void Context::flushSessionCache()
{
poco_assert (isForServerUse());
Poco::Timestamp now;
SSL_CTX_flush_sessions(_pSSLContext, static_cast<long>(now.epochTime()));
}
void SSLContext::enableSessionCache(bool flag)
{
if (flag)
{
SSL_CTX_set_session_cache_mode(_sslContext, isForServerUse() ? SSL_SESS_CACHE_SERVER : SSL_SESS_CACHE_CLIENT);
}
else
{
SSL_CTX_set_session_cache_mode(_sslContext, SSL_SESS_CACHE_OFF);
}
}
SSLContext::SSLContext(
Usage usage,
const std::string& caLocation,
VerificationMode verificationMode,
int verificationDepth,
bool loadDefaultCAs,
const std::string& cipherList):
_usage(usage),
_mode(verificationMode),
_sslContext(0),
_extendedVerificationErrorDetails(true)
{
crypto::initializeEngine();
createSSLContext();
int errCode = 0;
if (!caLocation.empty())
{
if (fs::isdir(caLocation))
errCode = SSL_CTX_load_verify_locations(_sslContext, 0, fs::transcode(caLocation).c_str());
else
errCode = SSL_CTX_load_verify_locations(_sslContext, fs::transcode(caLocation).c_str(), 0);
if (errCode != 1)
{
std::string msg = getLastError();
SSL_CTX_free(_sslContext);
throw std::runtime_error(std::string("SSL Error: Cannot load CA file/directory at ") + caLocation + ": " + msg);
}
}
if (loadDefaultCAs)
{
errCode = SSL_CTX_set_default_verify_paths(_sslContext);
if (errCode != 1)
{
std::string msg = getLastError();
SSL_CTX_free(_sslContext);
throw std::runtime_error("SSL Error: Cannot load default CA certificates: " + msg);
}
}
if (isForServerUse())
SSL_CTX_set_verify(_sslContext, verificationMode, &SSLManager::verifyServerCallback);
else
SSL_CTX_set_verify(_sslContext, verificationMode, &SSLManager::verifyClientCallback);
SSL_CTX_set_cipher_list(_sslContext, cipherList.c_str());
SSL_CTX_set_verify_depth(_sslContext, verificationDepth);
SSL_CTX_set_mode(_sslContext, SSL_MODE_AUTO_RETRY);
SSL_CTX_set_session_cache_mode(_sslContext, SSL_SESS_CACHE_OFF);
}
void SSLContext::enableSessionCache(bool flag, const std::string& sessionIdContext)
{
assert(isForServerUse());
if (flag)
{
SSL_CTX_set_session_cache_mode(_sslContext, SSL_SESS_CACHE_SERVER);
}
else
{
SSL_CTX_set_session_cache_mode(_sslContext, SSL_SESS_CACHE_OFF);
}
unsigned length = static_cast<unsigned>(sessionIdContext.length());
if (length > SSL_MAX_SSL_SESSION_ID_LENGTH) length = SSL_MAX_SSL_SESSION_ID_LENGTH;
int rc = SSL_CTX_set_session_id_context(_sslContext, reinterpret_cast<const unsigned char*>(sessionIdContext.data()), length);
if (rc != 1) throw std::runtime_error("SSL Error: cannot set session ID context");
}
void SSLContext::setSessionTimeout(long seconds)
{
assert(isForServerUse());
SSL_CTX_set_timeout(_sslContext, seconds);
}
std::size_t SSLContext::getSessionCacheSize() const
{
assert(isForServerUse());
return static_cast<std::size_t>(SSL_CTX_sess_get_cache_size(_sslContext));
}
void SSLContext::setSessionCacheSize(std::size_t size)
{
assert(isForServerUse());
SSL_CTX_sess_set_cache_size(_sslContext, static_cast<long>(size));
}
long Context::getSessionTimeout() const
{
poco_assert (isForServerUse());
return SSL_CTX_get_timeout(_pSSLContext);
}
void Context::init(const Params& params)
{
Poco::Crypto::OpenSSLInitializer::initialize();
createSSLContext();
try
{
int errCode = 0;
if (!params.caLocation.empty())
{
Poco::File aFile(params.caLocation);
if (aFile.isDirectory())
errCode = SSL_CTX_load_verify_locations(_pSSLContext, 0, Poco::Path::transcode(params.caLocation).c_str());
else
errCode = SSL_CTX_load_verify_locations(_pSSLContext, Poco::Path::transcode(params.caLocation).c_str(), 0);
if (errCode != 1)
{
std::string msg = Utility::getLastError();
throw SSLContextException(std::string("Cannot load CA file/directory at ") + params.caLocation, msg);
}
}
if (params.loadDefaultCAs)
{
errCode = SSL_CTX_set_default_verify_paths(_pSSLContext);
if (errCode != 1)
{
std::string msg = Utility::getLastError();
throw SSLContextException("Cannot load default CA certificates", msg);
}
}
if (!params.privateKeyFile.empty())
{
errCode = SSL_CTX_use_PrivateKey_file(_pSSLContext, Poco::Path::transcode(params.privateKeyFile).c_str(), SSL_FILETYPE_PEM);
if (errCode != 1)
{
std::string msg = Utility::getLastError();
throw SSLContextException(std::string("Error loading private key from file ") + params.privateKeyFile, msg);
}
}
if (!params.certificateFile.empty())
{
errCode = SSL_CTX_use_certificate_chain_file(_pSSLContext, Poco::Path::transcode(params.certificateFile).c_str());
if (errCode != 1)
{
std::string errMsg = Utility::getLastError();
throw SSLContextException(std::string("Error loading certificate from file ") + params.certificateFile, errMsg);
}
}
if (isForServerUse())
SSL_CTX_set_verify(_pSSLContext, params.verificationMode, &SSLManager::verifyServerCallback);
else
SSL_CTX_set_verify(_pSSLContext, params.verificationMode, &SSLManager::verifyClientCallback);
SSL_CTX_set_cipher_list(_pSSLContext, params.cipherList.c_str());
SSL_CTX_set_verify_depth(_pSSLContext, params.verificationDepth);
SSL_CTX_set_mode(_pSSLContext, SSL_MODE_AUTO_RETRY);
SSL_CTX_set_session_cache_mode(_pSSLContext, SSL_SESS_CACHE_OFF);
initDH(params.dhParamsFile);
initECDH(params.ecdhCurve);
}
catch (...)
{
SSL_CTX_free(_pSSLContext);
throw;
}
}
