static const char *
openssl_iostream_get_security_string(struct ssl_iostream *ssl_io)
{
const SSL_CIPHER *cipher;
#ifdef HAVE_SSL_COMPRESSION
const COMP_METHOD *comp;
#endif
const char *comp_str;
int bits, alg_bits;
if (!ssl_io->handshaked)
return "";
cipher = SSL_get_current_cipher(ssl_io->ssl);
bits = SSL_CIPHER_get_bits(cipher, &alg_bits);
#ifdef HAVE_SSL_COMPRESSION
comp = SSL_get_current_compression(ssl_io->ssl);
comp_str = comp == NULL ? "" :
t_strconcat(" ", SSL_COMP_get_name(comp), NULL);
#else
comp_str = "";
#endif
return t_strdup_printf("%s with cipher %s (%d/%d bits)%s",
SSL_get_version(ssl_io->ssl),
SSL_CIPHER_get_name(cipher),
bits, alg_bits, comp_str);
}
bool OpenSSLBase::handshake()
{
doTLSOperation( TLSHandshake );
if( !m_secure )
return true;
int res = SSL_get_verify_result( m_ssl );
if( res != X509_V_OK )
m_certInfo.status = CertInvalid;
else
m_certInfo.status = CertOk;
X509* peer = SSL_get_peer_certificate( m_ssl );
if( peer )
{
char peer_CN[256];
X509_NAME_get_text_by_NID( X509_get_issuer_name( peer ), NID_commonName, peer_CN, sizeof( peer_CN ) );
m_certInfo.issuer = peer_CN;
X509_NAME_get_text_by_NID( X509_get_subject_name( peer ), NID_commonName, peer_CN, sizeof( peer_CN ) );
m_certInfo.server = peer_CN;
m_certInfo.date_from = openSSLTime2UnixTime( (char*) (peer->cert_info->validity->notBefore->data) );
m_certInfo.date_to = openSSLTime2UnixTime( (char*) (peer->cert_info->validity->notAfter->data) );
std::string p( peer_CN );
std::transform( p.begin(), p.end(), p.begin(), tolower );
if( p != m_server )
m_certInfo.status |= CertWrongPeer;
if( ASN1_UTCTIME_cmp_time_t( X509_get_notBefore( peer ), time( 0 ) ) != -1 )
m_certInfo.status |= CertNotActive;
if( ASN1_UTCTIME_cmp_time_t( X509_get_notAfter( peer ), time( 0 ) ) != 1 )
m_certInfo.status |= CertExpired;
}
else
{
m_certInfo.status = CertInvalid;
}
const char* tmp;
tmp = SSL_get_cipher_name( m_ssl );
if( tmp )
m_certInfo.cipher = tmp;
tmp = SSL_get_cipher_version( m_ssl );
if( tmp )
m_certInfo.protocol = tmp;
tmp = SSL_COMP_get_name( SSL_get_current_compression( m_ssl ) );
if( tmp )
m_certInfo.compression = tmp;
m_valid = true;
m_handler->handleHandshakeResult( this, true, m_certInfo );
return true;
}
static int openssl_ssl_current_compression(lua_State *L)
{
SSL* s = CHECK_OBJECT(1, SSL, "openssl.ssl");
const COMP_METHOD *comp = SSL_get_current_compression(s);
if (comp)
lua_pushstring(L, SSL_COMP_get_name(comp));
else
lua_pushnil(L);
return 1;
}
const char *sycSSL_COMP_get_name(const COMP_METHOD *comp) {
const char *result;
Debug1("SSL_COMP_get_name(%p)", comp);
result = SSL_COMP_get_name(comp);
if (result) {
Debug1("SSL_COMP_get_name() -> \"%s\"", result);
} else {
Debug("SSL_COMP_get_name() -> NULL");
}
return result;
}
NOEXPORT void print_cipher(CLI *c) { /* print negotiated cipher */
SSL_CIPHER *cipher;
#if !defined(OPENSSL_NO_COMP) && OPENSSL_VERSION_NUMBER>=0x0090800fL
const COMP_METHOD *compression, *expansion;
#endif
if(global_options.debug_level<LOG_INFO) /* performance optimization */
return;
cipher=(SSL_CIPHER *)SSL_get_current_cipher(c->ssl);
s_log(LOG_INFO, "Negotiated %s ciphersuite: %s (%d-bit encryption)",
SSL_CIPHER_get_version(cipher), SSL_CIPHER_get_name(cipher),
SSL_CIPHER_get_bits(cipher, NULL));
#if !defined(OPENSSL_NO_COMP) && OPENSSL_VERSION_NUMBER>=0x0090800fL
compression=SSL_get_current_compression(c->ssl);
expansion=SSL_get_current_expansion(c->ssl);
s_log(LOG_INFO, "Compression: %s, expansion: %s",
compression ? SSL_COMP_get_name(compression) : "null",
expansion ? SSL_COMP_get_name(expansion) : "null");
#endif
}
static void print_cipher(CLI * c)
{
SSL_CIPHER *cipher;
const COMP_METHOD *compression, *expansion;
if (global_options.debug_level < LOG_INFO)
return;
cipher = (SSL_CIPHER *) SSL_get_current_cipher(c->ssl);
s_log(LOG_INFO, "Negotiated %s ciphersuite: %s (%d-bit encryption)",
SSL_CIPHER_get_version(cipher), SSL_CIPHER_get_name(cipher),
SSL_CIPHER_get_bits(cipher, NULL));
#if OPENSSL_VERSION_NUMBER>=0x0090800fL
compression = SSL_get_current_compression(c->ssl);
expansion = SSL_get_current_expansion(c->ssl);
s_log(LOG_INFO, "Compression: %s, expansion: %s",
compression ? SSL_COMP_get_name(compression) : "null",
expansion ? SSL_COMP_get_name(expansion) : "null");
#endif
}
/**
* Return the compression method used.
*/
static int meth_compression(lua_State *L)
{
const COMP_METHOD *comp;
p_ssl ssl = (p_ssl)luaL_checkudata(L, 1, "SSL:Connection");
if (ssl->state != LSEC_STATE_CONNECTED) {
lua_pushnil(L);
lua_pushstring(L, "closed");
return 2;
}
comp = SSL_get_current_compression(ssl->ssl);
if (comp)
lua_pushstring(L, SSL_COMP_get_name(comp));
else
lua_pushnil(L);
return 1;
}
static void print_stuff(BIO *bio, SSL *s, int full)
{
X509 *peer=NULL;
char *p;
static const char *space=" ";
char buf[BUFSIZ];
STACK_OF(X509) *sk;
STACK_OF(X509_NAME) *sk2;
SSL_CIPHER *c;
X509_NAME *xn;
int j,i;
#ifndef OPENSSL_NO_COMP
const COMP_METHOD *comp, *expansion;
#endif
if (full)
{
int got_a_chain = 0;
sk=SSL_get_peer_cert_chain(s);
if (sk != NULL)
{
got_a_chain = 1; /* we don't have it for SSL2 (yet) */
BIO_printf(bio,"---\nCertificate chain\n");
for (i=0; i<sk_X509_num(sk); i++)
{
X509_NAME_oneline(X509_get_subject_name(
sk_X509_value(sk,i)),buf,sizeof buf);
BIO_printf(bio,"%2d s:%s\n",i,buf);
X509_NAME_oneline(X509_get_issuer_name(
sk_X509_value(sk,i)),buf,sizeof buf);
BIO_printf(bio," i:%s\n",buf);
if (c_showcerts)
PEM_write_bio_X509(bio,sk_X509_value(sk,i));
}
}
BIO_printf(bio,"---\n");
peer=SSL_get_peer_certificate(s);
if (peer != NULL)
{
BIO_printf(bio,"Server certificate\n");
if (!(c_showcerts && got_a_chain)) /* Redundant if we showed the whole chain */
PEM_write_bio_X509(bio,peer);
X509_NAME_oneline(X509_get_subject_name(peer),
buf,sizeof buf);
BIO_printf(bio,"subject=%s\n",buf);
X509_NAME_oneline(X509_get_issuer_name(peer),
buf,sizeof buf);
BIO_printf(bio,"issuer=%s\n",buf);
}
else
BIO_printf(bio,"no peer certificate available\n");
sk2=SSL_get_client_CA_list(s);
if ((sk2 != NULL) && (sk_X509_NAME_num(sk2) > 0))
{
BIO_printf(bio,"---\nAcceptable client certificate CA names\n");
for (i=0; i<sk_X509_NAME_num(sk2); i++)
{
xn=sk_X509_NAME_value(sk2,i);
X509_NAME_oneline(xn,buf,sizeof(buf));
BIO_write(bio,buf,strlen(buf));
BIO_write(bio,"\n",1);
}
}
else
{
BIO_printf(bio,"---\nNo client certificate CA names sent\n");
}
p=SSL_get_shared_ciphers(s,buf,sizeof buf);
if (p != NULL)
{
/* This works only for SSL 2. In later protocol
* versions, the client does not know what other
* ciphers (in addition to the one to be used
* in the current connection) the server supports. */
BIO_printf(bio,"---\nCiphers common between both SSL endpoints:\n");
j=i=0;
while (*p)
{
if (*p == ':')
{
BIO_write(bio,space,15-j%25);
i++;
j=0;
BIO_write(bio,((i%3)?" ":"\n"),1);
}
else
{
BIO_write(bio,p,1);
j++;
}
p++;
}
BIO_write(bio,"\n",1);
}
BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n",
BIO_number_read(SSL_get_rbio(s)),
BIO_number_written(SSL_get_wbio(s)));
}
BIO_printf(bio,((s->hit)?"---\nReused, ":"---\nNew, "));
c=SSL_get_current_cipher(s);
BIO_printf(bio,"%s, Cipher is %s\n",
SSL_CIPHER_get_version(c),
SSL_CIPHER_get_name(c));
if (peer != NULL) {
EVP_PKEY *pktmp;
pktmp = X509_get_pubkey(peer);
BIO_printf(bio,"Server public key is %d bit\n",
EVP_PKEY_bits(pktmp));
EVP_PKEY_free(pktmp);
}
#ifndef OPENSSL_NO_COMP
comp=SSL_get_current_compression(s);
expansion=SSL_get_current_expansion(s);
BIO_printf(bio,"Compression: %s\n",
comp ? SSL_COMP_get_name(comp) : "NONE");
BIO_printf(bio,"Expansion: %s\n",
expansion ? SSL_COMP_get_name(expansion) : "NONE");
#endif
SSL_SESSION_print(bio,SSL_get_session(s));
BIO_printf(bio,"---\n");
if (peer != NULL)
X509_free(peer);
/* flush, or debugging output gets mixed with http response */
(void)BIO_flush(bio);
}
bool OpenSSLBase::handshake()
{
doTLSOperation( TLSHandshake );
if( !m_secure )
return true;
long res = SSL_get_verify_result( m_ssl );
if( res != X509_V_OK )
m_certInfo.status = CertInvalid;
else
m_certInfo.status = CertOk;
X509* peer = SSL_get_peer_certificate( m_ssl );
if( peer )
{
char peer_CN[256];
X509_NAME_get_text_by_NID( X509_get_issuer_name( peer ), NID_commonName, peer_CN, sizeof( peer_CN ) );
m_certInfo.issuer = peer_CN;
X509_NAME_get_text_by_NID( X509_get_subject_name( peer ), NID_commonName, peer_CN, sizeof( peer_CN ) );
m_certInfo.server = peer_CN;
m_certInfo.date_from = ASN1Time2UnixTime( X509_get_notBefore( peer ) );
m_certInfo.date_to = ASN1Time2UnixTime( X509_get_notAfter( peer ) );
std::string p( peer_CN );
std::transform( p.begin(), p.end(), p.begin(), tolower );
#if defined OPENSSL_VERSION_NUMBER && ( OPENSSL_VERSION_NUMBER >= 0x10002000 )
res = X509_check_host( peer, p.c_str(), p.length(), X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS, 0 );
if( res <= 0 ) // 0: verification failed; -1: internal error; -2 input is malformed
m_certInfo.status |= CertWrongPeer;
#else
if( p != m_server )
m_certInfo.status |= CertWrongPeer;
#endif // OPENSSL_VERSION_NUMBER >= 0x10002000
if( ASN1_UTCTIME_cmp_time_t( X509_get_notBefore( peer ), time( 0 ) ) != -1 )
m_certInfo.status |= CertNotActive;
if( ASN1_UTCTIME_cmp_time_t( X509_get_notAfter( peer ), time( 0 ) ) != 1 )
m_certInfo.status |= CertExpired;
X509_free( peer );
}
else
{
m_certInfo.status = CertInvalid;
}
const char* tmp;
tmp = SSL_get_cipher_name( m_ssl );
if( tmp )
m_certInfo.cipher = tmp;
SSL_SESSION* sess = SSL_get_session( m_ssl );
if( sess )
{
switch( SSL_SESSION_get_protocol_version( sess ) )
{
case TLS1_VERSION:
m_certInfo.protocol = "TLSv1";
break;
case TLS1_1_VERSION:
m_certInfo.protocol = "TLSv1.1";
break;
case TLS1_2_VERSION:
m_certInfo.protocol = "TLSv1.2";
break;
#ifdef TLS1_3_VERSION
case TLS1_3_VERSION:
m_certInfo.protocol = "TLSv1.3";
break;
#endif // TLS1_3_VERSION
default:
m_certInfo.protocol = "Unknown TLS version";
break;
}
}
tmp = SSL_COMP_get_name( SSL_get_current_compression( m_ssl ) );
if( tmp )
m_certInfo.compression = tmp;
m_valid = true;
m_handler->handleHandshakeResult( this, true, m_certInfo );
return true;
}
