static void perform_ssl_connection (void) { struct evhttp_connection *con; struct evhttp_request *req; struct bufferevent *bev; SSL_CTX *sctx; SSL *ssl; sctx = SSL_CTX_new (SSLv23_client_method ()); assert (sctx); SSL_CTX_set_options (sctx, SSL_OP_NO_TLSv1_2); //SSL_CTX_set_options (sctx, SSL_OP_ALL); SSL_CTX_set_timeout (sctx, 3000); SSL_CTX_set_verify (sctx, SSL_VERIFY_PEER, SSLX_CTX_verify_callback); SSL_CTX_set_default_verify_paths (sctx); SSL_CTX_set_cipher_list (sctx, "RC4-MD5"); ssl = SSL_new (sctx); assert (ssl); bev = bufferevent_openssl_socket_new (evbase, -1, ssl, BUFFEREVENT_SSL_CONNECTING , BEV_OPT_CLOSE_ON_FREE); //bev = bufferevent_socket_new (evbase, -1, BEV_OPT_CLOSE_ON_FREE); assert (bev); con = evhttp_connection_base_bufferevent_new (evbase, dnsbase, bev, HOST, PORT); evhttp_connection_set_closecb (con, on_connection_close, NULL); evhttp_connection_set_timeout (con, 10); req = evhttp_request_new (on_response_cb, NULL); evhttp_add_header (req->output_headers, "Host", HOST); // evhttp_add_header (req->output_headers, "Connection", "Keep-Alive"); evhttp_make_request (con, req, EVHTTP_REQ_GET, "/index.html"); }
int git_openssl_stream_global_init(void) { #ifdef GIT_OPENSSL long ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; /* Older OpenSSL and MacOS OpenSSL doesn't have this */ #ifdef SSL_OP_NO_COMPRESSION ssl_opts |= SSL_OP_NO_COMPRESSION; #endif SSL_load_error_strings(); OpenSSL_add_ssl_algorithms(); /* * Load SSLv{2,3} and TLSv1 so that we can talk with servers * which use the SSL hellos, which are often used for * compatibility. We then disable SSL so we only allow OpenSSL * to speak TLSv1 to perform the encryption itself. */ git__ssl_ctx = SSL_CTX_new(SSLv23_method()); SSL_CTX_set_options(git__ssl_ctx, ssl_opts); SSL_CTX_set_mode(git__ssl_ctx, SSL_MODE_AUTO_RETRY); SSL_CTX_set_verify(git__ssl_ctx, SSL_VERIFY_NONE, NULL); if (!SSL_CTX_set_default_verify_paths(git__ssl_ctx)) { SSL_CTX_free(git__ssl_ctx); git__ssl_ctx = NULL; return -1; } #endif git__on_shutdown(shutdown_ssl); return 0; }
/* sqSetupSSL: Common SSL setup tasks */ sqInt sqSetupSSL(sqSSL *ssl, int server) { /* Fixme. Needs to use specified version */ if(ssl->loglevel) printf("sqSetupSSL: setting method\n"); ssl->method = SSLv23_method(); if(ssl->loglevel) printf("sqSetupSSL: Creating context\n"); ssl->ctx = SSL_CTX_new(ssl->method); if(!ssl->ctx) ERR_print_errors_fp(stdout); if(ssl->loglevel) printf("sqSetupSSL: setting cipher list\n"); SSL_CTX_set_cipher_list(ssl->ctx, "!ADH:HIGH:MEDIUM:@STRENGTH"); /* if a cert is provided, use it */ if(ssl->certName) { if(ssl->loglevel) printf("sqSetupSSL: Using cert file %s\n", ssl->certName); if(SSL_CTX_use_certificate_file(ssl->ctx, ssl->certName, SSL_FILETYPE_PEM)<=0) ERR_print_errors_fp(stderr); if(SSL_CTX_use_PrivateKey_file(ssl->ctx, ssl->certName, SSL_FILETYPE_PEM)<=0) ERR_print_errors_fp(stderr); } /* Set up trusted CA */ if(ssl->loglevel) printf("sqSetupSSL: No root CA given; using default verify paths\n"); if(SSL_CTX_set_default_verify_paths(ssl->ctx) <=0) ERR_print_errors_fp(stderr); if(ssl->loglevel) printf("sqSetupSSL: Creating SSL\n"); ssl->ssl = SSL_new(ssl->ctx); if(ssl->loglevel) printf("sqSetupSSL: setting bios\n"); SSL_set_bio(ssl->ssl, ssl->bioRead, ssl->bioWrite); return 1; }
static int ssl_setup(git_transport *t, const char *host) { int ret; SSL_library_init(); SSL_load_error_strings(); t->ssl.ctx = SSL_CTX_new(SSLv23_method()); if (t->ssl.ctx == NULL) return ssl_set_error(&t->ssl, 0); SSL_CTX_set_mode(t->ssl.ctx, SSL_MODE_AUTO_RETRY); SSL_CTX_set_verify(t->ssl.ctx, SSL_VERIFY_PEER, NULL); if (!SSL_CTX_set_default_verify_paths(t->ssl.ctx)) return ssl_set_error(&t->ssl, 0); t->ssl.ssl = SSL_new(t->ssl.ctx); if (t->ssl.ssl == NULL) return ssl_set_error(&t->ssl, 0); if((ret = SSL_set_fd(t->ssl.ssl, t->socket)) == 0) return ssl_set_error(&t->ssl, ret); if ((ret = SSL_connect(t->ssl.ssl)) <= 0) return ssl_set_error(&t->ssl, ret); if (t->check_cert && verify_server_cert(t, host) < 0) return -1; return 0; }
int _ssl_ctx_set_packed_file(void *ctx, const char *cfile) { _SSLO_CTX *so = ctx; if (ctx == NULL) { return ERR_TR50_BADHANDLE; } if (SSL_CTX_use_certificate_chain_file(so->ctx, cfile) != 1) { //so->errcode = ERR_get_error(); //ERR_error_string_n(so->errcode, so->errmsg, SSL_ERR_STR_LEN); return ERR_TR50_SSL_CTX; } if (SSL_CTX_load_verify_locations(so->ctx, cfile, NULL) != 1) { //so->errcode = ERR_get_error(); //ERR_error_string_n(so->errcode, so->errmsg, SSL_ERR_STR_LEN); return ERR_TR50_SSL_CTX; } if (SSL_CTX_set_default_verify_paths(so->ctx) != 1) { //so->errcode = ERR_get_error(); //ERR_error_string_n(so->errcode, so->errmsg, SSL_ERR_STR_LEN); return ERR_TR50_SSL_CTX; } SSL_CTX_set_default_passwd_cb(so->ctx, _ssl_ctx_passwd_cb); SSL_CTX_set_default_passwd_cb_userdata(so->ctx, so->passwd); if (SSL_CTX_use_PrivateKey_file(so->ctx, cfile, SSL_FILETYPE_PEM) != 1) { //so->errcode = ERR_get_error(); //ERR_error_string_n(so->errcode, so->errmsg, SSL_ERR_STR_LEN); return ERR_TR50_SSL_CTX; } return 0; }
SSL *getSSL(void) { if (!context) { const SSL_METHOD *m; unsigned char f_randfile[PATH_MAX]; const unsigned char *f = (const unsigned char *)RAND_file_name(cast_char f_randfile, sizeof(f_randfile)); if (f && RAND_egd(cast_const_char f)<0) { /* Not an EGD, so read and write to it */ if (RAND_load_file(cast_const_char f_randfile, -1)) RAND_write_file(cast_const_char f_randfile); } SSLeay_add_ssl_algorithms(); m = SSLv23_client_method(); if (!m) return NULL; context = SSL_CTX_new((void *)m); if (!context) return NULL; SSL_CTX_set_options(context, SSL_OP_ALL); SSL_CTX_set_default_verify_paths(context); /* needed for systems without /dev/random, but obviously kills security. */ /*{ unsigned char pool[32768]; int i; int rs; struct timeval tv; EINTRLOOP(rs, gettimeofday(&tv, NULL)); for (i = 0; i < sizeof pool; i++) pool[i] = random() ^ tv.tv_sec ^ tv.tv_usec; RAND_add(pool, sizeof pool, sizeof pool); }*/ } return (SSL_new(context)); }
static int ssl_setup(gitno_socket *socket, const char *host, int flags) { int ret; SSL_library_init(); SSL_load_error_strings(); socket->ssl.ctx = SSL_CTX_new(SSLv23_method()); if (socket->ssl.ctx == NULL) return ssl_set_error(&socket->ssl, 0); SSL_CTX_set_mode(socket->ssl.ctx, SSL_MODE_AUTO_RETRY); SSL_CTX_set_verify(socket->ssl.ctx, SSL_VERIFY_NONE, NULL); if (!SSL_CTX_set_default_verify_paths(socket->ssl.ctx)) return ssl_set_error(&socket->ssl, 0); socket->ssl.ssl = SSL_new(socket->ssl.ctx); if (socket->ssl.ssl == NULL) return ssl_set_error(&socket->ssl, 0); if((ret = SSL_set_fd(socket->ssl.ssl, socket->socket)) == 0) return ssl_set_error(&socket->ssl, ret); if ((ret = SSL_connect(socket->ssl.ssl)) <= 0) return ssl_set_error(&socket->ssl, ret); if (GITNO_CONNECT_SSL_NO_CHECK_CERT & flags) return 0; return verify_server_cert(&socket->ssl, host); }
void LoadCertificates(SSL_CTX* ctx, char* CertFile, char* KeyFile) { if (SSL_CTX_load_verify_locations(ctx, CertFile, KeyFile) != 1) ERR_print_errors_fp(stderr); if (SSL_CTX_set_default_verify_paths(ctx) != 1) ERR_print_errors_fp(stderr); if (SSL_CTX_use_certificate_file(ctx, CertFile, SSL_FILETYPE_PEM) <= 0) { ERR_print_errors_fp(stderr); abort(); } if (SSL_CTX_use_PrivateKey_file(ctx, KeyFile, SSL_FILETYPE_PEM) <= 0) { ERR_print_errors_fp(stderr); abort(); } if (!SSL_CTX_check_private_key(ctx)) { fprintf(stderr, "Private key does not match the public certificate\n"); abort(); } SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL); }
bool HTTPSClient::initSSL() { #if SSLEAY_VERSION_NUMBER < 0x0800 mpCTX = SSL_CTX_new(); if (mpCTX == NULL) return false; X509_set_default_verify_paths(pCTX->cert); #else SSLeay_add_ssl_algorithms(); mpCTX = SSL_CTX_new(SSLv23_client_method()); SSL_CTX_set_options(pCTX, SSL_OP_ALL); SSL_CTX_set_default_verify_paths(pCTX); #endif /* SSLEAY_VERSION_NUMBER < 0x0800 */ #if SSLEAY_VERSION_NUMBER >= 0x00905100 if (RAND_status() == 0) { time_t t; long l,seed; t = time(NULL); RAND_seed((unsigned char *)&t, sizeof(time_t)); RAND_bytes((unsigned char *)&seed, sizeof(long)); srand(seed); while (RAND_status() == 0) { l = rand(); RAND_seed((unsigned char *)&l, sizeof(long)); } } #endif /* SSLEAY_VERSION_NUMBER >= 0x00905100 */ mpSSL = SSL_new(pCTX); if(!mpSSL) return false; #if SSLEAY_VERSION_NUMBER >= 0x0900 pSSL->options|=SSL_OP_NO_TLSv1; #endif return true; }
/* Initialize the library */ static void tls_init(int verify) { if(_tlsctx) { TLSERROR("Library is already initialized!"); return; } SSL_load_error_strings(); SSL_library_init(); _tlsctx = SSL_CTX_new(TLSv1_method()); if(!_tlsctx) TLSERROR("Couldn't create TLS object.\n"); else { OPENSSLCHECK(SSL_CTX_set_quiet_shutdown(_tlsctx, 1)); OPENSSLCHECK(SSL_CTX_set_info_callback(_tlsctx, NULL)); OPENSSLCHECK(SSL_CTX_load_verify_locations(ctx, CAfile, CApath)); OPENSSLCHECK(SSL_CTX_set_default_verify_paths()); if(verify == GGZ_TLS_VERIFY_PEER) SSL_CTX_set_verify(_tlsctx, SSL_VERIFY_PEER, tls_verify); else SSL_CTX_set_verify(_tlsctx, SSL_VERIFY_NONE, NULL); } openssllist = ggz_list_create(NULL, NULL, NULL, GGZ_LIST_ALLOW_DUPS); }
SSL_CTX *setup_client_ctx (void) { SSL_CTX *ctx; ctx = SSL_CTX_new (SSLv23_method ()); /* Test de la passphrase */ SSL_CTX_set_default_passwd_cb (ctx, passwd_cb); if (SSL_CTX_load_verify_locations (ctx, CAFILE, CADIR) != 1) int_error ("ERREUR DE CHARGEMENT DU FICHIER"); if (SSL_CTX_set_default_verify_paths (ctx) != 1) int_error ("ERREUR DE CHARGEMENT DU FICHIER default CA file"); if (SSL_CTX_use_certificate_chain_file (ctx, CERTFILE) != 1) int_error ("ERREUR DE CHARGEMENT DU CERTIFICAT"); if (SSL_CTX_use_PrivateKey_file (ctx, CERTFILE, SSL_FILETYPE_PEM) != 1) int_error ("ERREUR DE CHARGEMENT DE LA CLEF PRIVE"); SSL_CTX_set_verify (ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback); SSL_CTX_set_verify_depth (ctx, 4); SSL_CTX_set_options (ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_SINGLE_DH_USE); /* SSL_CTX_set_tmp_dh_callback (ctx, tmp_dh_callback); if (SSL_CTX_set_cipher_list (ctx, CIPHER_LIST) != 1) int_error ("ERREUR DE LECTURE DE LA LISTE DE CHIPTER"); */ return (ctx); }
void LoadCertificates(SSL_CTX* ctx, char* CertFile, char* KeyFile) { if (SSL_CTX_load_verify_locations(ctx, CertFile, KeyFile) != 1) ERR_print_errors_fp(stderr); if (SSL_CTX_set_default_verify_paths(ctx) != 1) ERR_print_errors_fp(stderr); /* set the local certificate from CertFile */ if ( SSL_CTX_use_certificate_file(ctx, CertFile, SSL_FILETYPE_PEM) <= 0 ){ ERR_print_errors_fp(stderr); abort(); } /* set the private key from KeyFile (may be the same as CertFile) */ if ( SSL_CTX_use_PrivateKey_file(ctx, KeyFile, SSL_FILETYPE_PEM) <= 0 ){ ERR_print_errors_fp(stderr); abort(); } /* verify private key */ if ( !SSL_CTX_check_private_key(ctx) ){ fprintf(stderr, "Private key does not match the public certificate\n"); abort(); } }
//========================================= // setupClientCTX //----------------------------------------- void SSLClient::setupClientCTX (void) { ctx = SSL_CTX_new(SSLv23_method( )); SSL_CTX_set_default_passwd_cb (ctx, passwd_cb); OpenSSL_add_all_algorithms(); if (SSL_CTX_load_verify_locations( ctx, CAFILE.toLatin1().data(), CADIR) != 1 ) { qerror("Error loading CA file and/or directory"); } if (SSL_CTX_set_default_verify_paths(ctx) != 1) { qerror("Error loading default CA file and/or directory"); } if (SSL_CTX_use_certificate_chain_file( ctx, CLIENT_CERTFILE.toLatin1().data()) != 1 ) { qerror("Error loading certificate from file"); } if (SSL_CTX_use_PrivateKey_file( ctx,CLIENT_CERTFILE.toLatin1().data(),SSL_FILETYPE_PEM ) != 1) { qerror("Error loading private key from file"); } SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_callback); SSL_CTX_set_verify_depth(ctx, 4); SSL_CTX_set_options(ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2); if (SSL_CTX_set_cipher_list(ctx, CIPHER_LIST) != 1) { qerror("Error setting cipher list (no valid ciphers)"); } }
static void init_openssl(struct module *module) { unsigned char f_randfile[PATH_MAX]; /* In a nutshell, on OS's without a /dev/urandom, the OpenSSL library * cannot initialize the PRNG and so every attempt to use SSL fails. * It's actually an OpenSSL FAQ, and according to them, it's up to the * application coders to seed the RNG. -- William Yodlowsky */ RAND_file_name(f_randfile, sizeof(f_randfile)); #ifdef HAVE_RAND_EGD if (RAND_egd(f_randfile) < 0) { /* Not an EGD, so read and write to it */ #endif if (RAND_load_file(f_randfile, -1)) RAND_write_file(f_randfile); #ifdef HAVE_RAND_EGD } #endif SSLeay_add_ssl_algorithms(); context = SSL_CTX_new(SSLv23_client_method()); SSL_CTX_set_options(context, SSL_OP_ALL); SSL_CTX_set_default_verify_paths(context); socket_SSL_ex_data_idx = SSL_get_ex_new_index(0, NULL, NULL, socket_SSL_ex_data_dup, NULL); }
int git_openssl_stream_global_init(void) { #ifdef GIT_OPENSSL long ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; const char *ciphers = git_libgit2__ssl_ciphers(); /* Older OpenSSL and MacOS OpenSSL doesn't have this */ #ifdef SSL_OP_NO_COMPRESSION ssl_opts |= SSL_OP_NO_COMPRESSION; #endif #if OPENSSL_VERSION_NUMBER < 0x10100000L || \ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L) SSL_load_error_strings(); OpenSSL_add_ssl_algorithms(); #else OPENSSL_init_ssl(0, NULL); #endif /* * Load SSLv{2,3} and TLSv1 so that we can talk with servers * which use the SSL hellos, which are often used for * compatibility. We then disable SSL so we only allow OpenSSL * to speak TLSv1 to perform the encryption itself. */ git__ssl_ctx = SSL_CTX_new(SSLv23_method()); SSL_CTX_set_options(git__ssl_ctx, ssl_opts); SSL_CTX_set_mode(git__ssl_ctx, SSL_MODE_AUTO_RETRY); SSL_CTX_set_verify(git__ssl_ctx, SSL_VERIFY_NONE, NULL); if (!SSL_CTX_set_default_verify_paths(git__ssl_ctx)) { SSL_CTX_free(git__ssl_ctx); git__ssl_ctx = NULL; return -1; } if (!ciphers) { ciphers = GIT_SSL_DEFAULT_CIPHERS; } if(!SSL_CTX_set_cipher_list(git__ssl_ctx, ciphers)) { SSL_CTX_free(git__ssl_ctx); git__ssl_ctx = NULL; return -1; } if (init_bio_method() < 0) { SSL_CTX_free(git__ssl_ctx); git__ssl_ctx = NULL; return -1; } #endif git__on_shutdown(shutdown_ssl); return 0; }
SSL_CTX* SSLListener::initSSLContext() { SSL_CTX* ctx = SSL_CTX_new(SSLv23_server_method()); SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2); EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); SSL_CTX_set_tmp_ecdh(ctx,ecdh); EC_KEY_free(ecdh); SSL_CTX_set_default_verify_paths(ctx); return ctx; };
SSL_CTX *initCTX() { SSL_CTX *m_ctx; ERR((m_ctx = SSL_CTX_new(SSLv23_method())) == NULL, COMP("SSL_CTX_new():%1", SSLErrors())) SSL_CTX_set_options(m_ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2); ERR(SSL_CTX_set_default_verify_paths(m_ctx) == 0, COMP("SSL_CTX_set_default_verify_paths():%1", SSLErrors())) return m_ctx; }
static inline int tls_setup(shout_tls_t *tls) { SSL_METHOD *meth; SSL_library_init(); SSL_load_error_strings(); SSLeay_add_all_algorithms(); SSLeay_add_ssl_algorithms(); meth = TLSv1_client_method(); if (!meth) goto error; tls->ssl_ctx = SSL_CTX_new(meth); if (!tls->ssl_ctx) goto error; SSL_CTX_set_default_verify_paths(tls->ssl_ctx); SSL_CTX_load_verify_locations(tls->ssl_ctx, tls->ca_file, tls->ca_directory); SSL_CTX_set_verify(tls->ssl_ctx, SSL_VERIFY_NONE, NULL); if (tls->client_certificate) { if (SSL_CTX_use_certificate_file(tls->ssl_ctx, tls->client_certificate, SSL_FILETYPE_PEM) != 1) goto error; if (SSL_CTX_use_PrivateKey_file(tls->ssl_ctx, tls->client_certificate, SSL_FILETYPE_PEM) != 1) goto error; } if (SSL_CTX_set_cipher_list(tls->ssl_ctx, tls->allowed_ciphers) <= 0) goto error; SSL_CTX_set_mode(tls->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE); SSL_CTX_set_mode(tls->ssl_ctx, SSL_MODE_AUTO_RETRY); tls->ssl = SSL_new(tls->ssl_ctx); if (!tls->ssl) goto error; if (!SSL_set_fd(tls->ssl, tls->socket)) goto error; SSL_set_tlsext_host_name(tls->ssl, tls->host); SSL_set_connect_state(tls->ssl); tls->ssl_ret = SSL_connect(tls->ssl); return SHOUTERR_SUCCESS; error: if (tls->ssl) SSL_free(tls->ssl); if (tls->ssl_ctx) SSL_CTX_free(tls->ssl_ctx); return SHOUTERR_UNSUPPORTED; }
void server_ssl_init(void) { SSLeay_add_ssl_algorithms(); SSL_load_error_strings(); global_server_ssl_context = SSL_CTX_new(SSLv23_server_method()); SSL_CTX_set_mode(global_server_ssl_context, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); if (!SSL_CTX_set_default_verify_paths(global_server_ssl_context)) { panic(0, "can not set default path for server"); } }
SSLContext::SSLContext( Usage usage, const std::string& caLocation, VerificationMode verificationMode, int verificationDepth, bool loadDefaultCAs, const std::string& cipherList): _usage(usage), _mode(verificationMode), _sslContext(0), _extendedVerificationErrorDetails(true) { crypto::initializeEngine(); createSSLContext(); int errCode = 0; if (!caLocation.empty()) { if (fs::isdir(caLocation)) errCode = SSL_CTX_load_verify_locations(_sslContext, 0, fs::transcode(caLocation).c_str()); else errCode = SSL_CTX_load_verify_locations(_sslContext, fs::transcode(caLocation).c_str(), 0); if (errCode != 1) { std::string msg = getLastError(); SSL_CTX_free(_sslContext); throw std::runtime_error(std::string("SSL Error: Cannot load CA file/directory at ") + caLocation + ": " + msg); } } if (loadDefaultCAs) { errCode = SSL_CTX_set_default_verify_paths(_sslContext); if (errCode != 1) { std::string msg = getLastError(); SSL_CTX_free(_sslContext); throw std::runtime_error("SSL Error: Cannot load default CA certificates: " + msg); } } if (isForServerUse()) SSL_CTX_set_verify(_sslContext, verificationMode, &SSLManager::verifyServerCallback); else SSL_CTX_set_verify(_sslContext, verificationMode, &SSLManager::verifyClientCallback); SSL_CTX_set_cipher_list(_sslContext, cipherList.c_str()); SSL_CTX_set_verify_depth(_sslContext, verificationDepth); SSL_CTX_set_mode(_sslContext, SSL_MODE_AUTO_RETRY); SSL_CTX_set_session_cache_mode(_sslContext, SSL_SESS_CACHE_OFF); }
static int ssl_init(GF_DownloadManager *dm, u32 mode) { SSL_METHOD *meth; if (!dm) return 0; /* The SSL has already been initialized. */ if (dm->ssl_ctx) return 1; /* Init the PRNG. If that fails, bail out. */ init_prng(); if (RAND_status() != 1) goto error; SSL_library_init(); SSL_load_error_strings(); SSLeay_add_all_algorithms(); SSLeay_add_ssl_algorithms(); switch (mode) { case 0: meth = SSLv23_client_method(); break; case 1: meth = SSLv2_client_method(); break; case 2: meth = SSLv3_client_method(); break; case 3: meth = TLSv1_client_method(); break; default: goto error; } dm->ssl_ctx = SSL_CTX_new(meth); if (!dm->ssl_ctx) goto error; SSL_CTX_set_default_verify_paths(dm->ssl_ctx); SSL_CTX_load_verify_locations (dm->ssl_ctx, NULL, NULL); /* SSL_VERIFY_NONE instructs OpenSSL not to abort SSL_connect if the certificate is invalid. We verify the certificate separately in ssl_check_certificate, which provides much better diagnostics than examining the error stack after a failed SSL_connect. */ SSL_CTX_set_verify(dm->ssl_ctx, SSL_VERIFY_NONE, NULL); /* Since fd_write unconditionally assumes partial writes (and handles them correctly), allow them in OpenSSL. */ SSL_CTX_set_mode(dm->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE); return 1; error: if (dm->ssl_ctx) SSL_CTX_free(dm->ssl_ctx); dm->ssl_ctx = NULL; return 0; }
static void init_ssl(void) { #ifdef GIT_SSL SSL_load_error_strings(); OpenSSL_add_ssl_algorithms(); /* * Load SSLv{2,3} and TLSv1 so that we can talk with servers * which use the SSL hellos, which are often used for * compatibility. We then disable SSL so we only allow OpenSSL * to speak TLSv1 to perform the encryption itself. */ git__ssl_ctx = SSL_CTX_new(SSLv23_method()); SSL_CTX_set_options(git__ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 /* Older OpenSSL and MacOS OpenSSL doesn't have this */ # ifdef SSL_OP_NO_COMPRESSION | SSL_OP_NO_COMPRESSION # endif ); SSL_CTX_set_mode(git__ssl_ctx, SSL_MODE_AUTO_RETRY); SSL_CTX_set_verify(git__ssl_ctx, SSL_VERIFY_NONE, NULL); if (!SSL_CTX_set_default_verify_paths(git__ssl_ctx)) { SSL_CTX_free(git__ssl_ctx); git__ssl_ctx = NULL; } # ifdef GIT_THREADS { int num_locks, i; num_locks = CRYPTO_num_locks(); openssl_locks = git__calloc(num_locks, sizeof(git_mutex)); if (openssl_locks == NULL) { SSL_CTX_free(git__ssl_ctx); git__ssl_ctx = NULL; } for (i = 0; i < num_locks; i++) { if (git_mutex_init(&openssl_locks[i]) != 0) { SSL_CTX_free(git__ssl_ctx); git__ssl_ctx = NULL; } } CRYPTO_set_locking_callback(openssl_locking_function); } git__on_shutdown(shutdown_ssl); # endif #endif }
/* * we keep local copies of each of the variables so we can properly determine * when something has changed. if neither ca_path nor ca_file is set, then we * load the default paths. */ void ssl_setup_certs(u_char *dummy) { #ifdef USE_OPENSSL if (!ssl_ctx) return; static u_char *ca_file; static u_char *ca_path; static u_char *chain_file; static u_char *private_key_file; u_char *cur_ca_file = get_string_var(SSL_CA_FILE_VAR); u_char *cur_ca_path = get_string_var(SSL_CA_PATH_VAR); u_char *cur_chain_file = get_string_var(SSL_CA_CHAIN_FILE_VAR); u_char *cur_private_key_file = get_string_var(SSL_CA_PRIVATE_KEY_FILE_VAR); if (ca_file != cur_ca_file || ca_path != cur_ca_path) { ca_file = cur_ca_file; ca_path = cur_ca_path; Debug(DB_SSL, "calling SSL_CTX_load_verify_locations(%s, %s)", ca_file, ca_path); SSL_CTX_load_verify_locations(ssl_ctx, CP(ca_file), CP(ca_path)); } if (!ca_path && !ca_file) SSL_CTX_set_default_verify_paths(ssl_ctx); if (chain_file != cur_chain_file) { chain_file = cur_chain_file; Debug(DB_SSL, "calling SSL_CTX_use_certificate_chain_file(%s)", chain_file); SSL_CTX_use_certificate_chain_file(ssl_ctx, CP(chain_file)); } if (private_key_file != cur_private_key_file) { private_key_file = cur_private_key_file; Debug(DB_SSL, "calling SSL_CTX_use_PrivateKey_file(%s)", private_key_file); SSL_CTX_use_PrivateKey_file(ssl_ctx, CP(private_key_file), SSL_FILETYPE_PEM); } #endif }
static int BSslSetupVerify(SSL_CTX *pSCtx, SslServerBind const *pSSLB) { char const *pszKeyFile = pSSLB->pszKeyFile; if (pSSLB->pszCertFile != NULL) { if (SSL_CTX_use_certificate_chain_file(pSCtx, pSSLB->pszCertFile) <= 0) { ErrSetErrorCode(ERR_SSL_SETCERT, pSSLB->pszCertFile); return ERR_SSL_SETCERT; } if (pszKeyFile == NULL) pszKeyFile = pSSLB->pszCertFile; } if (pszKeyFile != NULL) { if (SSL_CTX_use_PrivateKey_file(pSCtx, pszKeyFile, SSL_FILETYPE_PEM) <= 0) { ErrSetErrorCode(ERR_SSL_SETKEY, pszKeyFile); return ERR_SSL_SETKEY; } if (!SSL_CTX_check_private_key(pSCtx)) { ErrSetErrorCode(ERR_SSL_CHECKKEY, pszKeyFile); return ERR_SSL_CHECKKEY; } } if (pSSLB->ulFlags & BSSLF_WANT_VERIFY) { int iVerMode = SSL_VERIFY_PEER; if (pSSLB->ulFlags & BSSLF_WANT_CERT) iVerMode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; SSL_CTX_set_verify(pSCtx, iVerMode, BSslCertVerifyCB); if (pSSLB->iMaxDepth > 0) SSL_CTX_set_verify_depth(pSCtx, pSSLB->iMaxDepth); SSL_CTX_set_app_data(pSCtx, pSSLB); if (pSSLB->pszCAFile != NULL || pSSLB->pszCAPath != NULL) { if (!SSL_CTX_load_verify_locations(pSCtx, pSSLB->pszCAFile, pSSLB->pszCAPath)) { ErrSetErrorCode(ERR_SSL_VERPATHS); return ERR_SSL_VERPATHS; } } else if (!SSL_CTX_set_default_verify_paths(pSCtx)) { ErrSetErrorCode(ERR_SSL_VERPATHS); return ERR_SSL_VERPATHS; } } return 0; }
SSL_CTX *setup_client_ctx(void) { SSL_CTX *ctx; ctx = SSL_CTX_new(SSLv23_method( )); if (SSL_CTX_load_verify_locations(ctx, CAFILE, CADIR) != 1) int_error("Error loading CA file and/or directory"); if (SSL_CTX_set_default_verify_paths(ctx) != 1) int_error("Error loading default CA file and/or directory"); if (SSL_CTX_use_certificate_chain_file(ctx, CERTFILE) != 1) int_error("Error loading certificate from file"); if (SSL_CTX_use_PrivateKey_file(ctx, CERTFILE, SSL_FILETYPE_PEM) != 1) int_error("Error loading private key from file"); SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_callback); SSL_CTX_set_verify_depth(ctx, 4); return ctx; }
extern SSL_CTX * MakeSSL_CTX_PKCS11( ENGINE **e, char *pkcs11, char *slotstr, char *cafile, char *capath, char *ciphers) { SSL_CTX *ctx; int mode = SSL_VERIFY_NONE; if ((ctx = SSL_CTX_new(SSLv23_method())) == NULL){ SSL_Error(_d("SSL_CTX_new failure:\n %s\n"), GetSSLErrorString()); return NULL; } if (!SSL_CTX_set_cipher_list(ctx, ciphers)){ SSL_Error(_d("SSL_CTX_set_cipher_list(%s) failure:\n %s\n"), ciphers, GetSSLErrorString()); SSL_CTX_free(ctx); return NULL; } mode = SSL_VERIFY_PEER; mode |= SSL_VERIFY_CLIENT_ONCE; SSL_CTX_set_verify(ctx, mode, RemoteVerifyCallBack); SSL_CTX_set_options(ctx, SSL_OP_ALL); if ((cafile == NULL) && (capath == NULL)){ if (!SSL_CTX_set_default_verify_paths(ctx)){ SSL_Error(_d("SSL_CTX_set_default_verify_paths error:\n %s\n"), GetSSLErrorString()); } } else if (!SSL_CTX_load_verify_locations(ctx, cafile, capath)){ if (cafile == NULL) cafile = capath; SSL_Error(_d("SSL_CTX_load_verify_locations(%s)\n"), cafile); SSL_CTX_free(ctx); return NULL; } if (LoadEnginePKCS11(ctx, e, pkcs11, slotstr)) return ctx; return NULL; }
void _lm_ssl_initialize (LmSSL *ssl) { static gboolean initialized = FALSE; /*const char *cert_file = NULL;*/ if (!initialized) { SSL_library_init(); /* FIXME: Is this needed when we are not in debug? */ SSL_load_error_strings(); initialized = TRUE; } ssl->ssl_method = TLSv1_client_method(); if (ssl->ssl_method == NULL) { g_log (LM_LOG_DOMAIN, LM_LOG_LEVEL_SSL, "TLSv1_client_method() == NULL"); abort(); } ssl->ssl_ctx = SSL_CTX_new(ssl->ssl_method); if (ssl->ssl_ctx == NULL) { g_log (LM_LOG_DOMAIN, LM_LOG_LEVEL_SSL, "SSL_CTX_new() == NULL"); abort(); } /* Set the NO_TICKET option on the context to allow for talk to Google Talk * which apparently seems to be having a problem handling empty session * tickets due to a bug in Java. * * See http://twistedmatrix.com/trac/ticket/3463 and * Loudmouth [#28]. */ SSL_CTX_set_options (ssl->ssl_ctx, SSL_OP_NO_TICKET); /*if (access("/etc/ssl/cert.pem", R_OK) == 0) cert_file = "/etc/ssl/cert.pem"; if (!SSL_CTX_load_verify_locations(ssl->ssl_ctx, cert_file, "/etc/ssl/certs")) { g_warning("SSL_CTX_load_verify_locations() failed"); }*/ SSL_CTX_set_default_verify_paths (ssl->ssl_ctx); SSL_CTX_set_verify (ssl->ssl_ctx, SSL_VERIFY_PEER, ssl_verify_cb); }
/** * oh_ssl_ctx_init * * Create a new SSL_CTX object as a framework for TLS/SSL enabled functions. * In particular: * - Creates a new CTX object with default option values * - Sets common compatibility options * - Sets the default locations for trusted CA certificates. * SSL_CTX_set_default_verify_paths() is used to add system-wide default * certificate paths to the verify CApath without having to specify a * default location. The intent is that the distribution's configured * location will be used. * * Return value: pointer to SSL_CTX or NULL for failure **/ SSL_CTX *oh_ssl_ctx_init() { SSL_CTX *ctx; ctx = SSL_CTX_new(SSLv23_client_method()); if (ctx == NULL) { err("SSL_CTX_new() failed"); return(NULL); } SSL_CTX_set_options(ctx, SSL_OP_TLS_ROLLBACK_BUG | SSL_OP_ALL); if (! SSL_CTX_set_default_verify_paths(ctx)) { err("SSL_CTX_set_default_verify_paths() failed"); return(NULL); } return(ctx); }
SSL* imap_create_ssl(void) { SSL *ssl; g_mutex_lock(&global_tls_lock); if(!global_ssl_context) { /* Initialize OpenSSL library, follow "Network Security with OpenSSL", ISBN 0-596-00270-X, guidelines. Example 4-2. */ imaptls_thread_setup(); SSL_library_init(); SSL_load_error_strings(); #if 0 global_ssl_context = SSL_CTX_new (TLSv1_client_method ()); #else /* Note: SSLv23_client_method() actually enables *all* protocols, including * SSLv(2|3) and TLSv1.(0|1|2), so we must switch all unsafe ones off */ global_ssl_context = SSL_CTX_new (SSLv23_client_method ()); #ifdef ENABLE_SSL3 SSL_CTX_set_options(global_ssl_context, SSL_OP_ALL|SSL_OP_NO_SSLv2); #else SSL_CTX_set_options(global_ssl_context, SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3); #endif #endif /* no client certificate password support yet * SSL_CTX_set_default_passwd_cb (ctx, ctx_password_cb); * SSL_CTX_set_default_passwd_cb_userdata (ctx, ctx_password_cb_arg); */ /* Load the trusted CAs here. We just trust the system CA for the moment but we could try to be compatible with libESMTP in this respect. */ SSL_CTX_set_default_verify_paths (global_ssl_context); } g_mutex_unlock(&global_tls_lock); ssl = SSL_new(global_ssl_context); /* setup client certificates here */ return ssl; }
void PosixSslServerSocket::loadCertificates( const std::string & certificateFile, const std::string & keyFile ) { SSL_CTX * sslContext; int rc; sslContext = SSL_CTX_new(SSLv3_server_method()); rc = SSL_CTX_load_verify_locations(sslContext,certificateFile.c_str(),keyFile.c_str()); if( rc <= 0 ) ERR_print_errors_fp(stdout); rc = SSL_CTX_set_default_verify_paths(sslContext); if( rc <= 0 ) ERR_print_errors_fp(stdout); rc = SSL_CTX_use_certificate_file(sslContext,certificateFile.c_str(),SSL_FILETYPE_PEM); if( rc <= 0 ) ERR_print_errors_fp(stdout); rc = SSL_CTX_use_PrivateKey_file(sslContext,keyFile.c_str(),SSL_FILETYPE_PEM); if( rc <= 0 ) ERR_print_errors_fp(stdout); setSslContext(sslContext); }