本文整理汇总了C++中SSL_CTX_load_verify_locations函数的典型用法代码示例。如果您正苦于以下问题:C++ SSL_CTX_load_verify_locations函数的具体用法?C++ SSL_CTX_load_verify_locations怎么用?C++ SSL_CTX_load_verify_locations使用的例子?那么, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了SSL_CTX_load_verify_locations函数的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的C++代码示例。
示例1: SSLSocket_createContext
int SSLSocket_createContext(networkHandles* net, MQTTClient_SSLOptions* opts)
{
int rc = 1;
char* ciphers = NULL;
FUNC_ENTRY;
if (net->ctx == NULL)
if ((net->ctx = SSL_CTX_new(SSLv23_client_method())) == NULL) /* SSLv23 for compatibility with SSLv2, SSLv3 and TLSv1 */
{
SSLSocket_error("SSL_CTX_new", NULL, net->socket, rc);
goto exit;
}
if (opts->keyStore)
{
if ((rc = SSL_CTX_use_certificate_chain_file(net->ctx, opts->keyStore)) != 1)
{
SSLSocket_error("SSL_CTX_use_certificate_chain_file", NULL, net->socket, rc);
goto free_ctx; /*If we can't load the certificate (chain) file then loading the privatekey won't work either as it needs a matching cert already loaded */
}
if (opts->privateKey == NULL)
opts->privateKey = opts->keyStore; /* the privateKey can be included in the keyStore */
if (opts->privateKeyPassword != NULL)
{
SSL_CTX_set_default_passwd_cb(net->ctx, pem_passwd_cb);
SSL_CTX_set_default_passwd_cb_userdata(net->ctx, (void*)opts->privateKeyPassword);
}
/* support for ASN.1 == DER format? DER can contain only one certificate? */
if ((rc = SSL_CTX_use_PrivateKey_file(net->ctx, opts->privateKey, SSL_FILETYPE_PEM)) != 1)
{
SSLSocket_error("SSL_CTX_use_PrivateKey_file", NULL, net->socket, rc);
goto free_ctx;
}
}
if (opts->trustStore)
{
if ((rc = SSL_CTX_load_verify_locations(net->ctx, opts->trustStore, NULL)) != 1)
{
SSLSocket_error("SSL_CTX_load_verify_locations", NULL, net->socket, rc);
goto free_ctx;
}
}
else if ((rc = SSL_CTX_set_default_verify_paths(net->ctx)) != 1)
{
SSLSocket_error("SSL_CTX_set_default_verify_paths", NULL, net->socket, rc);
goto free_ctx;
}
if (opts->enabledCipherSuites == NULL)
ciphers = "DEFAULT";
else
ciphers = opts->enabledCipherSuites;
if ((rc = SSL_CTX_set_cipher_list(net->ctx, ciphers)) != 1)
{
SSLSocket_error("SSL_CTX_set_cipher_list", NULL, net->socket, rc);
goto free_ctx;
}
SSL_CTX_set_mode(net->ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
goto exit;
free_ctx:
SSL_CTX_free(net->ctx);
net->ctx = NULL;
exit:
FUNC_EXIT_RC(rc);
return rc;
}示例2: cyassl_connect_step1
/*
* This function loads all the client/CA certificates and CRLs. Setup the TLS
* layer and do all necessary magic.
*/
static CURLcode
cyassl_connect_step1(struct connectdata *conn,
int sockindex)
{
struct SessionHandle *data = conn->data;
struct ssl_connect_data* conssl = &conn->ssl[sockindex];
SSL_METHOD* req_method = NULL;
void* ssl_sessionid = NULL;
curl_socket_t sockfd = conn->sock[sockindex];
if(conssl->state == ssl_connection_complete)
return CURLE_OK;
/* CyaSSL doesn't support SSLv2 */
if(data->set.ssl.version == CURL_SSLVERSION_SSLv2) {
failf(data, "CyaSSL does not support SSLv2");
return CURLE_SSL_CONNECT_ERROR;
}
/* check to see if we've been told to use an explicit SSL/TLS version */
switch(data->set.ssl.version) {
case CURL_SSLVERSION_DEFAULT:
/* we try to figure out version */
req_method = SSLv23_client_method();
break;
case CURL_SSLVERSION_TLSv1:
req_method = TLSv1_client_method();
break;
case CURL_SSLVERSION_SSLv3:
req_method = SSLv3_client_method();
break;
default:
req_method = TLSv1_client_method();
}
if(!req_method) {
failf(data, "SSL: couldn't create a method!");
return CURLE_OUT_OF_MEMORY;
}
if(conssl->ctx)
SSL_CTX_free(conssl->ctx);
conssl->ctx = SSL_CTX_new(req_method);
if(!conssl->ctx) {
failf(data, "SSL: couldn't create a context!");
return CURLE_OUT_OF_MEMORY;
}
#ifndef NO_FILESYSTEM
/* load trusted cacert */
if(data->set.str[STRING_SSL_CAFILE]) {
if(!SSL_CTX_load_verify_locations(conssl->ctx,
data->set.str[STRING_SSL_CAFILE],
data->set.str[STRING_SSL_CAPATH])) {
if(data->set.ssl.verifypeer) {
/* Fail if we insiste on successfully verifying the server. */
failf(data,"error setting certificate verify locations:\n"
" CAfile: %s\n CApath: %s",
data->set.str[STRING_SSL_CAFILE]?
data->set.str[STRING_SSL_CAFILE]: "none",
data->set.str[STRING_SSL_CAPATH]?
data->set.str[STRING_SSL_CAPATH] : "none");
return CURLE_SSL_CACERT_BADFILE;
}
else {
/* Just continue with a warning if no strict certificate
verification is required. */
infof(data, "error setting certificate verify locations,"
" continuing anyway:\n");
}
}
else {
/* Everything is fine. */
infof(data, "successfully set certificate verify locations:\n");
}
infof(data,
" CAfile: %s\n"
" CApath: %s\n",
data->set.str[STRING_SSL_CAFILE] ? data->set.str[STRING_SSL_CAFILE]:
"none",
data->set.str[STRING_SSL_CAPATH] ? data->set.str[STRING_SSL_CAPATH]:
"none");
}
/* Load the client certificate, and private key */
if(data->set.str[STRING_CERT] && data->set.str[STRING_KEY]) {
int file_type = do_file_type(data->set.str[STRING_CERT_TYPE]);
if(SSL_CTX_use_certificate_file(conssl->ctx, data->set.str[STRING_CERT],
file_type) != 1) {
failf(data, "unable to use client certificate (no key or wrong pass"
" phrase?)");
return CURLE_SSL_CONNECT_ERROR;
}
//.........这里部分代码省略.........
示例3: __ssl_setup
static int __ssl_setup(struct ast_tls_config *cfg, int client)
{
#ifndef DO_SSL
cfg->enabled = 0;
return 0;
#else
if (!cfg->enabled)
return 0;
SSL_load_error_strings();
SSLeay_add_ssl_algorithms();
if (client) {
#ifndef OPENSSL_NO_SSL2
if (ast_test_flag(&cfg->flags, AST_SSL_SSLV2_CLIENT)) {
cfg->ssl_ctx = SSL_CTX_new(SSLv2_client_method());
} else
#endif
if (ast_test_flag(&cfg->flags, AST_SSL_SSLV3_CLIENT)) {
cfg->ssl_ctx = SSL_CTX_new(SSLv3_client_method());
} else if (ast_test_flag(&cfg->flags, AST_SSL_TLSV1_CLIENT)) {
cfg->ssl_ctx = SSL_CTX_new(TLSv1_client_method());
} else {
/* SSLv23_client_method() sends SSLv2, this was the original
* default for ssl clients before the option was given to
* pick what protocol a client should use. In order not
* to break expected behavior it remains the default. */
cfg->ssl_ctx = SSL_CTX_new(SSLv23_client_method());
}
} else {
/* SSLv23_server_method() supports TLSv1, SSLv2, and SSLv3 inbound connections. */
cfg->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
}
if (!cfg->ssl_ctx) {
ast_debug(1, "Sorry, SSL_CTX_new call returned null...\n");
cfg->enabled = 0;
return 0;
}
if (!ast_strlen_zero(cfg->certfile)) {
char *tmpprivate = ast_strlen_zero(cfg->pvtfile) ? cfg->certfile : cfg->pvtfile;
if (SSL_CTX_use_certificate_file(cfg->ssl_ctx, cfg->certfile, SSL_FILETYPE_PEM) == 0) {
if (!client) {
/* Clients don't need a certificate, but if its setup we can use it */
ast_verb(0, "SSL error loading cert file. <%s>", cfg->certfile);
sleep(2);
cfg->enabled = 0;
return 0;
}
}
if ((SSL_CTX_use_PrivateKey_file(cfg->ssl_ctx, tmpprivate, SSL_FILETYPE_PEM) == 0) || (SSL_CTX_check_private_key(cfg->ssl_ctx) == 0 )) {
if (!client) {
/* Clients don't need a private key, but if its setup we can use it */
ast_verb(0, "SSL error loading private key file. <%s>", tmpprivate);
sleep(2);
cfg->enabled = 0;
return 0;
}
}
}
if (!ast_strlen_zero(cfg->cipher)) {
if (SSL_CTX_set_cipher_list(cfg->ssl_ctx, cfg->cipher) == 0 ) {
if (!client) {
ast_verb(0, "SSL cipher error <%s>", cfg->cipher);
sleep(2);
cfg->enabled = 0;
return 0;
}
}
}
if (!ast_strlen_zero(cfg->cafile) || !ast_strlen_zero(cfg->capath)) {
if (SSL_CTX_load_verify_locations(cfg->ssl_ctx, S_OR(cfg->cafile, NULL), S_OR(cfg->capath,NULL)) == 0)
ast_verb(0, "SSL CA file(%s)/path(%s) error\n", cfg->cafile, cfg->capath);
}
ast_verb(0, "SSL certificate ok\n");
return 1;
#endif
}示例4: tls_init_context
static
int tls_init_context(tls_t *tls, tls_issues_t const *ti)
{
int verify;
static int random_loaded;
ONCE_INIT(tls_init_once);
if (!random_loaded) {
random_loaded = 1;
if (ti->randFile &&
!RAND_load_file(ti->randFile, 1024 * 1024)) {
if (ti->configured > 1) {
SU_DEBUG_3(("%s: cannot open randFile %s\n",
"tls_init_context", ti->randFile));
tls_log_errors(3, "tls_init_context", 0);
}
/* errno = EIO; */
/* return -1; */
}
}
#if HAVE_SIGPIPE
/* Avoid possible SIGPIPE when sending close_notify */
signal(SIGPIPE, SIG_IGN);
#endif
if (tls->ctx == NULL) {
const SSL_METHOD *meth;
/* meth = SSLv3_method(); */
/* meth = SSLv23_method(); */
if (ti->version)
meth = TLSv1_method();
else
meth = SSLv23_method();
tls->ctx = SSL_CTX_new((SSL_METHOD*)meth);
}
if (tls->ctx == NULL) {
tls_log_errors(1, "tls_init_context", 0);
errno = EIO;
return -1;
}
/* Set callback if we have a passphrase */
if (ti->passphrase != NULL) {
SSL_CTX_set_default_passwd_cb(tls->ctx, passwd_cb);
SSL_CTX_set_default_passwd_cb_userdata(tls->ctx, (void *)ti);
}
if (!SSL_CTX_use_certificate_file(tls->ctx,
ti->cert,
SSL_FILETYPE_PEM)) {
if (ti->configured > 0) {
SU_DEBUG_1(("%s: invalid local certificate: %s\n",
"tls_init_context", ti->cert));
tls_log_errors(3, "tls_init_context", 0);
#if require_client_certificate
errno = EIO;
return -1;
#endif
}
}
if (!SSL_CTX_use_PrivateKey_file(tls->ctx,
ti->key,
SSL_FILETYPE_PEM)) {
if (ti->configured > 0) {
SU_DEBUG_1(("%s: invalid private key: %s\n",
"tls_init_context", ti->key));
tls_log_errors(3, "tls_init_context(key)", 0);
#if require_client_certificate
errno = EIO;
return -1;
#endif
}
}
if (!SSL_CTX_check_private_key(tls->ctx)) {
if (ti->configured > 0) {
SU_DEBUG_1(("%s: private key does not match the certificate public key\n",
"tls_init_context"));
}
#if require_client_certificate
errno = EIO;
return -1;
#endif
}
if (!SSL_CTX_load_verify_locations(tls->ctx,
ti->CAfile,
ti->CApath)) {
SU_DEBUG_1(("%s: error loading CA list: %s\n",
"tls_init_context", ti->CAfile));
if (ti->configured > 0)
tls_log_errors(3, "tls_init_context(CA)", 0);
//.........这里部分代码省略.........
示例5: do_ca_cert_bootstrap
static int
do_ca_cert_bootstrap(struct vconn *vconn)
{
struct ssl_vconn *sslv = ssl_vconn_cast(vconn);
STACK_OF(X509) *chain;
X509 *ca_cert;
FILE *file;
int error;
int fd;
chain = SSL_get_peer_cert_chain(sslv->ssl);
if (!chain || !sk_X509_num(chain)) {
VLOG_ERR("could not bootstrap CA cert: no certificate presented by "
"peer");
return EPROTO;
}
ca_cert = sk_X509_value(chain, sk_X509_num(chain) - 1);
/* Check that 'ca_cert' is self-signed. Otherwise it is not a CA
* certificate and we should not attempt to use it as one. */
error = X509_check_issued(ca_cert, ca_cert);
if (error) {
VLOG_ERR("could not bootstrap CA cert: obtained certificate is "
"not self-signed (%s)",
X509_verify_cert_error_string(error));
if (sk_X509_num(chain) < 2) {
VLOG_ERR("only one certificate was received, so probably the peer "
"is not configured to send its CA certificate");
}
return EPROTO;
}
fd = open(ca_cert_file, O_CREAT | O_EXCL | O_WRONLY, 0444);
if (fd < 0) {
VLOG_ERR("could not bootstrap CA cert: creating %s failed: %s",
ca_cert_file, strerror(errno));
return errno;
}
file = fdopen(fd, "w");
if (!file) {
int error = errno;
VLOG_ERR("could not bootstrap CA cert: fdopen failed: %s",
strerror(error));
unlink(ca_cert_file);
return error;
}
if (!PEM_write_X509(file, ca_cert)) {
VLOG_ERR("could not bootstrap CA cert: PEM_write_X509 to %s failed: "
"%s", ca_cert_file, ERR_error_string(ERR_get_error(), NULL));
fclose(file);
unlink(ca_cert_file);
return EIO;
}
if (fclose(file)) {
int error = errno;
VLOG_ERR("could not bootstrap CA cert: writing %s failed: %s",
ca_cert_file, strerror(error));
unlink(ca_cert_file);
return error;
}
VLOG_INFO("successfully bootstrapped CA cert to %s", ca_cert_file);
log_ca_cert(ca_cert_file, ca_cert);
bootstrap_ca_cert = false;
has_ca_cert = true;
/* SSL_CTX_add_client_CA makes a copy of ca_cert's relevant data. */
SSL_CTX_add_client_CA(ctx, ca_cert);
/* SSL_CTX_use_certificate() takes ownership of the certificate passed in.
* 'ca_cert' is owned by sslv->ssl, so we need to duplicate it. */
ca_cert = X509_dup(ca_cert);
if (!ca_cert) {
out_of_memory();
}
if (SSL_CTX_load_verify_locations(ctx, ca_cert_file, NULL) != 1) {
VLOG_ERR("SSL_CTX_load_verify_locations: %s",
ERR_error_string(ERR_get_error(), NULL));
return EPROTO;
}
VLOG_INFO("killing successful connection to retry using CA cert");
return EPROTO;
}示例6: s_time_main
/***********************************************************************
* MAIN - main processing area for client
* real name depends on MONOLITH
*/
int
s_time_main(int argc, char **argv)
{
double totalTime = 0.0;
int nConn = 0;
SSL *scon = NULL;
long finishtime = 0;
int ret = 1, i;
char buf[1024 * 8];
int ver;
s_time_meth = SSLv23_client_method();
verify_depth = 0;
verify_error = X509_V_OK;
memset(&s_time_config, 0, sizeof(s_time_config));
s_time_config.host = SSL_CONNECT_NAME;
s_time_config.maxtime = SECONDS;
s_time_config.perform = 3;
s_time_config.verify = SSL_VERIFY_NONE;
s_time_config.verify_depth = -1;
if (options_parse(argc, argv, s_time_options, NULL, NULL) != 0) {
s_time_usage();
goto end;
}
if (s_time_config.verify_depth >= 0) {
s_time_config.verify = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
verify_depth = s_time_config.verify_depth;
BIO_printf(bio_err, "verify depth is %d\n", verify_depth);
}
if (s_time_config.www_path != NULL &&
strlen(s_time_config.www_path) > MYBUFSIZ - 100) {
BIO_printf(bio_err, "-www option too long\n");
goto end;
}
if ((tm_ctx = SSL_CTX_new(s_time_meth)) == NULL)
return (1);
SSL_CTX_set_quiet_shutdown(tm_ctx, 1);
if (s_time_config.bugs)
SSL_CTX_set_options(tm_ctx, SSL_OP_ALL);
if (s_time_config.cipher != NULL) {
if (!SSL_CTX_set_cipher_list(tm_ctx, s_time_config.cipher)) {
BIO_printf(bio_err, "error setting cipher list\n");
ERR_print_errors(bio_err);
goto end;
}
}
if (!set_cert_stuff(tm_ctx, s_time_config.certfile,
s_time_config.keyfile))
goto end;
if ((!SSL_CTX_load_verify_locations(tm_ctx, s_time_config.CAfile,
s_time_config.CApath)) ||
(!SSL_CTX_set_default_verify_paths(tm_ctx))) {
/*
* BIO_printf(bio_err,"error setting default verify
* locations\n");
*/
ERR_print_errors(bio_err);
/* goto end; */
}
if (!(s_time_config.perform & 1))
goto next;
printf("Collecting connection statistics for %d seconds\n",
s_time_config.maxtime);
/* Loop and time how long it takes to make connections */
bytes_read = 0;
finishtime = (long) time(NULL) + s_time_config.maxtime;
tm_Time_F(START);
for (;;) {
if (finishtime < (long) time(NULL))
break;
if ((scon = doConnection(NULL)) == NULL)
goto end;
if (s_time_config.www_path != NULL) {
int retval = snprintf(buf, sizeof buf,
"GET %s HTTP/1.0\r\n\r\n", s_time_config.www_path);
if ((size_t)retval >= sizeof buf) {
fprintf(stderr, "URL too long\n");
goto end;
}
SSL_write(scon, buf, strlen(buf));
//.........这里部分代码省略.........
示例7: main
int main()
{
BIO * bio;
SSL * ssl;
SSL_CTX * ctx;
int p;
/* Set up the library */
ERR_load_BIO_strings();
SSL_load_error_strings();
SSL_library_init();
OpenSSL_add_all_algorithms();
/* Create a CTX
* Application should set up SSL_CTX completely before creating
* SSL objects from it.
* In general, an application will create just one SSL_CTX object
* for all of the connections it makes.
*/
ctx = SSL_CTX_new(SSLv23_client_method());
if (ctx == NULL) {
fprintf(stderr, "Error creating ctx\n");
SSL_CTX_free(ctx);
return -1;
}
SSL_CTX_set_verify_depth(ctx, 50);
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_callback);
char* CApath = "CAfiles";
char* CAfile = "CAfile.pem";
if(!SSL_CTX_load_verify_locations(ctx, CAfile, NULL))
{
fprintf(stderr, "Can't load trusted CA from %s\n", CApath);
return -1;
}
/* Setup the connection */
bio = BIO_new_connect("www.google.com:https");
if (!bio)
{
fprintf(stderr, "Error creating connection BIO\n");
}
if(BIO_do_connect(bio) <= 0)
{
fprintf(stderr, "Error connecting BIO\n");
BIO_free_all(bio);
SSL_CTX_free(ctx);
return 0;
}
if (!(ssl = SSL_new(ctx))) {
fprintf(stderr, "Error creating an SSL object\n");
return -1;
}
SSL_set_bio(ssl, bio, bio);
if (SSL_connect(ssl) <= 0) {
fprintf(stderr, "Error connecting SSL object\n");
ERR_print_errors_fp(stderr);
return -1;
}
if(SSL_get_verify_result(ssl) != X509_V_OK)
{
fprintf(stderr, "Verification Error: %ld\n", SSL_get_verify_result(ssl));
BIO_free_all(bio);
SSL_CTX_free(ctx);
return 0;
}
fprintf(stderr, "Peer verification passed\n");
char buf[80] = "GET /\n\r";
int nwritten, rc;
printf("Bytes to write: %ld\n", strlen(buf));
for (nwritten = 0; nwritten < sizeof buf; nwritten += rc)
{
rc = SSL_write(ssl, buf + nwritten, strlen(buf) - nwritten);
if (rc <= 0)
{
ERR_print_errors_fp(stderr);
break;
}
else
printf("Bytes written: %d return: %d\n", nwritten, rc);
}
char content[1024*1024];
for (nwritten = 0; nwritten < sizeof content; nwritten += rc)
{
rc = SSL_read(ssl, content + nwritten, sizeof content - nwritten);
if (rc <= 0)
{
ERR_print_errors_fp(stderr);
break;
}
else
//.........这里部分代码省略.........
示例8: tls_open
//.........这里部分代码省略.........
gnutls_transport_set_ptr(c->session, (gnutls_transport_ptr_t)
(intptr_t) c->fd);
gnutls_priority_set_direct(c->session, "NORMAL", NULL);
while (1) {
ret = gnutls_handshake(c->session);
if (ret == 0)
break;
if ((ret = do_tls_poll(h, ret)) < 0)
goto fail;
}
if (c->verify) {
unsigned int status, cert_list_size;
gnutls_x509_crt_t cert;
const gnutls_datum_t *cert_list;
if ((ret = gnutls_certificate_verify_peers2(c->session, &status)) < 0) {
av_log(h, AV_LOG_ERROR, "Unable to verify peer certificate: %s\n",
gnutls_strerror(ret));
ret = AVERROR(EIO);
goto fail;
}
if (status & GNUTLS_CERT_INVALID) {
av_log(h, AV_LOG_ERROR, "Peer certificate failed verification\n");
ret = AVERROR(EIO);
goto fail;
}
if (gnutls_certificate_type_get(c->session) != GNUTLS_CRT_X509) {
av_log(h, AV_LOG_ERROR, "Unsupported certificate type\n");
ret = AVERROR(EIO);
goto fail;
}
gnutls_x509_crt_init(&cert);
cert_list = gnutls_certificate_get_peers(c->session, &cert_list_size);
gnutls_x509_crt_import(cert, cert_list, GNUTLS_X509_FMT_DER);
ret = gnutls_x509_crt_check_hostname(cert, host);
gnutls_x509_crt_deinit(cert);
if (!ret) {
av_log(h, AV_LOG_ERROR,
"The certificate's owner does not match hostname %s\n", host);
ret = AVERROR(EIO);
goto fail;
}
}
#elif CONFIG_OPENSSL
c->ctx = SSL_CTX_new(c->listen ? TLSv1_server_method() : TLSv1_client_method());
if (!c->ctx) {
av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL));
ret = AVERROR(EIO);
goto fail;
}
set_options(h, uri);
if (c->ca_file) {
if (!SSL_CTX_load_verify_locations(c->ctx, c->ca_file, NULL))
av_log(h, AV_LOG_ERROR, "SSL_CTX_load_verify_locations %s\n", ERR_error_string(ERR_get_error(), NULL));
}
if (c->cert_file && !SSL_CTX_use_certificate_chain_file(c->ctx, c->cert_file)) {
av_log(h, AV_LOG_ERROR, "Unable to load cert file %s: %s\n",
c->cert_file, ERR_error_string(ERR_get_error(), NULL));
ret = AVERROR(EIO);
goto fail;
}
if (c->key_file && !SSL_CTX_use_PrivateKey_file(c->ctx, c->key_file, SSL_FILETYPE_PEM)) {
av_log(h, AV_LOG_ERROR, "Unable to load key file %s: %s\n",
c->key_file, ERR_error_string(ERR_get_error(), NULL));
ret = AVERROR(EIO);
goto fail;
}
// Note, this doesn't check that the peer certificate actually matches
// the requested hostname.
if (c->verify)
SSL_CTX_set_verify(c->ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
c->ssl = SSL_new(c->ctx);
if (!c->ssl) {
av_log(h, AV_LOG_ERROR, "%s\n", ERR_error_string(ERR_get_error(), NULL));
ret = AVERROR(EIO);
goto fail;
}
SSL_set_fd(c->ssl, c->fd);
if (!c->listen && !numerichost)
SSL_set_tlsext_host_name(c->ssl, host);
while (1) {
ret = c->listen ? SSL_accept(c->ssl) : SSL_connect(c->ssl);
if (ret > 0)
break;
if (ret == 0) {
av_log(h, AV_LOG_ERROR, "Unable to negotiate TLS/SSL session\n");
ret = AVERROR(EIO);
goto fail;
}
if ((ret = do_tls_poll(h, ret)) < 0)
goto fail;
}
#endif
return 0;
fail:
TLS_free(c);
if (c->tcp)
ffurl_close(c->tcp);
ff_tls_deinit();
return ret;
}示例9: main
//.........这里部分代码省略.........
}
if (badop)
{
bad:
sv_usage();
goto end;
}
if (cipher == NULL && OPENSSL_issetugid() == 0)
cipher=getenv("SSL_CIPHER");
SSL_load_error_strings();
OpenSSL_add_ssl_algorithms();
c_ctx=SSL_CTX_new(ssl_method);
s_ctx=SSL_CTX_new(ssl_method);
if ((c_ctx == NULL) || (s_ctx == NULL))
{
ERR_print_errors(bio_err);
goto end;
}
SSL_CTX_set_session_cache_mode(s_ctx,
SSL_SESS_CACHE_NO_AUTO_CLEAR|SSL_SESS_CACHE_SERVER);
SSL_CTX_set_session_cache_mode(c_ctx,
SSL_SESS_CACHE_NO_AUTO_CLEAR|SSL_SESS_CACHE_SERVER);
if (!SSL_CTX_use_certificate_file(s_ctx,scert,SSL_FILETYPE_PEM))
{
ERR_print_errors(bio_err);
}
else if (!SSL_CTX_use_RSAPrivateKey_file(s_ctx,scert,SSL_FILETYPE_PEM))
{
ERR_print_errors(bio_err);
goto end;
}
if (client_auth)
{
SSL_CTX_use_certificate_file(c_ctx,ccert,
SSL_FILETYPE_PEM);
SSL_CTX_use_RSAPrivateKey_file(c_ctx,ccert,
SSL_FILETYPE_PEM);
}
if ( (!SSL_CTX_load_verify_locations(s_ctx,CAfile,CApath)) ||
(!SSL_CTX_set_default_verify_paths(s_ctx)) ||
(!SSL_CTX_load_verify_locations(c_ctx,CAfile,CApath)) ||
(!SSL_CTX_set_default_verify_paths(c_ctx)))
{
fprintf(stderr,"SSL_load_verify_locations\n");
ERR_print_errors(bio_err);
goto end;
}
if (client_auth)
{
fprintf(stderr,"client authentication\n");
SSL_CTX_set_verify(s_ctx,
SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
verify_callback);
}
if (server_auth)
{
fprintf(stderr,"server authentication\n");
SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER,
verify_callback);
}
thread_setup();
do_threads(s_ctx,c_ctx);
thread_cleanup();
end:
if (c_ctx != NULL)
{
fprintf(stderr,"Client SSL_CTX stats then free it\n");
print_stats(stderr,c_ctx);
SSL_CTX_free(c_ctx);
}
if (s_ctx != NULL)
{
fprintf(stderr,"Server SSL_CTX stats then free it\n");
print_stats(stderr,s_ctx);
if (cache_stats)
{
fprintf(stderr,"-----\n");
lh_stats(SSL_CTX_sessions(s_ctx),stderr);
fprintf(stderr,"-----\n");
/* lh_node_stats(SSL_CTX_sessions(s_ctx),stderr);
fprintf(stderr,"-----\n"); */
lh_node_usage_stats(SSL_CTX_sessions(s_ctx),stderr);
fprintf(stderr,"-----\n");
}
SSL_CTX_free(s_ctx);
fprintf(stderr,"done free\n");
}
exit(ret);
return(0);
}示例10: rd_kafka_transport_ssl_ctx_init
/**
* Once per rd_kafka_t handle initialization of OpenSSL
*
* Locality: application thread
*
* NOTE: rd_kafka_wrlock() MUST be held
*/
int rd_kafka_transport_ssl_ctx_init (rd_kafka_t *rk,
char *errstr, size_t errstr_size) {
int r;
SSL_CTX *ctx;
call_once(&rd_kafka_ssl_init_once, rd_kafka_transport_ssl_init);
ctx = SSL_CTX_new(SSLv23_client_method());
if (!ctx)
goto fail;
/* Key file password callback */
SSL_CTX_set_default_passwd_cb(ctx, rd_kafka_transport_ssl_passwd_cb);
SSL_CTX_set_default_passwd_cb_userdata(ctx, rk);
/* Ciphers */
if (rk->rk_conf.ssl.cipher_suites) {
rd_kafka_dbg(rk, SECURITY, "SSL",
"Setting cipher list: %s",
rk->rk_conf.ssl.cipher_suites);
if (!SSL_CTX_set_cipher_list(ctx,
rk->rk_conf.ssl.cipher_suites)) {
rd_snprintf(errstr, errstr_size,
"No recognized ciphers");
goto fail;
}
}
if (rk->rk_conf.ssl.ca_location) {
/* CA certificate location, either file or directory. */
int is_dir = rd_kafka_path_is_dir(rk->rk_conf.ssl.ca_location);
rd_kafka_dbg(rk, SECURITY, "SSL",
"Loading CA certificate(s) from %s %s",
is_dir ? "directory":"file",
rk->rk_conf.ssl.ca_location);
r = SSL_CTX_load_verify_locations(ctx,
!is_dir ?
rk->rk_conf.ssl.
ca_location : NULL,
is_dir ?
rk->rk_conf.ssl.
ca_location : NULL);
if (r != 1)
goto fail;
}
if (rk->rk_conf.ssl.cert_location) {
rd_kafka_dbg(rk, SECURITY, "SSL",
"Loading certificate from file %s",
rk->rk_conf.ssl.cert_location);
r = SSL_CTX_use_certificate_chain_file(ctx,
rk->rk_conf.ssl.cert_location);
if (r != 1)
goto fail;
}
if (rk->rk_conf.ssl.key_location) {
rd_kafka_dbg(rk, SECURITY, "SSL",
"Loading private key file from %s",
rk->rk_conf.ssl.key_location);
r = SSL_CTX_use_PrivateKey_file(ctx,
rk->rk_conf.ssl.key_location,
SSL_FILETYPE_PEM);
if (r != 1)
goto fail;
}
SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
rk->rk_conf.ssl.ctx = ctx;
return 0;
fail:
rd_kafka_ssl_error(rk, NULL, errstr, errstr_size);
SSL_CTX_free(ctx);
return -1;
}示例11: new_VioSSLAcceptorFd
/*
TODO:
Add option --verify to mysqld to be able to change verification mode
*/
struct st_VioSSLAcceptorFd*
new_VioSSLAcceptorFd(const char *key_file,
const char *cert_file,
const char *ca_file,
const char *ca_path,
const char *cipher)
{
int verify = (SSL_VERIFY_PEER |
SSL_VERIFY_CLIENT_ONCE);
struct st_VioSSLAcceptorFd* ptr;
int result;
DH *dh=NULL;
DBUG_ENTER("new_VioSSLAcceptorFd");
DBUG_PRINT("enter",
("key_file=%s, cert_file=%s, ca_path=%s, ca_file=%s, cipher=%s",
key_file, cert_file, ca_path, ca_file, cipher));
ptr= ((struct st_VioSSLAcceptorFd*)
my_malloc(sizeof(struct st_VioSSLAcceptorFd),MYF(0)));
ptr->ssl_context=0;
ptr->ssl_method=0;
/* FIXME: constants! */
ptr->session_id_context= ptr;
if (!ssl_algorithms_added)
{
DBUG_PRINT("info", ("todo: OpenSSL_add_all_algorithms()"));
ssl_algorithms_added = TRUE;
OpenSSL_add_all_algorithms();
}
if (!ssl_error_strings_loaded)
{
DBUG_PRINT("info", ("todo: SSL_load_error_strings()"));
ssl_error_strings_loaded = TRUE;
SSL_load_error_strings();
}
ptr->ssl_method= TLSv1_server_method();
ptr->ssl_context= SSL_CTX_new(ptr->ssl_method);
if (ptr->ssl_context == 0)
{
DBUG_PRINT("error", ("SSL_CTX_new failed"));
report_errors();
goto ctor_failure;
}
if (cipher)
{
result=SSL_CTX_set_cipher_list(ptr->ssl_context, cipher);
DBUG_PRINT("info",("SSL_set_cipher_list() returned %d",result));
}
/* SSL_CTX_set_quiet_shutdown(ctx,1); */
SSL_CTX_sess_set_cache_size(ptr->ssl_context,128);
/* DH? */
SSL_CTX_set_verify(ptr->ssl_context, verify, vio_verify_callback);
SSL_CTX_set_session_id_context(ptr->ssl_context,
(const uchar*) &(ptr->session_id_context),
sizeof(ptr->session_id_context));
/*
SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile));
*/
if (vio_set_cert_stuff(ptr->ssl_context, cert_file, key_file) == -1)
{
DBUG_PRINT("error", ("vio_set_cert_stuff failed"));
report_errors();
goto ctor_failure;
}
if (SSL_CTX_load_verify_locations( ptr->ssl_context, ca_file, ca_path) == 0)
{
DBUG_PRINT("warning", ("SSL_CTX_load_verify_locations failed"));
if (SSL_CTX_set_default_verify_paths(ptr->ssl_context)==0)
{
DBUG_PRINT("error", ("SSL_CTX_set_default_verify_paths failed"));
report_errors();
goto ctor_failure;
}
}
/* DH stuff */
dh=get_dh512();
SSL_CTX_set_tmp_dh(ptr->ssl_context,dh);
DH_free(dh);
DBUG_RETURN(ptr);
ctor_failure:
DBUG_PRINT("exit", ("there was an error"));
my_free((gptr) ptr,MYF(0));
DBUG_RETURN(0);
}示例12: new_VioSSLConnectorFd
struct st_VioSSLConnectorFd *
new_VioSSLConnectorFd(const char* key_file,
const char* cert_file,
const char* ca_file,
const char* ca_path,
const char* cipher)
{
int verify = SSL_VERIFY_NONE;
struct st_VioSSLConnectorFd* ptr;
int result;
DH *dh=NULL;
DBUG_ENTER("new_VioSSLConnectorFd");
DBUG_PRINT("enter",
("key_file=%s, cert_file=%s, ca_path=%s, ca_file=%s, cipher=%s",
key_file, cert_file, ca_path, ca_file, cipher));
if (!(ptr=((struct st_VioSSLConnectorFd*)
my_malloc(sizeof(struct st_VioSSLConnectorFd),MYF(0)))))
DBUG_RETURN(0);
ptr->ssl_context= 0;
ptr->ssl_method= 0;
/* FIXME: constants! */
if (!ssl_algorithms_added)
{
DBUG_PRINT("info", ("todo: OpenSSL_add_all_algorithms()"));
ssl_algorithms_added = TRUE;
OpenSSL_add_all_algorithms();
}
if (!ssl_error_strings_loaded)
{
DBUG_PRINT("info", ("todo:SSL_load_error_strings()"));
ssl_error_strings_loaded = TRUE;
SSL_load_error_strings();
}
ptr->ssl_method = TLSv1_client_method();
ptr->ssl_context = SSL_CTX_new(ptr->ssl_method);
DBUG_PRINT("info", ("ssl_context: %p",ptr->ssl_context));
if (ptr->ssl_context == 0)
{
DBUG_PRINT("error", ("SSL_CTX_new failed"));
report_errors();
goto ctor_failure;
}
/*
SSL_CTX_set_options
SSL_CTX_set_info_callback
*/
if (cipher)
{
result=SSL_CTX_set_cipher_list(ptr->ssl_context, cipher);
DBUG_PRINT("info",("SSL_set_cipher_list() returned %d",result));
}
SSL_CTX_set_verify(ptr->ssl_context, verify, vio_verify_callback);
if (vio_set_cert_stuff(ptr->ssl_context, cert_file, key_file) == -1)
{
DBUG_PRINT("error", ("vio_set_cert_stuff failed"));
report_errors();
goto ctor_failure;
}
if (SSL_CTX_load_verify_locations( ptr->ssl_context, ca_file,ca_path) == 0)
{
DBUG_PRINT("warning", ("SSL_CTX_load_verify_locations failed"));
if (SSL_CTX_set_default_verify_paths(ptr->ssl_context) == 0)
{
DBUG_PRINT("error", ("SSL_CTX_set_default_verify_paths failed"));
report_errors();
goto ctor_failure;
}
}
/* DH stuff */
dh=get_dh512();
SSL_CTX_set_tmp_dh(ptr->ssl_context,dh);
DH_free(dh);
DBUG_RETURN(ptr);
ctor_failure:
DBUG_PRINT("exit", ("there was an error"));
my_free((gptr)ptr,MYF(0));
DBUG_RETURN(0);
}示例13: tlso_ctx_init
/*
* initialize a new TLS context
*/
static int
tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
{
tlso_ctx *ctx = (tlso_ctx *)lo->ldo_tls_ctx;
int i;
if ( is_server ) {
SSL_CTX_set_session_id_context( ctx,
(const unsigned char *) "OpenLDAP", sizeof("OpenLDAP")-1 );
}
#ifdef SSL_OP_NO_TLSv1
#ifdef SSL_OP_NO_TLSv1_1
#ifdef SSL_OP_NO_TLSv1_2
if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_TLS1_2)
SSL_CTX_set_options( ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 |
SSL_OP_NO_TLSv1_2 );
else
#endif
if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_TLS1_1)
SSL_CTX_set_options( ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 );
else
#endif
if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_TLS1_0)
SSL_CTX_set_options( ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
SSL_OP_NO_TLSv1);
else
#endif
if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_SSL3 )
SSL_CTX_set_options( ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 );
else if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_SSL2 )
SSL_CTX_set_options( ctx, SSL_OP_NO_SSLv2 );
if ( lo->ldo_tls_ciphersuite &&
!SSL_CTX_set_cipher_list( ctx, lt->lt_ciphersuite ) )
{
Debug( LDAP_DEBUG_ANY,
"TLS: could not set cipher list %s.\n",
lo->ldo_tls_ciphersuite, 0, 0 );
tlso_report_error();
return -1;
}
if (lo->ldo_tls_cacertfile != NULL || lo->ldo_tls_cacertdir != NULL) {
if ( !SSL_CTX_load_verify_locations( ctx,
lt->lt_cacertfile, lt->lt_cacertdir ) ||
!SSL_CTX_set_default_verify_paths( ctx ) )
{
Debug( LDAP_DEBUG_ANY, "TLS: "
"could not load verify locations (file:`%s',dir:`%s').\n",
lo->ldo_tls_cacertfile ? lo->ldo_tls_cacertfile : "",
lo->ldo_tls_cacertdir ? lo->ldo_tls_cacertdir : "",
0 );
tlso_report_error();
return -1;
}
if ( is_server ) {
STACK_OF(X509_NAME) *calist;
/* List of CA names to send to a client */
calist = tlso_ca_list( lt->lt_cacertfile, lt->lt_cacertdir );
if ( !calist ) {
Debug( LDAP_DEBUG_ANY, "TLS: "
"could not load client CA list (file:`%s',dir:`%s').\n",
lo->ldo_tls_cacertfile ? lo->ldo_tls_cacertfile : "",
lo->ldo_tls_cacertdir ? lo->ldo_tls_cacertdir : "",
0 );
tlso_report_error();
return -1;
}
SSL_CTX_set_client_CA_list( ctx, calist );
}
}
if ( lo->ldo_tls_certfile &&
!SSL_CTX_use_certificate_file( ctx,
lt->lt_certfile, SSL_FILETYPE_PEM ) )
{
Debug( LDAP_DEBUG_ANY,
"TLS: could not use certificate `%s'.\n",
lo->ldo_tls_certfile,0,0);
tlso_report_error();
return -1;
}
/* Key validity is checked automatically if cert has already been set */
if ( lo->ldo_tls_keyfile &&
!SSL_CTX_use_PrivateKey_file( ctx,
lt->lt_keyfile, SSL_FILETYPE_PEM ) )
{
Debug( LDAP_DEBUG_ANY,
"TLS: could not use key file `%s'.\n",
lo->ldo_tls_keyfile,0,0);
tlso_report_error();
//.........这里部分代码省略.........
示例14: OpenSSL_add_all_algorithms
bool ClientHandler::sslInit() {
int ret = 0;
OpenSSL_add_all_algorithms();
SSL_library_init() ;
SSL_load_error_strings();
if ( (ssl_method = TLSv1_server_method()) == NULL ) {
errError("_server_method() error");
return false;
}
if((ssl_ctx = SSL_CTX_new(ssl_method)) == NULL) {
errError("16.12.2011 22:15:09 SSL_CTX_new() error");
return false;
}
if(SSL_CTX_use_certificate_file(ssl_ctx, sslCertificateFile, SSL_FILETYPE_PEM) != 1) {
errError("17.12.2011 00:12:29 SSL_CTX_use_certificate_file() error");
return false;
}
if(SSL_CTX_use_PrivateKey_file(ssl_ctx, sslPrivateKeyFile, SSL_FILETYPE_PEM) != 1) {
errError("17.12.2011 00:12:33 SSL_CTX_use_PrivateKey_file() error");
return false;
}
// ==== BEGIN CLIENT CERT VERIFICATION
if (verifyPeerCertificate) {
STACK_OF(X509_NAME) *list = NULL;
if (SSL_CTX_load_verify_locations(ssl_ctx, sslClientCertificateFile, NULL) != 1) {
errError("22.10.2012 23:37:46 SSL_CTX_load_verify_locations() error");
return false;
}
if ((list = SSL_load_client_CA_file( sslClientCertificateFile )) == NULL ) {
errError("23.10.2012 16:00:51 SSL_load_client_CA_file() error");
return false;
}
SSL_CTX_set_client_CA_list(ssl_ctx, list);
SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT , NULL);
}
// ==== END CLIENT CERT VERIFICATION
if ((ssl = SSL_new(ssl_ctx)) == NULL ) {
errError("16.12.2011 22:15:15 SSL_new() error");
return false;
}
if(!SSL_CTX_check_private_key(ssl_ctx)) {
errError("16.12.2011 22:15:22 SSL_CTX_check_private_key() error");
return false;
}
if(SSL_set_fd(ssl, connectionSocket) != 1) {
errError("17.12.2011 01:57:52 SSL_set_fd() error");
return false;
}
if ((ret = SSL_accept(ssl)) <= 0) {
int savedErrno = errno;
errError("16.12.2011 22:15:33 SSL_accept() error");
sslError(ret,savedErrno);
return false;
}
return true;
}示例15: tls_client_setup
int
tls_client_setup( int use_randfile, int authlevel, char *caFile, char *caDir, char *cert, char *privatekey )
{
extern SSL_CTX *ctx;
int ssl_mode = 0;
/* Setup SSL */
SSL_load_error_strings();
SSL_library_init();
if ( use_randfile ) {
if ( _randfile( ) != 0 ) {
return( -1 );
}
}
if (( ctx = SSL_CTX_new( SSLv23_client_method())) == NULL ) {
fprintf( stderr, "SSL_CTX_new: %s\n",
ERR_error_string( ERR_get_error(), NULL ));
return( -1 );
}
if ( authlevel == 2 ) {
if ( SSL_CTX_use_PrivateKey_file( ctx, privatekey,
SSL_FILETYPE_PEM ) != 1 ) {
fprintf( stderr, "SSL_CTX_use_PrivateKey_file: %s: %s\n",
privatekey, ERR_error_string( ERR_get_error(), NULL ));
return( -1 );
}
if ( SSL_CTX_use_certificate_chain_file( ctx, cert ) != 1 ) {
fprintf( stderr, "SSL_CTX_use_certificate_chain_file: %s: %s\n",
cert, ERR_error_string( ERR_get_error(), NULL ));
return( -1 );
}
/* Verify that private key matches cert */
if ( SSL_CTX_check_private_key( ctx ) != 1 ) {
fprintf( stderr, "SSL_CTX_check_private_key: %s\n",
ERR_error_string( ERR_get_error(), NULL ));
return( -1 );
}
}
/* Set default CA location of not specified */
if ( caFile == NULL && caDir == NULL ) {
caFile = _RADMIND_TLS_CA;
}
/* Load CA */
if ( caFile != NULL ) {
if ( SSL_CTX_load_verify_locations( ctx, caFile, NULL ) != 1 ) {
fprintf( stderr, "SSL_CTX_load_verify_locations: %s: %s\n",
caFile, ERR_error_string( ERR_get_error(), NULL ));
return( -1 );
}
}
if ( caDir != NULL ) {
if ( SSL_CTX_load_verify_locations( ctx, NULL, caDir ) != 1 ) {
fprintf( stderr, "SSL_CTX_load_verify_locations: %s: %s\n",
caDir, ERR_error_string( ERR_get_error(), NULL ));
return( -1 );
}
}
/* Set level of security expecations */
ssl_mode = SSL_VERIFY_PEER;
SSL_CTX_set_verify( ctx, ssl_mode, NULL );
return( 0 );
}