void
augd::createsslctxs(sslctxs& sslctxs, const options& options, char* frobpass)
{
const char* contexts = options.get("ssl.contexts", 0);
if (contexts) {
istringstream is(contexts);
string name;
while (is >> name)
sslctxs.insert(make_pair(name, createsslctx(name, options,
frobpass)));
}
}
sslctxptr
augd::createsslctx(const string& name, const options& options,
char* frobpass)
{
string s("ssl.context.");
s += name;
// Read ssl options from configuration.
const char* certfile(options.get(s + ".certfile", 0));
const char* keyfile(options.get(s + ".keyfile", 0));
const char* cadir(options.get(s + ".cadir", 0));
const char* cafile(options.get(s + ".cafile", 0));
const char* crlfile(options.get(s + ".crlfile", 0));
const char* ciphers(options.get(s + ".ciphers", 0));
int depth(atoi(options.get(s + ".depth", "1")));
int verify(atoi(options.get(s + ".verify", "1")));
sslctxptr ptr(new (tlx) sslctx());
SSL_CTX* ctx(ptr->get());
// Load keys and certificates.
if (certfile) {
if (!SSL_CTX_use_certificate_file(ctx, certfile, SSL_FILETYPE_ASN1)) {
ERR_clear_error();
if (!SSL_CTX_use_certificate_chain_file(ctx, certfile))
throw ssl_error(__FILE__, __LINE__, ERR_get_error());
}
if (!keyfile)
keyfile = certfile;
}
SSL_CTX_set_default_passwd_cb(ctx, passwdcb_);
SSL_CTX_set_default_passwd_cb_userdata(ctx, frobpass);
if (keyfile) {
if (!SSL_CTX_use_PrivateKey_file(ctx, keyfile, SSL_FILETYPE_ASN1)) {
ERR_clear_error();
if (!SSL_CTX_use_PrivateKey_file(ctx, keyfile, SSL_FILETYPE_PEM))
throw ssl_error(__FILE__, __LINE__, ERR_get_error());
}
}
// Load trusted CAs.
if ((cafile || cadir)
&& !SSL_CTX_load_verify_locations(ctx, cafile, cadir))
throw ssl_error(__FILE__, __LINE__, ERR_get_error());
if (ciphers && !SSL_CTX_set_cipher_list(ctx, ciphers))
throw ssl_error(__FILE__, __LINE__, ERR_get_error());
SSL_CTX_set_info_callback(ctx, infocb_);
SSL_CTX_set_verify(ctx, tomode_(verify), verifycb_);
SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
SSL_CTX_set_verify_depth(ctx, verify);
if (crlfile) {
X509_STORE* store(SSL_CTX_get_cert_store(ctx));
X509_LOOKUP* lookup;
if (!(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file())))
throw ssl_error(__FILE__, __LINE__, ERR_get_error());
if (!X509_load_crl_file(lookup, crlfile, X509_FILETYPE_PEM))
throw ssl_error(__FILE__, __LINE__, ERR_get_error());
X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK
| X509_V_FLAG_CRL_CHECK_ALL);
}
return ptr;
}
