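/*
 * Creates the file-scope `ssl_ctx` and loads the PEM certificate and private
 * key from `cert_file` / `key_file` into it.
 *
 * Returns 0 on success and -1 on failure. On failure the context created here
 * is freed and `ssl_ctx` is reset to NULL, so callers never observe a
 * half-initialized context.
 */
static int setup_ssl(const char *cert_file, const char *key_file)
{
    SSL_load_error_strings();
    SSL_library_init();
    OpenSSL_add_all_algorithms();

    ssl_ctx = SSL_CTX_new(SSLv23_server_method());
    if (ssl_ctx == NULL) {
        fprintf(stderr, "failed to create SSL context\n");
        return -1;
    }
    /* SSLv23_server_method() negotiates any version; SSLv2 and SSLv3 are both
     * broken, so refuse both rather than only SSLv2 */
    SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);

    /* load certificate and private key */
    if (SSL_CTX_use_certificate_file(ssl_ctx, cert_file, SSL_FILETYPE_PEM) != 1) {
        fprintf(stderr, "an error occured while trying to load server certificate file:%s\n", cert_file);
        goto Error;
    }
    if (SSL_CTX_use_PrivateKey_file(ssl_ctx, key_file, SSL_FILETYPE_PEM) != 1) {
        fprintf(stderr, "an error occured while trying to load private key file:%s\n", key_file);
        goto Error;
    }
    /* a key that does not belong to the certificate would otherwise only show
     * up as handshake failures once clients connect */
    if (SSL_CTX_check_private_key(ssl_ctx) != 1) {
        fprintf(stderr, "private key file:%s does not match certificate file:%s\n", key_file, cert_file);
        goto Error;
    }

    /* setup protocol negotiation methods */
#if H2O_USE_NPN
    h2o_ssl_register_npn_protocols(ssl_ctx, h2o_http2_npn_protocols);
#endif
#if H2O_USE_ALPN
    h2o_ssl_register_alpn_protocols(ssl_ctx, h2o_http2_alpn_protocols);
#endif
    return 0;

Error:
    /* do not leave a context that failed to load its credentials behind */
    SSL_CTX_free(ssl_ctx);
    ssl_ctx = NULL;
    return -1;
}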
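/*
 * Builds the SSL_CTX for a `listen` entry from its `ssl` mapping, which must
 * carry the scalar properties `certificate-file` and `key-file`.
 *
 * Configuration errors are reported through h2o_config_print_error; OpenSSL
 * failures additionally dump the error queue to stderr.
 *
 * Returns the new context (owned by the caller) or NULL on any failure, in
 * which case nothing allocated here is leaked.
 */
static SSL_CTX *on_config_listen_setup_ssl(h2o_configurator_command_t *cmd, const char *config_file, yoml_t *config_node)
{
    SSL_CTX *ssl_ctx = NULL;
    const char *cert_file = NULL, *key_file = NULL;
    yoml_t *t;

    /* parse */
    if (config_node->type != YOML_TYPE_MAPPING) {
        h2o_config_print_error(cmd, config_file, config_node, "`ssl` is not a mapping");
        goto Error;
    }
    if ((t = yoml_get(config_node, "certificate-file")) == NULL) {
        h2o_config_print_error(cmd, config_file, config_node, "could not find mandatory property `certificate-file`");
        goto Error;
    } else if (t->type != YOML_TYPE_SCALAR) {
        h2o_config_print_error(cmd, config_file, t, "the property must be a string");
        goto Error;
    }
    cert_file = t->data.scalar;
    if ((t = yoml_get(config_node, "key-file")) == NULL) {
        h2o_config_print_error(cmd, config_file, config_node, "could not find mandatory property `key-file`");
        goto Error;
    } else if (t->type != YOML_TYPE_SCALAR) {
        h2o_config_print_error(cmd, config_file, t, "the property must be a string");
        goto Error;
    }
    key_file = t->data.scalar;

    /* setup */
    init_openssl();
    ssl_ctx = SSL_CTX_new(SSLv23_server_method());
    if (ssl_ctx == NULL) {
        /* setup_ecc_key() and the loaders below would dereference NULL */
        h2o_config_print_error(cmd, config_file, config_node, "failed to create SSL context");
        ERR_print_errors_fp(stderr);
        goto Error;
    }
    /* SSLv23_server_method() negotiates any version; SSLv2 and SSLv3 are both
     * broken, so refuse both rather than only SSLv2 */
    SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
    setup_ecc_key(ssl_ctx);
    if (SSL_CTX_use_certificate_file(ssl_ctx, cert_file, SSL_FILETYPE_PEM) != 1) {
        h2o_config_print_error(cmd, config_file, config_node, "failed to load certificate file:%s\n", cert_file);
        ERR_print_errors_fp(stderr);
        goto Error;
    }
    if (SSL_CTX_use_PrivateKey_file(ssl_ctx, key_file, SSL_FILETYPE_PEM) != 1) {
        h2o_config_print_error(cmd, config_file, config_node, "failed to load private key file:%s\n", key_file);
        ERR_print_errors_fp(stderr);
        goto Error;
    }
    /* catch a key/certificate mismatch at configuration time instead of as
     * handshake failures once clients connect */
    if (SSL_CTX_check_private_key(ssl_ctx) != 1) {
        h2o_config_print_error(cmd, config_file, config_node, "private key file:%s does not match certificate file:%s\n", key_file,
                               cert_file);
        ERR_print_errors_fp(stderr);
        goto Error;
    }

    /* setup protocol negotiation methods */
#if H2O_USE_NPN
    h2o_ssl_register_npn_protocols(ssl_ctx, h2o_http2_npn_protocols);
#endif
#if H2O_USE_ALPN
    h2o_ssl_register_alpn_protocols(ssl_ctx, h2o_http2_alpn_protocols);
#endif
    return ssl_ctx;

Error:
    /* SSL_CTX_free(NULL) is a no-op, so no guard is needed */
    SSL_CTX_free(ssl_ctx);
    return NULL;
}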
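/*
 * One-time process-wide OpenSSL setup: installs the static and dynamic locking
 * callbacks needed for thread safety, then creates `global_data->ssl_ctx` as a
 * TLS 1.2 server context and loads the certificate and key named by
 * `config->cert` / `config->key`.
 *
 * Failures are fatal, following the CHECK_ERROR / CHECK_OPENSSL_ERROR
 * convention used for the other calls in this function.
 */
void initialize_openssl(const config_t *config, global_data_t *global_data)
{
    SSL_library_init();
    SSL_load_error_strings();

    /* static locks: one mutex per lock id OpenSSL asks for */
    openssl_global_data.num_lock = CRYPTO_num_locks();
    openssl_global_data.lock = calloc(openssl_global_data.num_lock, sizeof(*openssl_global_data.lock));
    if (openssl_global_data.lock == NULL) {
        /* pthread_mutex_init below would otherwise write through NULL */
        fprintf(stderr, "failed to allocate %zu OpenSSL locks\n", (size_t)openssl_global_data.num_lock);
        abort();
    }
    CHECK_ERROR(pthread_mutexattr_init, &openssl_global_data.lock_attr);
    CHECK_ERROR(pthread_mutexattr_settype, &openssl_global_data.lock_attr, PTHREAD_MUTEX_ADAPTIVE_NP);
    for (size_t i = 0; i < openssl_global_data.num_lock; i++)
        CHECK_ERROR(pthread_mutex_init, openssl_global_data.lock + i, &openssl_global_data.lock_attr);
    CRYPTO_set_locking_callback(locking_function);
    CRYPTO_set_dynlock_create_callback(dyn_create_function);
    CRYPTO_set_dynlock_destroy_callback(dyn_destroy_function);
    CRYPTO_set_dynlock_lock_callback(dyn_lock_function);

    /* server context: TLS 1.2 only, so no SSL_OP_NO_* downgrade options are needed */
    global_data->ssl_ctx = SSL_CTX_new(TLSv1_2_server_method());
    if (global_data->ssl_ctx == NULL) {
        fprintf(stderr, "failed to create SSL context\n");
        abort();
    }
#if OPENSSL_VERSION_NUMBER >= 0x1000200fL
    /* automatic ECDH curve selection and ALPN both require OpenSSL 1.0.2 */
    SSL_CTX_set_ecdh_auto(global_data->ssl_ctx, 1);
    h2o_ssl_register_alpn_protocols(global_data->ssl_ctx, h2o_http2_alpn_protocols);
#endif
    /* a cipher string that matches nothing returns 0 and must not be ignored */
    CHECK_OPENSSL_ERROR(SSL_CTX_set_cipher_list, global_data->ssl_ctx, "DEFAULT:!3DES:!RC4");
    CHECK_OPENSSL_ERROR(SSL_CTX_use_certificate_file, global_data->ssl_ctx, config->cert, SSL_FILETYPE_PEM);
    CHECK_OPENSSL_ERROR(SSL_CTX_use_PrivateKey_file, global_data->ssl_ctx, config->key, SSL_FILETYPE_PEM);
    /* a key/certificate mismatch would otherwise only surface at handshake time */
    CHECK_OPENSSL_ERROR(SSL_CTX_check_private_key, global_data->ssl_ctx);
}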