bool SSLManager::_initSSLContext(SSL_CTX** context, const Params& params) {
*context = SSL_CTX_new(SSLv23_method());
massert(15864,
mongoutils::str::stream() << "can't create SSL Context: " <<
getSSLErrorMessage(ERR_get_error()),
context);
// SSL_OP_ALL - Activate all bug workaround options, to support buggy client SSL's.
// SSL_OP_NO_SSLv2 - Disable SSL v2 support
SSL_CTX_set_options(*context, SSL_OP_ALL|SSL_OP_NO_SSLv2);
// If renegotiation is needed, don't return from recv() or send() until it's successful.
// Note: this is for blocking sockets only.
SSL_CTX_set_mode(*context, SSL_MODE_AUTO_RETRY);
// Set context within which session can be reused
int status = SSL_CTX_set_session_id_context(
*context,
static_cast<unsigned char*>(static_cast<void*>(context)),
sizeof(*context));
if (!status) {
error() << "failed to set session id context: " <<
getSSLErrorMessage(ERR_get_error()) << endl;
return false;
}
// Use the clusterfile for internal outgoing SSL connections if specified
if (context == &_clientContext && !params.clusterfile.empty()) {
EVP_set_pw_prompt("Enter cluster certificate passphrase");
if (!_setupPEM(*context, params.clusterfile, params.clusterpwd)) {
return false;
}
}
// Use the pemfile for everything else
else if (!params.pemfile.empty()) {
EVP_set_pw_prompt("Enter PEM passphrase");
if (!_setupPEM(*context, params.pemfile, params.pempwd)) {
return false;
}
}
if (!params.cafile.empty()) {
// Set up certificate validation with a certificate authority
if (!_setupCA(*context, params.cafile)) {
return false;
}
}
if (!params.crlfile.empty()) {
if (!_setupCRL(*context, params.crlfile)) {
return false;
}
}
return true;
}
SSLManager::SSLManager(const Params& params) :
_validateCertificates(false),
_weakValidation(params.weakCertificateValidation) {
SSL_library_init();
SSL_load_error_strings();
ERR_load_crypto_strings();
if (params.fipsMode) {
_setupFIPS();
}
// Add all digests and ciphers to OpenSSL's internal table
// so that encryption/decryption is backwards compatible
OpenSSL_add_all_algorithms();
_context = SSL_CTX_new(SSLv23_method());
massert(15864,
mongoutils::str::stream() << "can't create SSL Context: " <<
_getSSLErrorMessage(ERR_get_error()),
_context);
// Activate all bug workaround options, to support buggy client SSL's.
SSL_CTX_set_options(_context, SSL_OP_ALL);
// If renegotiation is needed, don't return from recv() or send() until it's successful.
// Note: this is for blocking sockets only.
SSL_CTX_set_mode(_context, SSL_MODE_AUTO_RETRY);
// Set context within which session can be reused
int status = SSL_CTX_set_session_id_context(
_context,
static_cast<unsigned char*>(static_cast<void*>(&_context)),
sizeof(_context));
if (!status) {
uasserted(16768,"ssl initialization problem");
}
SSLThreadInfo::init();
SSLThreadInfo::get();
if (!params.pemfile.empty()) {
if (!_setupPEM(params.pemfile, params.pempwd)) {
uasserted(16562, "ssl initialization problem");
}
}
if (!params.cafile.empty()) {
// Set up certificate validation with a certificate authority
if (!_setupCA(params.cafile)) {
uasserted(16563, "ssl initialization problem");
}
}
if (!params.crlfile.empty()) {
if (!_setupCRL(params.crlfile)) {
uasserted(16582, "ssl initialization problem");
}
}
}
