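/**
 * Builds the single SSL context owned by this manager from the supplied
 * parameters.
 *
 * Initializes OpenSSL library state (and FIPS mode when requested), creates
 * the context, hardens its protocol options, sets the session-id context, and
 * then loads the PEM key/certificate, CA file and CRL file for each path that
 * is non-empty.
 *
 * @param params  SSL configuration: pem/ca/crl file paths, PEM password,
 *                FIPS and weak-certificate-validation flags.
 * @throws via massert when the context cannot be created, and via uasserted
 *         when the session-id context or any configured file fails to load.
 */
SSLManager::SSLManager(const Params& params)
    : _validateCertificates(false), _weakValidation(params.weakCertificateValidation) {
    SSL_library_init();
    SSL_load_error_strings();
    ERR_load_crypto_strings();

    if (params.fipsMode) {
        _setupFIPS();
    }

    // Add all digests and ciphers to OpenSSL's internal table
    // so that encryption/decryption is backwards compatible
    OpenSSL_add_all_algorithms();

    _context = SSL_CTX_new(SSLv23_method());
    massert(15864,
            mongoutils::str::stream() << "can't create SSL Context: "
                                      << _getSSLErrorMessage(ERR_get_error()),
            _context);

    // Activate all bug workaround options, to support buggy client SSL's.
    // SSLv23_method() negotiates any protocol version the library was built
    // with, so SSLv2 and SSLv3 are refused explicitly: both are broken and no
    // TLS-capable peer needs them.
    // NOTE(review): SSL_OP_ALL also includes SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS,
    // which turns off OpenSSL's CBC empty-fragment countermeasure; confirm that
    // trade-off is still wanted.
    SSL_CTX_set_options(_context, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);

    // If renegotiation is needed, don't return from recv() or send() until it's successful.
    // Note: this is for blocking sockets only.
    SSL_CTX_set_mode(_context, SSL_MODE_AUTO_RETRY);

    // Set context within which session can be reused. The address of the
    // _context member serves as an opaque identifier unique to this manager.
    const int status = SSL_CTX_set_session_id_context(
        _context, static_cast<unsigned char*>(static_cast<void*>(&_context)), sizeof(_context));
    if (!status) {
        uasserted(16768, "ssl initialization problem");
    }

    SSLThreadInfo::init();
    SSLThreadInfo::get();

    // Each file is optional; a configured file that fails to load is fatal.
    if (!params.pemfile.empty() && !_setupPEM(params.pemfile, params.pempwd)) {
        uasserted(16562, "ssl initialization problem");
    }

    // Set up certificate validation with a certificate authority
    if (!params.cafile.empty() && !_setupCA(params.cafile)) {
        uasserted(16563, "ssl initialization problem");
    }

    if (!params.crlfile.empty() && !_setupCRL(params.crlfile)) {
        uasserted(16582, "ssl initialization problem");
    }
}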
/**
 * Initializes OpenSSL and builds the client context (and, for a server, the
 * server context) owned by this manager.
 *
 * Every manager gets a client context for outgoing connections. A server also
 * gets a server context and records the subject name of the certificate it
 * presents; its outgoing connections use the cluster certificate's subject
 * name when a cluster file is configured, otherwise the server PEM's.
 *
 * @param params    SSL configuration (PEM and cluster file paths, FIPS flag, ...).
 * @param isServer  true to additionally set up the server-side context.
 * @throws via uasserted when any context or subject name cannot be set up.
 */
SSLManager::SSLManager(const Params& params, bool isServer)
    : _validateCertificates(false), _weakValidation(params.weakCertificateValidation) {
    SSL_library_init();
    SSL_load_error_strings();
    ERR_load_crypto_strings();

    if (params.fipsMode) {
        _setupFIPS();
    }

    // Add all digests and ciphers to OpenSSL's internal table
    // so that encryption/decryption is backwards compatible
    OpenSSL_add_all_algorithms();

    SSLThreadInfo::init();
    SSLThreadInfo::get();

    // Needed by clients and servers alike: the context for outgoing connections.
    if (!_initSSLContext(&_clientContext, params)) {
        uasserted(16768, "ssl initialization problem");
    }

    if (!isServer) {
        // SSL client specific initialization: no server context, and the client
        // subject name is taken from the PEM file only when one is configured.
        _serverContext = NULL;
        if (!params.pemfile.empty() && !_setSubjectName(params.pemfile, _clientSubjectName)) {
            uasserted(16941, "ssl initialization problem");
        }
        return;
    }

    // SSL server specific initialization
    if (!_initSSLContext(&_serverContext, params)) {
        uasserted(16562, "ssl initialization problem");
    }
    // NOTE(review): unlike the client path, params.pemfile is not checked for
    // emptiness here — presumably a server is required to have one; confirm
    // against the option validation in the caller.
    if (!_setSubjectName(params.pemfile, _serverSubjectName)) {
        uasserted(16942, "ssl initialization problem");
    }

    // use the cluster certificate for outgoing connections if specified
    if (params.clusterfile.empty()) {
        if (!_setSubjectName(params.pemfile, _clientSubjectName)) {
            uasserted(16944, "ssl initialization problem");
        }
    } else if (!_setSubjectName(params.clusterfile, _clientSubjectName)) {
        uasserted(16943, "ssl initialization problem");
    }
}
/**
 * Performs the process-wide OpenSSL initialization exactly once.
 *
 * Serialized on sslInitMtx; the sslInitialized flag turns every later call
 * into a no-op. FIPS mode is enabled when params.fipsMode is set.
 *
 * @param params  SSL parameters; only fipsMode is consulted here.
 */
void SSLManager::_initializeSSL(const SSLParams& params) {
    scoped_lock lk(sslInitMtx);

    // Only the first caller to take the lock does any work.
    if (!sslInitialized) {
        SSL_library_init();
        SSL_load_error_strings();
        ERR_load_crypto_strings();

        if (params.fipsMode) {
            _setupFIPS();
        }

        // Add all digests and ciphers to OpenSSL's internal table
        // so that encryption/decryption is backwards compatible
        OpenSSL_add_all_algorithms();

        sslInitialized = true;
    }
}