    /**
     * Build an SSLManager around a single SSL_CTX created from `params`.
     *
     * Performs OpenSSL's process-wide setup (library init, error-string
     * tables, optional FIPS mode, digest/cipher table), creates the context,
     * applies per-context options, then loads the PEM / CA / CRL files, each
     * only when its param is non-empty. Certificate validation starts off
     * (`_validateCertificates` is false here); what later enables it is
     * outside this block.
     *
     * Failures are reported through massert/uasserted. NOTE(review): if those
     * helpers throw, the destructor does not run, so the SSL_CTX created by
     * SSL_CTX_new below is not released on the later error paths -- confirm
     * that is acceptable for this object's lifetime.
     */
    SSLManager::SSLManager(const Params& params) :
        _validateCertificates(false),
        _weakValidation(params.weakCertificateValidation) {

        // Process-wide OpenSSL setup; the error-string tables are what make
        // the ERR_get_error() code below readable.
        SSL_library_init();
        SSL_load_error_strings();
        ERR_load_crypto_strings();

        // FIPS is configured before the algorithm table is populated;
        // _setupFIPS() itself is defined elsewhere.
        if (params.fipsMode) {
            _setupFIPS();
        }

        // Add all digests and ciphers to OpenSSL's internal table
        // so that encryption/decryption is backwards compatible
        OpenSSL_add_all_algorithms();

        // SSLv23_method() negotiates the protocol version with the peer.
        // NOTE(review): nothing in this block sets SSL_OP_NO_SSLv2 /
        // SSL_OP_NO_SSLv3, so the legacy SSL versions remain negotiable --
        // confirm this matches the intended protocol policy.
        _context = SSL_CTX_new(SSLv23_method());
        massert(15864,
                mongoutils::str::stream() << "can't create SSL Context: " <<
                _getSSLErrorMessage(ERR_get_error()),
                _context);

        // Activate all bug workaround options, to support buggy client SSL's.
        // NOTE(review): SSL_OP_ALL includes SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS,
        // which turns off OpenSSL's CBC countermeasure; a narrower option set
        // is preferable unless those buggy clients must be supported.
        SSL_CTX_set_options(_context, SSL_OP_ALL);

        // If renegotiation is needed, don't return from recv() or send() until it's successful.
        // Note: this is for blocking sockets only.
        SSL_CTX_set_mode(_context, SSL_MODE_AUTO_RETRY);

        // Set context within which session can be reused.
        // The bytes of the _context pointer itself (sizeof(_context) of them,
        // read via the address of the member) serve as an opaque id.
        int status = SSL_CTX_set_session_id_context(
            _context,
            static_cast<unsigned char*>(static_cast<void*>(&_context)),
            sizeof(_context));
        if (!status) {
            uasserted(16768,"ssl initialization problem");
        }

        // Per-thread OpenSSL bookkeeping; semantics live in SSLThreadInfo (not shown).
        SSLThreadInfo::init();
        SSLThreadInfo::get();

        // Each file is optional; the distinct assertion codes (16562/16563/16582)
        // identify which step failed since the message text is identical.
        if (!params.pemfile.empty()) {
            if (!_setupPEM(params.pemfile, params.pempwd)) {
                uasserted(16562, "ssl initialization problem"); 
            }
        }
        if (!params.cafile.empty()) {
            // Set up certificate validation with a certificate authority
            if (!_setupCA(params.cafile)) {
                uasserted(16563, "ssl initialization problem"); 
            }
        }
        if (!params.crlfile.empty()) {
            if (!_setupCRL(params.crlfile)) {
                uasserted(16582, "ssl initialization problem");
            }
        }
    }
    /**
     * Build an SSLManager with separate client and (for servers) server
     * contexts.
     *
     * After OpenSSL's process-wide setup, `_clientContext` is always created
     * via _initSSLContext(); when `isServer` is true `_serverContext` is
     * created as well, otherwise it is set to NULL. Subject names are then
     * read from the PEM file (and from the cluster file for outgoing
     * connections when one is given). Per-context options such as protocol
     * version restrictions are not visible here -- presumably they live in
     * _initSSLContext(); verify there.
     *
     * NOTE(review): if uasserted throws after _initSSLContext() succeeded,
     * the destructor does not run; whether the contexts then need explicit
     * freeing depends on _initSSLContext() (not shown).
     */
    SSLManager::SSLManager(const Params& params, bool isServer) :
        _validateCertificates(false),
        _weakValidation(params.weakCertificateValidation) {

        // Process-wide OpenSSL setup (library, error-string tables).
        SSL_library_init();
        SSL_load_error_strings();
        ERR_load_crypto_strings();

        // FIPS is configured before the algorithm table is populated.
        if (params.fipsMode) {
            _setupFIPS();
        }

        // Add all digests and ciphers to OpenSSL's internal table
        // so that encryption/decryption is backwards compatible
        OpenSSL_add_all_algorithms();
 
        // Per-thread OpenSSL bookkeeping; semantics live in SSLThreadInfo (not shown).
        SSLThreadInfo::init();
        SSLThreadInfo::get();

        // Both roles make outgoing connections, so the client context is unconditional.
        if (!_initSSLContext(&_clientContext, params)) {
            uasserted(16768, "ssl initialization problem"); 
        }

        // SSL client specific initialization
        if (!isServer) {
            _serverContext = NULL;

            // A client may run without a certificate; only read the subject
            // name when a PEM file was supplied.
            if (!params.pemfile.empty()) {
                if (!_setSubjectName(params.pemfile, _clientSubjectName)) {
                    uasserted(16941, "ssl initialization problem"); 
                }
            }
        }
        // SSL server specific initialization
        if (isServer) {
            if (!_initSSLContext(&_serverContext, params)) {
                uasserted(16562, "ssl initialization problem"); 
            }

            // Unlike the client branch there is no empty-pemfile check here;
            // presumably a server is always configured with one -- verify
            // against the caller.
            if (!_setSubjectName(params.pemfile, _serverSubjectName)) {
                uasserted(16942, "ssl initialization problem"); 
            }
            // use the cluster certificate for outgoing connections if specified
            if (!params.clusterfile.empty()) {
                if (!_setSubjectName(params.clusterfile, _clientSubjectName)) {
                    uasserted(16943, "ssl initialization problem"); 
                }
            }
            else { 
                // No cluster file: outgoing connections present the server's
                // own certificate, so its subject name doubles as the client one.
                if (!_setSubjectName(params.pemfile, _clientSubjectName)) {
                    uasserted(16944, "ssl initialization problem"); 
                }
            }
        }
    }
    /**
     * One-time, process-wide OpenSSL initialization, serialized by sslInitMtx.
     *
     * Subsequent calls are no-ops once `sslInitialized` is set. The flag is
     * only written after every step has completed, so if a step throws the
     * next caller attempts the initialization again. FIPS setup (when
     * requested in `params`) is kept ahead of OpenSSL_add_all_algorithms();
     * do not reorder these.
     */
    void SSLManager::_initializeSSL(const SSLParams& params) {
        scoped_lock lk(sslInitMtx);
        if (!sslInitialized) {
            // Library init plus the error-string tables for readable errors.
            SSL_library_init();
            SSL_load_error_strings();
            ERR_load_crypto_strings();

            if (params.fipsMode) _setupFIPS();

            // Register every digest and cipher in OpenSSL's internal table so
            // that encryption/decryption stays backwards compatible.
            OpenSSL_add_all_algorithms();

            sslInitialized = true;
        }
    }