SSLContext::SSLContext( Usage usage, const std::string& caLocation, VerificationMode verificationMode, int verificationDepth, bool loadDefaultCAs, const std::string& cipherList): _usage(usage), _mode(verificationMode), _sslContext(0), _extendedVerificationErrorDetails(true) { crypto::initializeEngine(); createSSLContext(); int errCode = 0; if (!caLocation.empty()) { if (fs::isdir(caLocation)) errCode = SSL_CTX_load_verify_locations(_sslContext, 0, fs::transcode(caLocation).c_str()); else errCode = SSL_CTX_load_verify_locations(_sslContext, fs::transcode(caLocation).c_str(), 0); if (errCode != 1) { std::string msg = getLastError(); SSL_CTX_free(_sslContext); throw std::runtime_error(std::string("SSL Error: Cannot load CA file/directory at ") + caLocation + ": " + msg); } } if (loadDefaultCAs) { errCode = SSL_CTX_set_default_verify_paths(_sslContext); if (errCode != 1) { std::string msg = getLastError(); SSL_CTX_free(_sslContext); throw std::runtime_error("SSL Error: Cannot load default CA certificates: " + msg); } } if (isForServerUse()) SSL_CTX_set_verify(_sslContext, verificationMode, &SSLManager::verifyServerCallback); else SSL_CTX_set_verify(_sslContext, verificationMode, &SSLManager::verifyClientCallback); SSL_CTX_set_cipher_list(_sslContext, cipherList.c_str()); SSL_CTX_set_verify_depth(_sslContext, verificationDepth); SSL_CTX_set_mode(_sslContext, SSL_MODE_AUTO_RETRY); SSL_CTX_set_session_cache_mode(_sslContext, SSL_SESS_CACHE_OFF); }
void ThreadedSSLSocketInitiator::onInitialize(const SessionSettings &s) throw( RuntimeError) { if (m_sslInit) return; ssl_init(); std::string errStr; /* set up the application context */ if ((m_ctx = createSSLContext(false, m_settings, errStr)) == 0) { throw RuntimeError(errStr); } if (m_cert && m_key) { if (SSL_CTX_use_certificate(m_ctx, m_cert) < 1) { ssl_term(); throw RuntimeError("Failed to set certificate"); } if (SSL_CTX_use_RSAPrivateKey(m_ctx, m_key) <= 0) { ssl_term(); throw RuntimeError("Failed to set key"); } } else if (!loadSSLCert(m_ctx, false, m_settings, getLog(), ThreadedSSLSocketInitiator::passwordHandleCB, errStr)) { ssl_term(); throw RuntimeError(errStr); } int verifyLevel; if (!loadCAInfo(m_ctx, false, m_settings, getLog(), errStr, verifyLevel)) { ssl_term(); throw RuntimeError(errStr); } m_sslInit = true; }
void Context::init(const Params& params) { Poco::Crypto::OpenSSLInitializer::initialize(); createSSLContext(); try { int errCode = 0; if (!params.caLocation.empty()) { Poco::File aFile(params.caLocation); if (aFile.isDirectory()) errCode = SSL_CTX_load_verify_locations(_pSSLContext, 0, Poco::Path::transcode(params.caLocation).c_str()); else errCode = SSL_CTX_load_verify_locations(_pSSLContext, Poco::Path::transcode(params.caLocation).c_str(), 0); if (errCode != 1) { std::string msg = Utility::getLastError(); throw SSLContextException(std::string("Cannot load CA file/directory at ") + params.caLocation, msg); } } if (params.loadDefaultCAs) { errCode = SSL_CTX_set_default_verify_paths(_pSSLContext); if (errCode != 1) { std::string msg = Utility::getLastError(); throw SSLContextException("Cannot load default CA certificates", msg); } } if (!params.privateKeyFile.empty()) { errCode = SSL_CTX_use_PrivateKey_file(_pSSLContext, Poco::Path::transcode(params.privateKeyFile).c_str(), SSL_FILETYPE_PEM); if (errCode != 1) { std::string msg = Utility::getLastError(); throw SSLContextException(std::string("Error loading private key from file ") + params.privateKeyFile, msg); } } if (!params.certificateFile.empty()) { errCode = SSL_CTX_use_certificate_chain_file(_pSSLContext, Poco::Path::transcode(params.certificateFile).c_str()); if (errCode != 1) { std::string errMsg = Utility::getLastError(); throw SSLContextException(std::string("Error loading certificate from file ") + params.certificateFile, errMsg); } } if (isForServerUse()) SSL_CTX_set_verify(_pSSLContext, params.verificationMode, &SSLManager::verifyServerCallback); else SSL_CTX_set_verify(_pSSLContext, params.verificationMode, &SSLManager::verifyClientCallback); SSL_CTX_set_cipher_list(_pSSLContext, params.cipherList.c_str()); SSL_CTX_set_verify_depth(_pSSLContext, params.verificationDepth); SSL_CTX_set_mode(_pSSLContext, SSL_MODE_AUTO_RETRY); SSL_CTX_set_session_cache_mode(_pSSLContext, SSL_SESS_CACHE_OFF); initDH(params.dhParamsFile); initECDH(params.ecdhCurve); } catch (...) { SSL_CTX_free(_pSSLContext); throw; } }