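// Create and configure one SSL_CTX (server or client side) from `params`.
//
// context: receives the newly created SSL_CTX. The cluster-file branch below
//          compares this pointer against &_clientContext, so callers are expected
//          to pass the address of one of the manager's context members.
// params:  PEM/cluster certificate files and passphrases, CA file, CRL file.
//
// Returns false (after logging) when any configuration step fails; the
// partially configured context is left in *context for the caller to dispose of.
// Asserts (15864) if the SSL_CTX itself cannot be allocated.
bool SSLManager::_initSSLContext(SSL_CTX** context, const Params& params) {
    *context = SSL_CTX_new(SSLv23_method());
    // Check the context that was just created, not the out-parameter pointer:
    // `context` itself is never NULL, so the previous check could not fire and a
    // failed SSL_CTX_new() would have been passed on as a NULL context.
    massert(15864,
            mongoutils::str::stream() << "can't create SSL Context: "
                                      << getSSLErrorMessage(ERR_get_error()),
            *context);

    // SSL_OP_ALL - Activate all bug workaround options, to support buggy client SSL's.
    //              NOTE(review): SSL_OP_ALL includes SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS,
    //              which switches off OpenSSL's CBC empty-fragment countermeasure;
    //              worth keeping in mind if CBC cipher suites remain enabled.
    // SSL_OP_NO_SSLv2 - Disable SSL v2 support
    SSL_CTX_set_options(*context, SSL_OP_ALL | SSL_OP_NO_SSLv2);

    // If renegotiation is needed, don't return from recv() or send() until it's successful.
    // Note: this is for blocking sockets only.
    SSL_CTX_set_mode(*context, SSL_MODE_AUTO_RETRY);

    // Set context within which session can be reused. The bytes of the SSL_CTX*
    // value itself serve as the id, so each context gets a distinct session id context.
    int status = SSL_CTX_set_session_id_context(
            *context,
            static_cast<unsigned char*>(static_cast<void*>(context)),
            sizeof(*context));
    if (!status) {
        error() << "failed to set session id context: "
                << getSSLErrorMessage(ERR_get_error()) << endl;
        return false;
    }

    // Use the clusterfile for internal outgoing SSL connections if specified
    if (context == &_clientContext && !params.clusterfile.empty()) {
        EVP_set_pw_prompt("Enter cluster certificate passphrase");
        if (!_setupPEM(*context, params.clusterfile, params.clusterpwd)) {
            return false;
        }
    }
    // Use the pemfile for everything else
    else if (!params.pemfile.empty()) {
        EVP_set_pw_prompt("Enter PEM passphrase");
        if (!_setupPEM(*context, params.pemfile, params.pempwd)) {
            return false;
        }
    }

    if (!params.cafile.empty()) {
        // Set up certificate validation with a certificate authority
        if (!_setupCA(*context, params.cafile)) {
            return false;
        }
    }

    if (!params.crlfile.empty()) {
        if (!_setupCRL(*context, params.crlfile)) {
            return false;
        }
    }

    return true;
}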
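// Initialize the OpenSSL library state and build the single SSL_CTX this
// manager owns, configured from `params` (PEM file/passphrase, CA file, CRL
// file, FIPS mode, weak certificate validation).
//
// Throws via uasserted() (16768, 16562, 16563, 16582) when a configuration step
// fails. Because a throwing constructor never runs the destructor, the context
// is freed before each throw so a failed construction does not leak it.
// Asserts (15864) if the SSL_CTX cannot be allocated.
SSLManager::SSLManager(const Params& params) :
    _validateCertificates(false),
    _weakValidation(params.weakCertificateValidation) {
    SSL_library_init();
    SSL_load_error_strings();
    ERR_load_crypto_strings();

    if (params.fipsMode) {
        _setupFIPS();
    }

    // Add all digests and ciphers to OpenSSL's internal table
    // so that encryption/decryption is backwards compatible
    OpenSSL_add_all_algorithms();

    _context = SSL_CTX_new(SSLv23_method());
    massert(15864,
            mongoutils::str::stream() << "can't create SSL Context: "
                                      << _getSSLErrorMessage(ERR_get_error()),
            _context);

    // SSL_OP_ALL - Activate all bug workaround options, to support buggy client SSL's.
    // SSL_OP_NO_SSLv2 - Disable SSL v2 support, as _initSSLContext already does;
    //                   nothing here needs the obsolete protocol version.
    SSL_CTX_set_options(_context, SSL_OP_ALL | SSL_OP_NO_SSLv2);

    // If renegotiation is needed, don't return from recv() or send() until it's successful.
    // Note: this is for blocking sockets only.
    SSL_CTX_set_mode(_context, SSL_MODE_AUTO_RETRY);

    // Set context within which session can be reused; the bytes of the SSL_CTX*
    // value itself serve as the id.
    int status = SSL_CTX_set_session_id_context(
            _context,
            static_cast<unsigned char*>(static_cast<void*>(&_context)),
            sizeof(_context));
    if (!status) {
        SSL_CTX_free(_context);
        _context = NULL;
        uasserted(16768, "ssl initialization problem");
    }

    SSLThreadInfo::init();
    SSLThreadInfo::get();

    if (!params.pemfile.empty()) {
        if (!_setupPEM(params.pemfile, params.pempwd)) {
            SSL_CTX_free(_context);
            _context = NULL;
            uasserted(16562, "ssl initialization problem");
        }
    }

    if (!params.cafile.empty()) {
        // Set up certificate validation with a certificate authority
        if (!_setupCA(params.cafile)) {
            SSL_CTX_free(_context);
            _context = NULL;
            uasserted(16563, "ssl initialization problem");
        }
    }

    if (!params.crlfile.empty()) {
        if (!_setupCRL(params.crlfile)) {
            SSL_CTX_free(_context);
            _context = NULL;
            uasserted(16582, "ssl initialization problem");
        }
    }
}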