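/*
 * Build a server-side SSL_CTX for the IPFIX transport.
 *
 * ssl_ctx      out: receives the new context on success; left untouched
 *              on failure.
 * method       SSL method to use; NULL selects SSLv23_method(), the
 *              version-flexible method.
 * ssl_details  certificate/key/CA options, passed through to
 *              ipfix_ssl_setup_ctx().
 *
 * Returns 0 on success, -1 on error.  On error the partially built
 * context is freed before returning.
 */
int ipfix_ssl_setup_server_ctx( SSL_CTX **ssl_ctx, SSL_METHOD *method,
                                ipfix_ssl_opts_t *ssl_details )
{
    SSL_CTX *ctx;

    if ( ipfix_ssl_setup_ctx( &ctx, method ? method : SSLv23_method(),
                              ssl_details ) < 0 ) {
        return -1;
    }

    /* require a client certificate and fail the handshake without one */
    SSL_CTX_set_verify( ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
                        ipfix_ssl_verify_callback );
    /* bound the chain depth accepted during verification */
    SSL_CTX_set_verify_depth( ctx, 4 );

    /* SSLv23_method() negotiates any version; SSLv2 and SSLv3 are both
     * broken protocols, so refuse them explicitly (the original only
     * excluded SSLv2, leaving SSLv3 negotiable). */
    SSL_CTX_set_options( ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3
                              | SSL_OP_SINGLE_DH_USE );

    /* DH parameters are generated lazily and served via the callback */
    if ( !dh512 || !dh1024 ) {
        init_dhparams();
    }
    SSL_CTX_set_tmp_dh_callback( ctx, ipfix_ssl_tmp_dh_callback );

    if ( SSL_CTX_set_cipher_list( ctx, CIPHER_LIST ) != 1 ) {
        mlogf( 0, "[ipfix] error setting cipher list (no valid ciphers)" );
        goto err;
    }

    *ssl_ctx = ctx;
    return 0;

 err:
    SSL_CTX_free( ctx );
    return -1;
}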
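/*
 * Temporary-DH callback: hand OpenSSL pre-generated Diffie-Hellman
 * parameters for the requested key length.  dh512/dh1024 are created
 * lazily by init_dhparams() on first use; nothing is generated here.
 *
 * ssl        unused; selection depends only on keylength.
 * is_export  unused.
 * keylength  requested parameter size in bits.
 *
 * Returns dh512 for a 512-bit request and dh1024 for every other size.
 * The original left `ret` uninitialized for any keylength other than
 * 512 or 1024 and so returned an indeterminate pointer; all other sizes
 * now fall back to the 1024-bit parameters, matching the sibling
 * implementations of this callback.
 */
DH* tmp_dh_callback(SSL* ssl, int is_export, int keylength)
{
    DH* ret;

    (void)ssl;
    (void)is_export;

    if (!dh512 || !dh1024) {
        init_dhparams();
    }

    switch (keylength) {
    case 512:
        ret = dh512;
        break;
    case 1024:
    default:
        /* generating parameters on the fly is too costly; reuse 1024-bit */
        ret = dh1024;
        break;
    }
    return ret;
}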
// simply switches on the required key size and returns either a 512-bit DH // params or a 1024-bit DH params. // This function intertionally does not try to perform any on-the-fly // generation of params. DH * tmp_dh_callback(SSL * ssl, int is_export, int keylength) { DH * ret; if (!dh512 || !dh1024) init_dhparams(); switch (keylength) { case 512: ret = dh512; break; case 1024: default: //generating DH params is too costly to do on the fly ret = dh1024; break; } return ret; }
// Temporary-DH callback: returns pre-generated parameters for the requested
// key size (512-bit set for 512, 1024-bit set for everything else), building
// them via init_dhparams() on first use.  A message is written to stdout on
// every invocation; its wording is kept verbatim.
DH *tmp_dh_callback(SSL *ssl, int is_export, int keylength)
{
    (void)ssl;        // unused: selection depends only on keylength
    (void)is_export;  // unused

    if (!dh512 || !dh1024) {
        init_dhparams();
    }

    DH *params = (keylength == 512) ? dh512 : dh1024;

    // '\n' + flush is what std::endl does; spelled out to make the flush visible
    std::cout << "ephimeral key created" << '\n' << std::flush;
    return params;
}