSL) { BIO_free(pBIO); throw SSLException("Cannot create SSL object"); } SSL_set_bio(_pSSL, pBIO, pBIO); #if OPENSSL_VERSION_NUMBER >= 0x0908060L && !defined(OPENSSL_NO_TLSEXT) if (!_peerHostName.empty()) { SSL_set_tlsext_host_name(_pSSL, _peerHostName.c_str()); } #endif if (_pSession) { SSL_set_session(_pSSL, _pSession->sslSession()); } try { if (performHandshake && _pSocket->getBlocking()) { int ret = SSL_connect(_pSSL); handleError(ret); verifyPeerCertificate(); } else { SSL_set_connect_state(_pSSL); _needHandshake = true; } } catch (...) { SSL_free(_pSSL); _pSSL = 0; throw; } }
void SSLContextManager::reloadCRLStore() { PEG_METHOD_ENTER(TRC_SSL, "SSLContextManager::reloadCRLStore()"); if (!_sslContext && !_exportSSLContext) { PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL2, "Could not reload the crl store, SSL Context is not initialized."); MessageLoaderParms parms( "Pegasus.Common.SSLContextManager.COULD_NOT_RELOAD_CRL_STORE_SSL_CONTEXT_NOT_INITIALIZED", "Could not reload the crl store, SSL Context is not initialized."); PEG_METHOD_EXIT(); throw SSLException(parms); } String crlPath = _sslContext->getCRLPath(); if (crlPath == String::EMPTY) { PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL4, "Could not reload the crl store, the crl store is not configured."); MessageLoaderParms parms( "Pegasus.Common.SSLContextManager.CRL_STORE_NOT_CONFIGURED", "Could not reload the crl store, the crl store is not configured."); PEG_METHOD_EXIT(); throw SSLException(parms); } PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL4, "CRL store path is " + crlPath); //update the CRL store for both the server and the export server since they share the same CRL store X509_STORE* crlStore; { WriteLock contextLock(_sslContextObjectLock); if (_sslContext) { _sslContext->_rep->setCRLStore(_getNewX509Store(crlPath)); } if (_exportSSLContext) { _exportSSLContext->_rep->setCRLStore(_getNewX509Store(crlPath)); } } PEG_METHOD_EXIT(); }
X509Certificate SecureStreamSocketImpl::peerCertificate() const { X509* pCert = _impl.peerCertificate(); if (pCert) return X509Certificate(pCert); else throw SSLException("No certificate available"); }
void Context::createSSLContext() { if (SSLManager::isFIPSEnabled()) { _pSSLContext = SSL_CTX_new(TLSv1_method()); } else { switch (_usage) { case CLIENT_USE: _pSSLContext = SSL_CTX_new(SSLv23_client_method()); break; case SERVER_USE: _pSSLContext = SSL_CTX_new(SSLv23_server_method()); break; #if defined(SSL_OP_NO_TLSv1) && !defined(OPENSSL_NO_TLS1) case TLSV1_CLIENT_USE: _pSSLContext = SSL_CTX_new(TLSv1_client_method()); break; case TLSV1_SERVER_USE: _pSSLContext = SSL_CTX_new(TLSv1_server_method()); break; #endif #if defined(SSL_OP_NO_TLSv1_1) && !defined(OPENSSL_NO_TLS1) /* SSL_OP_NO_TLSv1_1 is defined in ssl.h if the library version supports TLSv1.1. * OPENSSL_NO_TLS1 is defined in opensslconf.h or on the compiler command line * if TLS1.x was removed at OpenSSL library build time via Configure options. */ case TLSV1_1_CLIENT_USE: _pSSLContext = SSL_CTX_new(TLSv1_1_client_method()); break; case TLSV1_1_SERVER_USE: _pSSLContext = SSL_CTX_new(TLSv1_1_server_method()); break; #endif #if defined(SSL_OP_NO_TLSv1_2) && !defined(OPENSSL_NO_TLS1) case TLSV1_2_CLIENT_USE: _pSSLContext = SSL_CTX_new(TLSv1_2_client_method()); break; case TLSV1_2_SERVER_USE: _pSSLContext = SSL_CTX_new(TLSv1_2_server_method()); break; #endif default: throw Poco::InvalidArgumentException("Invalid or unsupported usage"); } } if (!_pSSLContext) { unsigned long err = ERR_get_error(); throw SSLException("Cannot create SSL_CTX object", ERR_error_string(err, 0)); } SSL_CTX_set_default_passwd_cb(_pSSLContext, &SSLManager::privateKeyPassphraseCallback); Utility::clearErrorStack(); SSL_CTX_set_options(_pSSLContext, SSL_OP_ALL); }
void SecureSocketImpl::acceptSSL() { poco_assert (!_pSSL); BIO* pBIO = BIO_new(BIO_s_socket()); if (!pBIO) throw SSLException("Cannot create BIO object"); BIO_set_fd(pBIO, static_cast<int>(_pSocket->sockfd()), BIO_NOCLOSE); _pSSL = SSL_new(_pContext->sslContext()); if (!_pSSL) { BIO_free(pBIO); throw SSLException("Cannot create SSL object"); } SSL_set_bio(_pSSL, pBIO, pBIO); SSL_set_accept_state(_pSSL); _needHandshake = true; }
int SecureSocketImpl::handleError(int rc) { if (rc > 0) return rc; int sslError = SSL_get_error(_pSSL, rc); switch (sslError) { case SSL_ERROR_ZERO_RETURN: return 0; case SSL_ERROR_WANT_READ: return SecureStreamSocket::ERR_SSL_WANT_READ; case SSL_ERROR_WANT_WRITE: return SecureStreamSocket::ERR_SSL_WANT_WRITE; case SSL_ERROR_WANT_CONNECT: case SSL_ERROR_WANT_ACCEPT: case SSL_ERROR_WANT_X509_LOOKUP: // these should not occur poco_bugcheck(); return rc; default: { long lastError = ERR_get_error(); if (lastError == 0) { if (rc == 0 || rc == -1) { throw SSLConnectionUnexpectedlyClosedException(); } else { SecureStreamSocketImpl::error(Poco::format("The BIO reported an error: %d", rc)); } } else { char buffer[256]; ERR_error_string_n(lastError, buffer, sizeof(buffer)); std::string msg(buffer); throw SSLException(msg); } } break; } return rc; }
void SSLManager::initDefaultContext(bool server) { if (server && _ptrDefaultServerContext) return; if (!server && _ptrDefaultClientContext) return; Poco::Crypto::OpenSSLInitializer openSSLInitializer; initEvents(server); Poco::Util::AbstractConfiguration& config = appConfig(); #ifdef OPENSSL_FIPS bool fipsEnabled = config.getBool(CFG_FIPS_MODE, VAL_FIPS_MODE); if (fipsEnabled && !Poco::Crypto::OpenSSLInitializer::isFIPSEnabled()) { Poco::Crypto::OpenSSLInitializer::enableFIPSMode(true); } #endif std::string prefix = server ? CFG_SERVER_PREFIX : CFG_CLIENT_PREFIX; // mandatory options std::string privKeyFile = config.getString(prefix + CFG_PRIV_KEY_FILE, ""); std::string certFile = config.getString(prefix + CFG_CERTIFICATE_FILE, privKeyFile); std::string caLocation = config.getString(prefix + CFG_CA_LOCATION, ""); if (server && certFile.empty() && privKeyFile.empty()) throw SSLException("Configuration error: no certificate file has been specified"); // optional options for which we have defaults defined Context::VerificationMode verMode = VAL_VER_MODE; if (config.hasProperty(prefix + CFG_VER_MODE)) { // either: none, relaxed, strict, once std::string mode = config.getString(prefix + CFG_VER_MODE); verMode = Utility::convertVerificationMode(mode); } int verDepth = config.getInt(prefix + CFG_VER_DEPTH, VAL_VER_DEPTH); bool loadDefCA = config.getBool(prefix + CFG_ENABLE_DEFAULT_CA, VAL_ENABLE_DEFAULT_CA); std::string cipherList = config.getString(prefix + CFG_CIPHER_LIST, VAL_CIPHER_LIST); cipherList = config.getString(prefix + CFG_CYPHER_LIST, cipherList); // for backwards compatibility bool requireTLSv1 = config.getBool(prefix + CFG_REQUIRE_TLSV1, false); bool requireTLSv1_1 = config.getBool(prefix + CFG_REQUIRE_TLSV1_1, false); bool requireTLSv1_2 = config.getBool(prefix + CFG_REQUIRE_TLSV1_2, false); Context::Usage usage; if (server) { if (requireTLSv1_2) usage = Context::TLSV1_2_SERVER_USE; else if (requireTLSv1_1) usage = Context::TLSV1_1_SERVER_USE; else if (requireTLSv1) usage = Context::TLSV1_SERVER_USE; else usage = Context::SERVER_USE; _ptrDefaultServerContext = new Context(usage, privKeyFile, certFile, caLocation, verMode, verDepth, loadDefCA, cipherList); } else { if (requireTLSv1_2) usage = Context::TLSV1_2_CLIENT_USE; else if (requireTLSv1_1) usage = Context::TLSV1_1_CLIENT_USE; else if (requireTLSv1) usage = Context::TLSV1_CLIENT_USE; else usage = Context::CLIENT_USE; _ptrDefaultClientContext = new Context(usage, privKeyFile, certFile, caLocation, verMode, verDepth, loadDefCA, cipherList); } bool cacheSessions = config.getBool(prefix + CFG_CACHE_SESSIONS, false); if (server) { std::string sessionIdContext = config.getString(prefix + CFG_SESSION_ID_CONTEXT, config.getString("application.name", "")); _ptrDefaultServerContext->enableSessionCache(cacheSessions, sessionIdContext); if (config.hasProperty(prefix + CFG_SESSION_CACHE_SIZE)) { int cacheSize = config.getInt(prefix + CFG_SESSION_CACHE_SIZE); _ptrDefaultServerContext->setSessionCacheSize(cacheSize); } if (config.hasProperty(prefix + CFG_SESSION_TIMEOUT)) { int timeout = config.getInt(prefix + CFG_SESSION_TIMEOUT); _ptrDefaultServerContext->setSessionTimeout(timeout); } } else { _ptrDefaultClientContext->enableSessionCache(cacheSessions); } bool extendedVerification = config.getBool(prefix + CFG_EXTENDED_VERIFICATION, false); if (server) _ptrDefaultServerContext->enableExtendedCertificateVerification(extendedVerification); else _ptrDefaultClientContext->enableExtendedCertificateVerification(extendedVerification); }
SSLContext* CIMServer::_getSSLContext() { PEG_METHOD_ENTER(TRC_SERVER, "CIMServer::_getSSLContext()"); static const String PROPERTY_NAME__SSL_CERT_FILEPATH = "sslCertificateFilePath"; static const String PROPERTY_NAME__SSL_KEY_FILEPATH = "sslKeyFilePath"; static const String PROPERTY_NAME__SSL_TRUST_STORE = "sslTrustStore"; static const String PROPERTY_NAME__SSL_CRL_STORE = "crlStore"; static const String PROPERTY_NAME__SSL_CLIENT_VERIFICATION = "sslClientVerificationMode"; static const String PROPERTY_NAME__SSL_AUTO_TRUST_STORE_UPDATE = "enableSSLTrustStoreAutoUpdate"; static const String PROPERTY_NAME__SSL_TRUST_STORE_USERNAME = "******"; static const String PROPERTY_NAME__HTTP_ENABLED = "enableHttpConnection"; static const String PROPERTY_NAME__SSL_CIPHER_SUITE = "sslCipherSuite"; static const String PROPERTY_NAME__SSL_COMPATIBILITY = "sslBackwardCompatibility"; String verifyClient; String trustStore; SSLContext* sslContext = 0; // // Get a config manager instance // ConfigManager* configManager = ConfigManager::getInstance(); // Note that if invalid values were set for either sslKeyFilePath, // sslCertificateFilePath, crlStore or sslTrustStore, the invalid // paths would have been detected in SecurityPropertyOwner and // terminated the server startup. This happens regardless of whether // or not HTTPS is enabled (not a great design, but that seems to // be how other properties are validated as well) // // Get the sslClientVerificationMode property from the Config // Manager. // verifyClient = configManager->getCurrentValue( PROPERTY_NAME__SSL_CLIENT_VERIFICATION); // // Get the sslTrustStore property from the Config Manager. // trustStore = configManager->getCurrentValue( PROPERTY_NAME__SSL_TRUST_STORE); if (trustStore != String::EMPTY) { trustStore = ConfigManager::getHomedPath(trustStore); } PEG_TRACE((TRC_SERVER, Tracer::LEVEL4,"Server trust store name: %s", (const char*)trustStore.getCString())); // // Get the sslTrustStoreUserName property from the Config Manager. // String trustStoreUserName; trustStoreUserName = configManager->getCurrentValue( PROPERTY_NAME__SSL_TRUST_STORE_USERNAME); if (!String::equal(verifyClient, "disabled")) { // // 'required' and 'optional' settings must have a valid truststore // if (trustStore == String::EMPTY) { MessageLoaderParms parms( "Pegasus.Server.SSLContextManager." "SSL_CLIENT_VERIFICATION_EMPTY_TRUSTSTORE", "The \"sslTrustStore\" configuration property must be set " "if \"sslClientVerificationMode\" is 'required' or " "'optional'."); PEG_METHOD_EXIT(); throw SSLException(parms); } #ifdef PEGASUS_DISABLE_LOCAL_DOMAIN_SOCKET // // ATTN: 'required' setting must have http port enabled. // If only https is enabled, and a call to shutdown the // cimserver is given, the call will hang and a forced shutdown // will ensue. This is because the CIMClient::connectLocal call // cannot specify a certificate for authentication against // the local server. This limitation is being investigated. // See Bugzilla 2995. // if (String::equal(verifyClient, "required")) { if (!ConfigManager::parseBooleanValue( configManager->getCurrentValue( PROPERTY_NAME__HTTP_ENABLED))) { MessageLoaderParms parms( "Pegasus.Server.SSLContextManager." "INVALID_CONF_HTTPS_REQUIRED", "The \"sslClientVerificationMode\" property cannot be " "set to \"required\" if HTTP is disabled, as the " "cimserver will be unable to properly shutdown. " "The recommended course of action is to change " "the property value to \"optional\"."); PEG_METHOD_EXIT(); throw SSLException(parms); } } #endif // // A truststore username must be specified if // sslClientVerificationMode is enabled and the truststore is a // single CA file. If the truststore is a directory, then the // CertificateProvider should be used to register users with // certificates. // if (trustStore != String::EMPTY) { if (!FileSystem::exists(trustStore)) { MessageLoaderParms parms( "Pegasus.Server.SSLContextManager." "COULD_NOT_ACCESS_TRUST_STORE", "Could not access the trust store." "Check the permissions of the truststore path \"$0\".", trustStore); PEG_METHOD_EXIT(); throw SSLException(parms); } if (!FileSystem::isDirectory(trustStore)) { if (trustStoreUserName == String::EMPTY) { MessageLoaderParms parms( "Pegasus.Server.SSLContextManager." "SSL_CLIENT_VERIFICATION_EMPTY_USERNAME", "The \"sslTrustStoreUserName\" property must specify a " "valid username if \"sslClientVerificationMode\" " "is 'required' or 'optional' and the truststore is " "a single CA file. To register individual " "certificates to users, you must use a truststore " "directory along with the CertificateProvider."); PEG_METHOD_EXIT(); throw SSLException(parms); } } } } #ifdef PEGASUS_ENABLE_SSL_CRL_VERIFICATION // // Get the crlStore property from the Config Manager. // String crlStore = configManager->getCurrentValue( PROPERTY_NAME__SSL_CRL_STORE); if (crlStore != String::EMPTY) { crlStore = ConfigManager::getHomedPath(crlStore); } #else String crlStore; #endif // // Get the sslCertificateFilePath property from the Config Manager. // String certPath; certPath = ConfigManager::getHomedPath( configManager->getCurrentValue(PROPERTY_NAME__SSL_CERT_FILEPATH)); // // Get the sslKeyFilePath property from the Config Manager. // String keyPath; keyPath = ConfigManager::getHomedPath( configManager->getCurrentValue(PROPERTY_NAME__SSL_KEY_FILEPATH)); String randFile; #ifdef PEGASUS_SSL_RANDOMFILE // NOTE: It is technically not necessary to set up a random file on // the server side, but it is easier to use a consistent interface // on the client and server than to optimize out the random file on // the server side. randFile = ConfigManager::getHomedPath(PEGASUS_SSLSERVER_RANDOMFILE); #endif // // Get the cipherSuite property from the Config Manager. // String cipherSuite = configManager->getCurrentValue( PROPERTY_NAME__SSL_CIPHER_SUITE); PEG_TRACE((TRC_SERVER, Tracer::LEVEL4, "Cipher suite is %s", (const char*)cipherSuite.getCString())); Boolean sslCompatibility = ConfigManager::parseBooleanValue( configManager->getCurrentValue( PROPERTY_NAME__SSL_COMPATIBILITY)); // // Create the SSLContext defined by the configuration properties // if (String::equal(verifyClient, "required")) { PEG_TRACE_CSTRING(TRC_SERVER, Tracer::LEVEL3, "SSL Client verification REQUIRED."); _sslContextMgr->createSSLContext( trustStore, certPath, keyPath, crlStore, false, randFile, cipherSuite,sslCompatibility); } else if (String::equal(verifyClient, "optional")) { PEG_TRACE_CSTRING(TRC_SERVER, Tracer::LEVEL3, "SSL Client verification OPTIONAL."); _sslContextMgr->createSSLContext( trustStore, certPath, keyPath, crlStore, true, randFile, cipherSuite,sslCompatibility); } else if (String::equal(verifyClient, "disabled") || verifyClient == String::EMPTY) { PEG_TRACE_CSTRING(TRC_SERVER, Tracer::LEVEL3, "SSL Client verification DISABLED."); _sslContextMgr->createSSLContext( String::EMPTY, certPath, keyPath, crlStore, false, randFile, cipherSuite,sslCompatibility); } sslContext = _sslContextMgr->getSSLContext(); try { sslContext->_validateCertificate(); } catch (SSLException& e) { Logger::put( Logger::STANDARD_LOG, System::CIMSERVER, Logger::WARNING, e.getMessage()); } PEG_METHOD_EXIT(); return sslContext; }
PEGASUS_NAMESPACE_BEGIN // // Basic SSL socket // SSLSocket::SSLSocket( SocketHandle socket, SSLContext * sslcontext, ReadWriteSem * sslContextObjectLock, const String& ipAddress) : _SSLConnection(0), _socket(socket), _SSLContext(sslcontext), _sslContextObjectLock(sslContextObjectLock), _ipAddress(ipAddress), _certificateVerified(false) { PEG_METHOD_ENTER(TRC_SSL, "SSLSocket::SSLSocket()"); SSL* sslConnection; SharedPtr<X509_STORE, FreeX509STOREPtr> tmpCrlStore; _sslReadErrno = 0; // // create the SSLConnection area // if (!(sslConnection = SSL_new(_SSLContext->_rep->getContext()))) { PEG_METHOD_EXIT(); MessageLoaderParms parms( "Common.TLS.COULD_NOT_GET_SSL_CONNECTION_AREA", "Could not get SSL Connection Area."); throw SSLException(parms); } // This try/catch block is necessary so that we can free the SSL Connection // Area if any exceptions are thrown. try { // // set the verification callback data // // we are only storing one set of data, so we can just use index 0, // this is defined in SSLContext.h //int index = SSL_get_ex_new_index( // 0, (void*)"pegasus", NULL, NULL, NULL); // // Create a new callback info for each new connection // #ifdef PEGASUS_ENABLE_SSL_CRL_VERIFICATION tmpCrlStore = _SSLContext->_rep->getCRLStore(); #endif _SSLCallbackInfo.reset(new SSLCallbackInfo( _SSLContext->getSSLCertificateVerifyFunction(), tmpCrlStore.get(), _ipAddress )); if (SSL_set_ex_data( sslConnection, SSLCallbackInfo::SSL_CALLBACK_INDEX, _SSLCallbackInfo.get())) { PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4, "--->SSL: Set callback info"); } else { PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL1, "--->SSL: Error setting callback info"); } // // and connect the active socket with the ssl operation // if (!(SSL_set_fd(sslConnection, _socket) )) { PEG_METHOD_EXIT(); MessageLoaderParms parms( "Common.TLS.COULD_NOT_LINK_SOCKET", "Could not link socket to SSL Connection."); throw SSLException(parms); } } catch (...) { SSL_free(sslConnection); throw; } _SSLConnection = sslConnection; _crlStore = new SharedPtr<X509_STORE, FreeX509STOREPtr>(tmpCrlStore); PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4, "---> SSL: Created SSL socket"); PEG_METHOD_EXIT(); }
X509_STORE* SSLContextManager::_getNewX509Store(const String& storePath) { PEG_METHOD_ENTER(TRC_SSL, "SSLContextManager::_getNewX509Store()"); // // reload certificates from the specified store // PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL2, "Reloading certificates from the store: " + storePath); X509_STORE* newStore = X509_STORE_new(); // // Check if there is a CA certificate file or directory specified. // If specified, load the certificates from the specified store path. // if (FileSystem::isDirectory(storePath)) { X509_LOOKUP* storeLookup = X509_STORE_add_lookup(newStore, X509_LOOKUP_hash_dir()); if (storeLookup == NULL) { X509_STORE_free(newStore); PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL4, "Could not reload the trust or crl store."); MessageLoaderParms parms( "Pegasus.Common.SSLContextManager.COULD_NOT_RELOAD_TRUST_OR_CRL_STORE", "Could not reload the trust or crl store."); PEG_METHOD_EXIT(); throw SSLException(parms); } X509_LOOKUP_add_dir(storeLookup, storePath.getCString(), X509_FILETYPE_PEM); } else if (FileSystem::exists(storePath)) { X509_LOOKUP* storeLookup = X509_STORE_add_lookup(newStore, X509_LOOKUP_file()); if (storeLookup == NULL) { X509_STORE_free(newStore); PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL4, "Could not reload the trust or crl store."); MessageLoaderParms parms( "Pegasus.Common.SSLContextManager.COULD_NOT_RELOAD_TRUST_OR_CRL_STORE", "Could not reload the trust or crl store."); PEG_METHOD_EXIT(); throw SSLException(parms); } X509_LOOKUP_load_file(storeLookup, storePath.getCString(), X509_FILETYPE_PEM); } else { PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL4, "Could not reload the trust or crl store, configured store not found."); MessageLoaderParms parms( "Pegasus.Common.SSLContextManager.CONFIGURED_TRUST_OR_CRL_STORE_NOT_FOUND", "Could not reload the trust or crl store, configured store not found."); PEG_METHOD_EXIT(); throw SSLException(parms); } PEG_METHOD_EXIT(); return newStore; }