int ircd_client_init_ssl(struct ircd_client* const client) { if (ssl_init(&client->ssl_ctx) != 0) return -1; // We are a server (void) ssl_set_endpoint(&client->ssl_ctx, SSL_IS_SERVER); // Tell the library how to send and receive data to the client (void) ssl_set_bio(&client->ssl_ctx, net_recv, &client->fd, net_send, &client->fd); // Tell the library how to generate random data for the client (e.g. session ticket encryption key) (void) ssl_set_rng(&client->ssl_ctx, hmac_drbg_random, &ircd_ssl_hmac_drbg_ctx); // Normally DHE- ciphersuites are enabled anyway, but do so with a stronger prime (void) ssl_set_dh_param_ctx(&client->ssl_ctx, &ircd_ssl_dh_ctx); // To request (but not require) a certificate from the client (void) ssl_set_authmode(&client->ssl_ctx, SSL_VERIFY_OPTIONAL); //(void) ssl_set_ca_chain(&client->ssl_ctx, &ircd_ssl_ca_certificates, NULL, NULL); (void) ssl_set_ca_chain(&client->ssl_ctx, &ircd_ssl_certificate, NULL, NULL); // To test if the client supports RC4 (bad, in violation of TLS standards; see RFC 7465) (void) ssl_set_arc4_support(&client->ssl_ctx, SSL_ARC4_ENABLED); // To test if the client supports SNI (good) (void) ssl_set_sni(&client->ssl_ctx, ircd_server_ssl_sni_cb, (void*) client); // To test if the client supports Session Tickets (concerning) (void) ssl_set_session_tickets(&client->ssl_ctx, SSL_SESSION_TICKETS_ENABLED); (void) ssl_set_session_ticket_lifetime(&client->ssl_ctx, 300); // We could do this in the SNI callback, but that would require all clients to support SNI (void) ssl_set_own_cert(&client->ssl_ctx, &ircd_ssl_certificate, &ircd_ssl_private_key); #ifdef POLARSSL_SSL_CIPHERSUITES_CB // This is an addition of mine to the library - see the patch in patches/ (void) ssl_set_cs_cb(&client->ssl_ctx, ircd_server_ssl_cs_cb, (void*) client); #endif #ifdef POLARSSL_SSL_TICKETS_CB // This is an addition of mine to the library - see the patch in patches/ (void) ssl_set_tick_cb(&client->ssl_ctx, ircd_server_ssl_tick_cb, (void*) client); #endif return 0; }
ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags) { ngx_ssl_connection_t *sc; ngx_ssl_conn_t *ssl_ctx; ngx_ssl_session_cache_t *cache; int sslerr; sc = ngx_pcalloc(c->pool, sizeof(ngx_ssl_connection_t)); if (sc == NULL) { return NGX_ERROR; } sc->buffer = ((flags % NGX_SSL_BUFFER) != 0); /* Allocate the PolarSSL context */ ssl_ctx = ngx_pcalloc(c->pool, sizeof(ngx_ssl_conn_t)); if (sc == NULL) { return NGX_ERROR; } /* * Initialize this PolarSSL context * * Note: We also setup the options traditionally set in ngx_ssl_create * here since each ssl_ctx is unique to each fd. */ sslerr = ssl_init(ssl_ctx); if (sslerr != 0) { ngx_mbedtls_error(NGX_LOG_ALERT, ssl->log, 0, sslerr, "ssl_init failed"); return NGX_ERROR; } if (flags & NGX_SSL_CLIENT) { ssl_set_endpoint(ssl_ctx, SSL_IS_CLIENT); if (ssl->have_own_cert) { ssl_set_own_cert(ssl_ctx, &ssl->own_cert, &ssl->own_key); } } else { ssl_set_endpoint(ssl_ctx, SSL_IS_SERVER); ssl_set_own_cert(ssl_ctx, &ssl->own_cert, &ssl->own_key); } if (ssl->have_ca_cert) { if (ssl->have_ca_crl) { ssl_set_ca_chain(ssl_ctx, &ssl->ca_cert, &ssl->ca_crl, NULL); } else { ssl_set_ca_chain(ssl_ctx, &ssl->ca_cert, NULL, NULL); } /* * ngx_event_openssl has the callback rigged to allow the handshake * to continue even if verification fails. We shall do the same. */ ssl_set_authmode(ssl_ctx, SSL_VERIFY_OPTIONAL); } else { ssl_set_authmode(ssl_ctx, SSL_VERIFY_NONE); } ssl_set_min_version(ssl_ctx, SSL_MAJOR_VERSION_3, ssl->minor_min); ssl_set_max_version(ssl_ctx, SSL_MAJOR_VERSION_3, ssl->minor_max); ssl_set_renegotiation(ssl_ctx, SSL_RENEGOTIATION_ENABLED); ssl_legacy_renegotiation(ssl_ctx, SSL_LEGACY_NO_RENEGOTIATION); ssl_set_rng(ssl_ctx, ngx_mbedtls_rng, &ngx_ctr_drbg); ssl_set_bio(ssl_ctx, net_recv, &c->fd, net_send, &c->fd); ssl_set_dh_param_ctx(ssl_ctx, &ssl->dhm_ctx); ssl_set_ciphersuites(ssl_ctx, ssl->ciphersuites); if (ssl->builtin_session_cache == NGX_SSL_NONE_SCACHE) { ssl_set_session_cache(ssl_ctx, ngx_mbedtls_get_cache, NULL, ngx_mbedtls_set_cache, NULL); } if (ssl->builtin_session_cache != NGX_SSL_NO_SCACHE) { cache = ssl->cache_shm_zone->data; cache->ttl = ssl->cache_ttl; ssl_set_session_cache(ssl_ctx, ngx_mbedtls_get_cache, ssl->cache_shm_zone, ngx_mbedtls_set_cache, ssl->cache_shm_zone); } if (ssl->sni_fn) { ssl_set_sni(ssl_ctx, ssl->sni_fn, c); } /* All done, the connection is good to go now */ sc->connection = ssl_ctx; c->ssl = sc; return NGX_OK; }