/**
 * Load the server certificate/key pair into the GnuTLS credential object.
 *
 * Allocates the file-scope x509_cred, applies the DH parameters obtained
 * from Load_DH_params() and reads the PEM certificate and key named in
 * Conf_SSLOptions. When no CertFile is configured the KeyFile is used for
 * the certificate as well.
 *
 * @return true when the credentials are fully set up, false on any error
 *         (the error is logged before returning).
 *
 * NOTE(review): x509_cred is not released on the failure paths below;
 * whether the caller frees it is not visible here -- confirm.
 */
static bool
ConnSSL_LoadServerKey_gnutls(void)
{
	const char *key_file = Conf_SSLOptions.KeyFile;
	const char *cert_file = Conf_SSLOptions.CertFile;
	int rc;

	rc = gnutls_certificate_allocate_credentials(&x509_cred);
	if (rc < 0) {
		Log(LOG_ERR, "gnutls_certificate_allocate_credentials: %s", gnutls_strerror(rc));
		return false;
	}

	/* Without a separate CertFile the certificate is expected in the key file. */
	if (!cert_file)
		cert_file = key_file;
	if (!cert_file) {
		Log(LOG_NOTICE, "No SSL server key configured, SSL disabled.");
		return false;
	}

	/* A passphrase may be configured, but this backend cannot use it. */
	if (array_bytes(&Conf_SSLOptions.KeyFilePassword))
		Log(LOG_WARNING,
		    "Ignoring KeyFilePassword: Not supported by GNUTLS.");

	if (!Load_DH_params())
		return false;
	gnutls_certificate_set_dh_params(x509_cred, dh_params);

	rc = gnutls_certificate_set_x509_key_file(x509_cred, cert_file, key_file,
						 GNUTLS_X509_FMT_PEM);
	if (rc < 0) {
		Log(LOG_ERR, "gnutls_certificate_set_x509_key_file (cert %s, key %s): %s",
		    cert_file, key_file ? key_file : "(NULL)", gnutls_strerror(rc));
		return false;
	}
	return true;
}
/**
 * Load the server private key and certificate chain into an OpenSSL context.
 *
 * Installs pem_passwd_cb with Conf_SSLOptions.KeyFilePassword as its user
 * data so an encrypted key can be decoded, loads KeyFile and the certificate
 * chain (CertFile, or KeyFile when no CertFile is configured), verifies that
 * key and certificate belong together and finally installs DH parameters if
 * Load_DH_params() provides any.
 *
 * The stored passphrase is released with array_free_wipe() once the key
 * material has been read, on both the success and the failure paths.
 *
 * @param ctx  SSL context to configure; must not be NULL.
 * @return true on success; false on a fatal error after logging it.
 *         A failure to install DH parameters is logged but not fatal.
 */
static bool
ConnSSL_LoadServerKey_openssl(SSL_CTX *ctx)
{
	char *chain_file;
	const char *failure = NULL;
	const char *failure_arg = NULL;

	assert(ctx);

	if (!Conf_SSLOptions.KeyFile) {
		Log(LOG_ERR, "No SSL server key configured!");
		return false;
	}

	/* The callback reads KeyFilePassword while the PEM key is decoded. */
	SSL_CTX_set_default_passwd_cb(ctx, pem_passwd_cb);
	SSL_CTX_set_default_passwd_cb_userdata(ctx, &Conf_SSLOptions.KeyFilePassword);

	if (SSL_CTX_use_PrivateKey_file(ctx, Conf_SSLOptions.KeyFile, SSL_FILETYPE_PEM) != 1) {
		failure = "Failed to add private key";
		failure_arg = Conf_SSLOptions.KeyFile;
		goto fail;
	}

	chain_file = Conf_SSLOptions.CertFile ? Conf_SSLOptions.CertFile : Conf_SSLOptions.KeyFile;
	if (SSL_CTX_use_certificate_chain_file(ctx, chain_file) != 1) {
		failure = "Failed to load certificate chain";
		failure_arg = chain_file;
		goto fail;
	}

	/* Key and chain are read: the passphrase is no longer needed. */
	array_free_wipe(&Conf_SSLOptions.KeyFilePassword);

	if (!SSL_CTX_check_private_key(ctx)) {
		LogOpenSSLError("Server private key does not match certificate", NULL);
		return false;
	}

	if (Load_DH_params()) {
		if (SSL_CTX_set_tmp_dh(ctx, dh_params) != 1)
			LogOpenSSLError("Error setting DH parameters", Conf_SSLOptions.DHFile);
		/* Not fatal: the non-DH modes still work without parameters. */
		DH_free(dh_params);
		dh_params = NULL;
	}
	return true;

fail:
	/* Same order as the original early returns: wipe first, then report. */
	array_free_wipe(&Conf_SSLOptions.KeyFilePassword);
	LogOpenSSLError(failure, failure_arg);
	return false;
}