bool Socket::create(int timeout_sec) { #if defined(unix) || defined(__unix__) || defined(__unix) m_sock = socket(AF_INET, SOCK_STREAM, 0); #endif if (!is_valid()) return false; // TIME_WAIT - argh int on = 1; #if defined(unix) || defined(__unix__) || defined(__unix) if (setsockopt(m_sock, SOL_SOCKET, SO_REUSEADDR, (const char*) &on, sizeof ( on)) == -1) return false; struct timeval timeout; timeout.tv_sec = timeout_sec; timeout.tv_usec = 0; if (setsockopt(m_sock, SOL_SOCKET, SO_RCVTIMEO, (char *) &timeout, sizeof (timeout)) < 0) return false; if (setsockopt(m_sock, SOL_SOCKET, SO_SNDTIMEO, (char *) &timeout, sizeof (timeout)) < 0) return false; #endif if (socketType == Socket::TLS1_1) { InitializeSSL(); #if defined(__APPLE__) sslctx = SSL_CTX_new(TLSv1_1_method()); #elif defined(unix) || defined(__unix__) || defined(__unix) sslctx = SSL_CTX_new(TLSv1_1_method()); #endif #if defined(unix) || defined(__unix__) || defined(__unix) SSL_CTX_set_options(sslctx, SSL_OP_SINGLE_DH_USE); /*----- Load a client certificate into the SSL_CTX structure -----*/ if (SSL_CTX_use_certificate_file(sslctx, (char*) CLIENT_CERT.c_str(), SSL_FILETYPE_PEM) <= 0 ) { ERR_print_errors_fp(stderr); exit(1); } /*----- Load a private-key into the SSL_CTX structure -----*/ if (SSL_CTX_use_PrivateKey_file(sslctx, (char*) CLIENT_KEY.c_str(), SSL_FILETYPE_PEM) <= 0) { ERR_print_errors_fp(stderr); exit(1); } int CA = SSL_CTX_load_verify_locations(sslctx, (char*) CA_FILE.c_str(), NULL); SSL_CTX_set_verify(sslctx, SSL_VERIFY_PEER, NULL); SSL_CTX_set_verify_depth(sslctx, 1); cSSL = SSL_new(sslctx); int sssfd = SSL_set_fd(cSSL, m_sock); #endif } return true; }
SSL_CTX* EdSSLContext::buildCtx(int ver) { SSL_CTX *pctx; const SSL_METHOD *method; switch (ver) { case SSL_VER_TLSV1: method = TLSv1_method(); break; case SSL_VER_TLSV11: method = TLSv1_1_method(); break; case SSL_VER_V23: method = SSLv23_method(); break; case SSL_VER_V3: method = SSLv3_method(); break; case SSL_VER_DTLSV1: method = DTLSv1_method(); break; default: method = NULL; break; } if (method == NULL) return NULL; pctx = SSL_CTX_new(method); return pctx; }
void CTLSConnection::initialize() throw(CTCPConnection::CConnectException) { //Use ONLY TLS 1.1: this is the latest version supported by libssl m_TLSContext = SSL_CTX_new(TLSv1_1_method()); if(m_TLSContext == NULL) { deallocate(); throw CConnectException( "Failed to create a new SSL/TLS context"); } SSL_CTX_set_options(m_TLSContext, SSL_OP_SINGLE_DH_USE | //docs seem to indicate this improves security SSL_OP_NO_SSLv2 | //do not use old SSL v2 protocol SSL_OP_NO_SSLv3 | //do not use old SSL v3 protocol SSL_OP_NO_TLSv1 | //do not use old TLS v1.0 protocol SSL_MODE_AUTO_RETRY //send and receive implementations depend on this ); //TODO m_TLSConnection = SSL_new(m_TLSContext); if(m_TLSConnection == NULL) { deallocate(); throw CConnectException( "Failed to create a new SSL/TLS connection structure"); } //TODO: if(!SSL_set_fd(m_TLSConnection, getFD())) { deallocate(); throw CConnectException( "Failed to connect SSL/TLS object to file descriptor"); } }
static const SSL_METHOD *tls1_get_method(int ver) { if (ver == TLS1_1_VERSION) return TLSv1_1_method(); if (ver == TLS1_VERSION) return TLSv1_method(); return NULL; }
extern "C" const SSL_METHOD* CryptoNative_TlsV1_1Method() { #if HAVE_TLS_V1_1 const SSL_METHOD* method = TLSv1_1_method(); assert(method != nullptr); return method; #else return nullptr; #endif }
/** * Find the protocol. */ static LSEC_SSL_METHOD* str2method(const char *method) { if (!strcmp(method, "sslv23")) return SSLv23_method(); if (!strcmp(method, "sslv3")) return SSLv3_method(); if (!strcmp(method, "tlsv1")) return TLSv1_method(); #if (OPENSSL_VERSION_NUMBER >= 0x1000100fL) if (!strcmp(method, "tlsv1_1")) return TLSv1_1_method(); if (!strcmp(method, "tlsv1_2")) return TLSv1_2_method(); #endif return NULL; }
static const SSL_METHOD * tls1_get_method(int ver) { if (ver == TLS1_2_VERSION) return (TLSv1_2_method()); if (ver == TLS1_1_VERSION) return (TLSv1_1_method()); if (ver == TLS1_VERSION) return (TLSv1_method()); return (NULL); }
// nassl.SSL_CTX.new() static PyObject* nassl_SSL_CTX_new(PyTypeObject *type, PyObject *args, PyObject *kwds) { nassl_SSL_CTX_Object *self; int sslVersion; SSL_CTX *sslCtx; self = (nassl_SSL_CTX_Object *)type->tp_alloc(type, 0); if (self == NULL) return NULL; self->sslCtx = NULL; self->pkeyPasswordBuf = NULL; if (!PyArg_ParseTuple(args, "I", &sslVersion)) { Py_DECREF(self); return NULL; } switch (sslVersion) { case sslv23: sslCtx = SSL_CTX_new(SSLv23_method()); break; case sslv2: sslCtx = SSL_CTX_new(SSLv2_method()); break; case sslv3: sslCtx = SSL_CTX_new(SSLv3_method()); break; case tlsv1: sslCtx = SSL_CTX_new(TLSv1_method()); break; case tlsv1_1: sslCtx = SSL_CTX_new(TLSv1_1_method()); break; case tlsv1_2: sslCtx = SSL_CTX_new(TLSv1_2_method()); break; default: PyErr_SetString(PyExc_ValueError, "Invalid value for ssl version"); Py_DECREF(self); return NULL; } if (sslCtx == NULL) { raise_OpenSSL_error(); Py_DECREF(self); return NULL; } // Add the client certificate callback SSL_CTX_set_client_cert_cb(sslCtx, client_cert_cb); self->sslCtx = sslCtx; return (PyObject *)self; }
static const SSL_METHOD * ssl23_get_method(int ver) { if (ver == SSL3_VERSION) return (SSLv3_method()); if (ver == TLS1_VERSION) return (TLSv1_method()); if (ver == TLS1_1_VERSION) return (TLSv1_1_method()); if (ver == TLS1_2_VERSION) return (TLSv1_2_method()); return (NULL); }
static const SSL_METHOD *swSSL_get_method(int method) { switch (method) { #ifndef OPENSSL_NO_SSL3_METHOD case SW_SSLv3_METHOD: return SSLv3_method(); case SW_SSLv3_SERVER_METHOD: return SSLv3_server_method(); case SW_SSLv3_CLIENT_METHOD: return SSLv3_client_method(); #endif case SW_SSLv23_SERVER_METHOD: return SSLv23_server_method(); case SW_SSLv23_CLIENT_METHOD: return SSLv23_client_method(); case SW_TLSv1_METHOD: return TLSv1_method(); case SW_TLSv1_SERVER_METHOD: return TLSv1_server_method(); case SW_TLSv1_CLIENT_METHOD: return TLSv1_client_method(); #ifdef TLS1_1_VERSION case SW_TLSv1_1_METHOD: return TLSv1_1_method(); case SW_TLSv1_1_SERVER_METHOD: return TLSv1_1_server_method(); case SW_TLSv1_1_CLIENT_METHOD: return TLSv1_1_client_method(); #endif #ifdef TLS1_2_VERSION case SW_TLSv1_2_METHOD: return TLSv1_2_method(); case SW_TLSv1_2_SERVER_METHOD: return TLSv1_2_server_method(); case SW_TLSv1_2_CLIENT_METHOD: return TLSv1_2_client_method(); #endif case SW_DTLSv1_METHOD: return DTLSv1_method(); case SW_DTLSv1_SERVER_METHOD: return DTLSv1_server_method(); case SW_DTLSv1_CLIENT_METHOD: return DTLSv1_client_method(); case SW_SSLv23_METHOD: default: return SSLv23_method(); } return SSLv23_method(); }
static const SSL_METHOD *ssl23_get_method(int ver) { #ifndef OPENSSL_NO_SSL3 if (ver == SSL3_VERSION) return (SSLv3_method()); else #endif if (ver == TLS1_VERSION) return (TLSv1_method()); else if (ver == TLS1_1_VERSION) return (TLSv1_1_method()); else if (ver == TLS1_2_VERSION) return (TLSv1_2_method()); else return (NULL); }
static const SSL_METHOD *tls1_get_method(int ver) { if (ver == TLS_ANY_VERSION) return TLS_method(); if (ver == TLS1_2_VERSION) return TLSv1_2_method(); if (ver == TLS1_1_VERSION) return TLSv1_1_method(); if (ver == TLS1_VERSION) return TLSv1_method(); #ifndef OPENSSL_NO_SSL3 if (ver == SSL3_VERSION) return (SSLv3_method()); else #endif return NULL; }
static const SSL_METHOD* get_ssl_method(const char* tls_version) { if (!tls_version || !*tls_version) { LOG_ERROR("tls_version is not set."); return 0; } if (!strcmp(tls_version, "1.0")) return TLSv1_method(); if (!strcmp(tls_version, "1.1")) return TLSv1_1_method(); if (!strcmp(tls_version, "1.2")) return TLSv1_2_method(); LOG_ERROR("Unable to recognize tls_version."); return 0; }
static const SSL_METHOD *swSSL_get_method(int method) { switch (method) { case SW_SSLv3_METHOD: return SSLv3_method(); case SW_SSLv3_SERVER_METHOD: return SSLv3_server_method(); case SW_SSLv3_CLIENT_METHOD: return SSLv3_client_method(); case SW_SSLv23_SERVER_METHOD: return SSLv23_server_method(); case SW_SSLv23_CLIENT_METHOD: return SSLv23_client_method(); case SW_TLSv1_METHOD: return TLSv1_method(); case SW_TLSv1_SERVER_METHOD: return TLSv1_server_method(); case SW_TLSv1_CLIENT_METHOD: return TLSv1_client_method(); case SW_TLSv1_1_METHOD: return TLSv1_1_method(); case SW_TLSv1_1_SERVER_METHOD: return TLSv1_1_server_method(); case SW_TLSv1_1_CLIENT_METHOD: return TLSv1_1_client_method(); case SW_TLSv1_2_METHOD: return TLSv1_2_method(); case SW_TLSv1_2_SERVER_METHOD: return TLSv1_2_server_method(); case SW_TLSv1_2_CLIENT_METHOD: return TLSv1_2_client_method(); case SW_DTLSv1_METHOD: return DTLSv1_method(); case SW_DTLSv1_SERVER_METHOD: return DTLSv1_server_method(); case SW_DTLSv1_CLIENT_METHOD: return DTLSv1_client_method(); case SW_SSLv23_METHOD: default: return SSLv23_method(); } return SSLv23_method(); }
static int openssl_ssl_ctx_new(lua_State*L) { const char* meth = luaL_optstring(L, 1, "TLSv1"); #if OPENSSL_VERSION_NUMBER >= 0x01000000L const #endif SSL_METHOD* method = NULL; const char* ciphers; SSL_CTX* ctx; if (strcmp(meth, "SSLv3") == 0) method = SSLv3_method(); /* SSLv3 */ else if (strcmp(meth, "SSLv3_server") == 0) method = SSLv3_server_method(); /* SSLv3 */ else if (strcmp(meth, "SSLv3_client") == 0) method = SSLv3_client_method(); /* SSLv3 */ else if (strcmp(meth, "SSLv23") == 0) method = SSLv23_method(); /* SSLv3 but can rollback to v2 */ else if (strcmp(meth, "SSLv23_server") == 0) method = SSLv23_server_method(); /* SSLv3 but can rollback to v2 */ else if (strcmp(meth, "SSLv23_client") == 0) method = SSLv23_client_method(); /* SSLv3 but can rollback to v2 */ else if (strcmp(meth, "TLSv1_1") == 0) method = TLSv1_1_method(); /* TLSv1.0 */ else if (strcmp(meth, "TLSv1_1_server") == 0) method = TLSv1_1_server_method(); /* TLSv1.0 */ else if (strcmp(meth, "TLSv1_1_client") == 0) method = TLSv1_1_client_method(); /* TLSv1.0 */ else if (strcmp(meth, "TLSv1_2") == 0) method = TLSv1_2_method(); /* TLSv1.0 */ else if (strcmp(meth, "TLSv1_2_server") == 0) method = TLSv1_2_server_method(); /* TLSv1.0 */ else if (strcmp(meth, "TLSv1_2_client") == 0) method = TLSv1_2_client_method(); /* TLSv1.0 */ else if (strcmp(meth, "TLSv1") == 0) method = TLSv1_method(); /* TLSv1.0 */ else if (strcmp(meth, "TLSv1_server") == 0) method = TLSv1_server_method(); /* TLSv1.0 */ else if (strcmp(meth, "TLSv1_client") == 0) method = TLSv1_client_method(); /* TLSv1.0 */ else if (strcmp(meth, "DTLSv1") == 0) method = DTLSv1_method(); /* DTLSv1.0 */ else if (strcmp(meth, "DTLSv1_server") == 0) method = DTLSv1_server_method(); /* DTLSv1.0 */ else if (strcmp(meth, "DTLSv1_client") == 0) method = DTLSv1_client_method(); /* DTLSv1.0 */ #ifndef OPENSSL_NO_SSL2 #if OPENSSL_VERSION_NUMBER < 0x10100000L else if (strcmp(meth, "SSLv2") == 0) method = SSLv2_method(); /* SSLv2 */ else if (strcmp(meth, "SSLv2_server") == 0) method = SSLv2_server_method(); /* SSLv2 */ else if (strcmp(meth, "SSLv2_client") == 0) method = SSLv2_client_method(); #endif #ifdef LOAD_SSL_CUSTOM LOAD_SSL_CUSTOM #endif #endif else luaL_error(L, "#1:%s not supported\n" "Maybe SSLv3 SSLv23 TLSv1 TLSv1_1 TLSv1_2 DTLSv1 [SSLv2], option followed by _client or _server\n", "default is SSLv3", meth); ciphers = luaL_optstring(L, 2, SSL_DEFAULT_CIPHER_LIST); ctx = SSL_CTX_new(method); if (!ctx) luaL_error(L, "#1:%s not supported\n" "Maybe SSLv3 SSLv23 TLSv1 TLSv1_1 TLSv1_2 DTLSv1 [SSLv2], option followed by _client or _server\n", "default is SSLv3", meth); openssl_newvalue(L, ctx); SSL_CTX_set_cipher_list(ctx, ciphers); PUSH_OBJECT(ctx, "openssl.ssl_ctx"); SSL_CTX_set_app_data(ctx, L); return 1; }
const SSL_METHOD *TLSv1_1_server_method(void) { return TLSv1_1_method(); }
const SSL_METHOD *TLSv1_1_client_method(void) { return TLSv1_1_method(); }
static const SSL_METHOD *get_method(int protocol, int type) { const SSL_METHOD *method = NULL; caml_enter_blocking_section(); switch (protocol) { case 0: switch (type) { case 0: method = SSLv23_client_method(); break; case 1: method = SSLv23_server_method(); break; case 2: method = SSLv23_method(); break; } break; case 1: switch (type) { case 0: method = SSLv3_client_method(); break; case 1: method = SSLv3_server_method(); break; case 2: method = SSLv3_method(); break; } break; case 2: switch (type) { case 0: method = TLSv1_client_method(); break; case 1: method = TLSv1_server_method(); break; case 2: method = TLSv1_method(); break; } break; case 3: #ifdef HAVE_TLS11 switch (type) { case 0: method = TLSv1_1_client_method(); break; case 1: method = TLSv1_1_server_method(); break; case 2: method = TLSv1_1_method(); break; } #endif break; case 4: #ifdef HAVE_TLS12 switch (type) { case 0: method = TLSv1_2_client_method(); break; case 1: method = TLSv1_2_server_method(); break; case 2: method = TLSv1_2_method(); break; } #endif break; default: caml_leave_blocking_section(); caml_invalid_argument("Unknown method (this should not have happened, please report)."); break; } caml_leave_blocking_section(); if (method == NULL) caml_raise_constant(*caml_named_value("ssl_exn_method_error")); return method; }