本文整理汇总了C++中SSL_CTX_set_client_CA_list函数的典型用法代码示例。如果您正苦于以下问题:C++ SSL_CTX_set_client_CA_list函数的具体用法?C++ SSL_CTX_set_client_CA_list怎么用?C++ SSL_CTX_set_client_CA_list使用的例子?那么, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了SSL_CTX_set_client_CA_list函数的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的C++代码示例。
示例1: verify_init
/**
* Init verification of transmitted client certs
*/
static int verify_init(ssl_server_connection *ssl_server) {
struct stat stat_buf;
if (!ssl_server->clientpemfile) {
SSL_CTX_set_verify(ssl_server->ctx, SSL_VERIFY_NONE, NULL);
return TRUE;
}
if (stat(ssl_server->clientpemfile, &stat_buf) == -1) {
LogError("%s: Cannot stat the SSL pem path '%s' -- %s\n", prog, Run.httpsslclientpem, STRERROR);
return FALSE;
}
if (S_ISDIR(stat_buf.st_mode)) {
if (!SSL_CTX_load_verify_locations(ssl_server->ctx, NULL , ssl_server->clientpemfile)) {
LogError("%s: Error setting verify directory to %s -- %s\n", prog, Run.httpsslclientpem, SSLERROR);
return FALSE;
}
LogInfo("%s: Loaded SSL client pem directory '%s'\n", prog, ssl_server->clientpemfile);
/* Monit's server cert for cli support */
if (!SSL_CTX_load_verify_locations(ssl_server->ctx, ssl_server->pemfile, NULL)) {
LogError("%s: Error loading verify certificates from %s -- %s\n", prog, ssl_server->pemfile, SSLERROR);
return FALSE;
}
LogInfo("%s: Loaded monit's SSL pem server file '%s'\n", prog, ssl_server->pemfile);
} else if (S_ISREG(stat_buf.st_mode)) {
if (!SSL_CTX_load_verify_locations(ssl_server->ctx, ssl_server->clientpemfile, NULL)) {
LogError("%s: Error loading verify certificates from %s -- %s\n", prog, Run.httpsslclientpem, SSLERROR);
return FALSE;
}
LogInfo("%s: Loaded SSL pem client file '%s'\n", prog, ssl_server->clientpemfile);
/* Monits server cert for cli support ! */
if (!SSL_CTX_load_verify_locations(ssl_server->ctx, ssl_server->pemfile, NULL)) {
LogError("%s: Error loading verify certificates from %s -- %s\n", prog, ssl_server->pemfile, SSLERROR);
return FALSE;
}
LogInfo("%s: Loaded monit's SSL pem server file '%s'\n", prog, ssl_server->pemfile);
SSL_CTX_set_client_CA_list(ssl_server->ctx, SSL_load_client_CA_file(ssl_server->clientpemfile));
} else {
LogError("%s: SSL client pem path is no file or directory %s\n", prog, ssl_server->clientpemfile);
return FALSE;
}
SSL_CTX_set_verify(ssl_server->ctx, SSL_VERIFY_PEER, verify_callback);
return TRUE;
}示例2: ssl_ca_certificate
int ssl_ca_certificate(struct ssl_t *ssl, const char *cafile, int depth)
{
STACK_OF(X509_NAME) *list;
SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ssl_verify_callback);
SSL_CTX_set_verify_depth(ssl->ctx, depth);
if (SSL_CTX_load_verify_locations(ssl->ctx, cafile, NULL) == 0) {
hlog(LOG_ERR, "Failed to load trusted CA list from \"%s\"", cafile);
ssl_error(LOG_ERR, "SSL_CTX_load_verify_locations");
return -1;
}
list = SSL_load_client_CA_file(cafile);
if (list == NULL) {
hlog(LOG_ERR, "Failed to load client CA file from \"%s\"", cafile);
ssl_error(LOG_ERR, "SSL_load_client_CA_file");
return -1;
}
/*
* before 0.9.7h and 0.9.8 SSL_load_client_CA_file()
* always leaved an error in the error queue
*/
ERR_clear_error();
SSL_CTX_set_client_CA_list(ssl->ctx, list);
ssl->validate = 1;
return 0;
}示例3: SSL_CONF_CTX_finish
int SSL_CONF_CTX_finish(SSL_CONF_CTX *cctx)
{
/* See if any certificates are missing private keys */
size_t i;
CERT *c = NULL;
if (cctx->ctx)
c = cctx->ctx->cert;
else if (cctx->ssl)
c = cctx->ssl->cert;
if (c && cctx->flags & SSL_CONF_FLAG_REQUIRE_PRIVATE) {
for (i = 0; i < SSL_PKEY_NUM; i++) {
const char *p = cctx->cert_filename[i];
/*
* If missing private key try to load one from certificate file
*/
if (p && !c->pkeys[i].privatekey) {
if (!cmd_PrivateKey(cctx, p))
return 0;
}
}
}
if (cctx->canames) {
if (cctx->ssl)
SSL_set_client_CA_list(cctx->ssl, cctx->canames);
else if (cctx->ctx)
SSL_CTX_set_client_CA_list(cctx->ctx, cctx->canames);
else
sk_X509_NAME_pop_free(cctx->canames, X509_NAME_free);
cctx->canames = NULL;
}
return 1;
}示例4: mono_btls_ssl_ctx_set_client_ca_list
int
mono_btls_ssl_ctx_set_client_ca_list (MonoBtlsSslCtx *ctx, int count, int *sizes, const void **data)
{
STACK_OF(X509_NAME) *name_list;
int i;
name_list = sk_X509_NAME_new_null ();
if (!name_list)
return 0;
for (i = 0; i < count; i++) {
X509_NAME *name;
const unsigned char *ptr = (const unsigned char*)data[i];
name = d2i_X509_NAME (NULL, &ptr, sizes[i]);
if (!name) {
sk_X509_NAME_pop_free (name_list, X509_NAME_free);
return 0;
}
sk_X509_NAME_push (name_list, name);
}
// Takes ownership of the list.
SSL_CTX_set_client_CA_list (ctx->ctx, name_list);
return 1;
}示例5: swSSL_set_client_certificate
int swSSL_set_client_certificate(SSL_CTX *ctx, char *cert_file, int depth)
{
STACK_OF(X509_NAME) *list;
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, swSSL_verify_callback);
SSL_CTX_set_verify_depth(ctx, depth);
if (SSL_CTX_load_verify_locations(ctx, cert_file, NULL) == 0)
{
swWarn("SSL_CTX_load_verify_locations(\"%s\") failed.", cert_file);
return SW_ERR;
}
ERR_clear_error();
list = SSL_load_client_CA_file(cert_file);
if (list == NULL)
{
swWarn("SSL_load_client_CA_file(\"%s\") failed.", cert_file);
return SW_ERR;
}
ERR_clear_error();
SSL_CTX_set_client_CA_list(ctx, list);
return SW_OK;
}示例6: load_ca_list
/**
* @brief Load CA list from file
* @param d domain
* @return 0 if not configured or on success, -1 on error
*/
static int load_ca_list(tls_domain_t* d)
{
int i;
int procs_no;
if (!d->ca_file.s || !d->ca_file.len) {
DBG("%s: No CA list configured\n", tls_domain_str(d));
return 0;
}
if (fix_shm_pathname(&d->ca_file) < 0)
return -1;
procs_no=get_max_procs();
for(i = 0; i < procs_no; i++) {
if (SSL_CTX_load_verify_locations(d->ctx[i], d->ca_file.s, 0) != 1) {
ERR("%s: Unable to load CA list '%s'\n", tls_domain_str(d),
d->ca_file.s);
TLS_ERR("load_ca_list:");
return -1;
}
SSL_CTX_set_client_CA_list(d->ctx[i],
SSL_load_client_CA_file(d->ca_file.s));
if (SSL_CTX_get_client_CA_list(d->ctx[i]) == 0) {
ERR("%s: Error while setting client CA list\n", tls_domain_str(d));
TLS_ERR("load_ca_list:");
return -1;
}
}
return 0;
}示例7: _hssl_server_context_init
static herror_t
_hssl_server_context_init(void)
{
log_verbose3("enabled=%i, certificate=%p", enabled, certificate);
if (!enabled || !certificate)
return H_OK;
if (!(context = SSL_CTX_new(SSLv23_method())))
{
log_error1("Cannot create SSL context");
return herror_new("_hssl_server_context_init", HSSL_ERROR_CONTEXT,
"Unable to create SSL context");
}
if (!(SSL_CTX_use_certificate_file(context, certificate, SSL_FILETYPE_PEM)))
{
log_error2("Cannot read certificate file: \"%s\"", certificate);
SSL_CTX_free(context);
return herror_new("_hssl_server_context_init", HSSL_ERROR_CERTIFICATE,
"Unable to use SSL certificate \"%s\"", certificate);
}
SSL_CTX_set_default_passwd_cb(context, _hssl_password_callback);
if (!(SSL_CTX_use_PrivateKey_file(context, certificate, SSL_FILETYPE_PEM)))
{
log_error2("Cannot read key file: \"%s\"", certificate);
SSL_CTX_free(context);
return herror_new("_hssl_server_context_init", HSSL_ERROR_PEM,
"Unable to use private key");
}
if (ca_list != NULL && *ca_list != '\0')
{
if (!(SSL_CTX_load_verify_locations(context, ca_list, NULL)))
{
SSL_CTX_free(context);
log_error2("Cannot read CA list: \"%s\"", ca_list);
return herror_new("_hssl_server_context_init", HSSL_ERROR_CA_LIST,
"Unable to read certification authorities \"%s\"");
}
SSL_CTX_set_client_CA_list(context, SSL_load_client_CA_file(ca_list));
log_verbose1("Certification authority contacted");
}
SSL_CTX_set_verify(context, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE,
_hssl_cert_verify_callback);
log_verbose1("Certificate verification callback registered");
SSL_CTX_set_mode(context, SSL_MODE_AUTO_RETRY);
SSL_CTX_set_session_cache_mode(context, SSL_SESS_CACHE_OFF);
_hssl_superseed();
return H_OK;
}示例8: pn_ssl_domain_set_peer_authentication
int pn_ssl_domain_set_peer_authentication(pn_ssl_domain_t *domain,
const pn_ssl_verify_mode_t mode,
const char *trusted_CAs)
{
if (!domain) return -1;
switch (mode) {
case PN_SSL_VERIFY_PEER:
case PN_SSL_VERIFY_PEER_NAME:
if (!domain->has_ca_db) {
pn_transport_logf(NULL, "Error: cannot verify peer without a trusted CA configured.\n"
" Use pn_ssl_domain_set_trusted_ca_db()");
return -1;
}
if (domain->mode == PN_SSL_MODE_SERVER) {
// openssl requires that server connections supply a list of trusted CAs which is
// sent to the client
if (!trusted_CAs) {
pn_transport_logf(NULL, "Error: a list of trusted CAs must be provided.");
return -1;
}
if (!domain->has_certificate) {
pn_transport_logf(NULL, "Error: Server cannot verify peer without configuring a certificate.\n"
" Use pn_ssl_domain_set_credentials()");
}
if (domain->trusted_CAs) free(domain->trusted_CAs);
domain->trusted_CAs = pn_strdup( trusted_CAs );
STACK_OF(X509_NAME) *cert_names;
cert_names = SSL_load_client_CA_file( domain->trusted_CAs );
if (cert_names != NULL)
SSL_CTX_set_client_CA_list(domain->ctx, cert_names);
else {
pn_transport_logf(NULL, "Error: Unable to process file of trusted CAs: %s", trusted_CAs);
return -1;
}
}
SSL_CTX_set_verify( domain->ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
verify_callback);
#if (OPENSSL_VERSION_NUMBER < 0x00905100L)
SSL_CTX_set_verify_depth(domain->ctx, 1);
#endif
break;
case PN_SSL_ANONYMOUS_PEER: // hippie free love mode... :)
SSL_CTX_set_verify( domain->ctx, SSL_VERIFY_NONE, NULL );
break;
default:
pn_transport_logf(NULL, "Invalid peer authentication mode given." );
return -1;
}
domain->verify_mode = mode;
return 0;
}示例9: SSL_load_client_CA_file
void SSLContext::loadClientCAList(const char* path) {
auto clientCAs = SSL_load_client_CA_file(path);
if (clientCAs == nullptr) {
LOG(ERROR) << "Unable to load ca file: " << path;
return;
}
SSL_CTX_set_client_CA_list(ctx_, clientCAs);
}示例10: MakeSSLContext
/**
* Initializes an SSL context using the specified certificates.
*
* @param pubkey The public key.
* @param privkey The matching private key.
* @param cakey CA certificate chain file.
* @returns An SSL context.
*/
shared_ptr<SSL_CTX> MakeSSLContext(const String& pubkey, const String& privkey, const String& cakey)
{
InitializeOpenSSL();
shared_ptr<SSL_CTX> sslContext = shared_ptr<SSL_CTX>(SSL_CTX_new(TLSv1_method()), SSL_CTX_free);
SSL_CTX_set_mode(sslContext.get(), 0);
if (!SSL_CTX_use_certificate_chain_file(sslContext.get(), pubkey.CStr())) {
BOOST_THROW_EXCEPTION(openssl_error()
<< boost::errinfo_api_function("SSL_CTX_use_certificate_chain_file")
<< errinfo_openssl_error(ERR_get_error())
<< boost::errinfo_file_name(pubkey));
}
if (!SSL_CTX_use_PrivateKey_file(sslContext.get(), privkey.CStr(), SSL_FILETYPE_PEM)) {
BOOST_THROW_EXCEPTION(openssl_error()
<< boost::errinfo_api_function("SSL_CTX_use_PrivateKey_file")
<< errinfo_openssl_error(ERR_get_error())
<< boost::errinfo_file_name(privkey));
}
if (!SSL_CTX_check_private_key(sslContext.get())) {
BOOST_THROW_EXCEPTION(openssl_error()
<< boost::errinfo_api_function("SSL_CTX_check_private_key")
<< errinfo_openssl_error(ERR_get_error()));
}
if (!SSL_CTX_load_verify_locations(sslContext.get(), cakey.CStr(), NULL)) {
BOOST_THROW_EXCEPTION(openssl_error()
<< boost::errinfo_api_function("SSL_CTX_load_verify_locations")
<< errinfo_openssl_error(ERR_get_error())
<< boost::errinfo_file_name(cakey));
}
STACK_OF(X509_NAME) *cert_names;
cert_names = SSL_load_client_CA_file(cakey.CStr());
if (cert_names == NULL) {
BOOST_THROW_EXCEPTION(openssl_error()
<< boost::errinfo_api_function("SSL_load_client_CA_file")
<< errinfo_openssl_error(ERR_get_error())
<< boost::errinfo_file_name(cakey));
}
SSL_CTX_set_client_CA_list(sslContext.get(), cert_names);
return sslContext;
}示例11: ssl_cca
int ssl_cca(SSL_CTX *ctx,const char *certfile)
{
STACK_OF(X509_NAME) *x;
if (!certfile) return 1;
x = SSL_load_client_CA_file(certfile);
if (!x) return 0;
SSL_CTX_set_client_CA_list(ctx,x);
SSL_CTX_set_verify(ctx,SSL_VERIFY_PEER,0);
return 1;
}示例12: ocaml_ssl_ctx_set_client_CA_list_from_file
CAMLprim value ocaml_ssl_ctx_set_client_CA_list_from_file(value context, value vfilename)
{
CAMLparam2(context, vfilename);
SSL_CTX *ctx = Ctx_val(context);
char *filename = String_val(vfilename);
STACK_OF(X509_NAME) *cert_names;
caml_enter_blocking_section();
cert_names = SSL_load_client_CA_file(filename);
if (cert_names != 0)
SSL_CTX_set_client_CA_list(ctx, cert_names);
else
{
caml_leave_blocking_section();
caml_raise_constant(*caml_named_value("ssl_exn_certificate_error"));
}
caml_leave_blocking_section();
CAMLreturn(Val_unit);
}示例13: mailstream_ssl_set_client_certicate
int mailstream_ssl_set_client_certicate(struct mailstream_ssl_context * ssl_context,
char * filename)
{
#ifdef USE_SSL
#ifdef USE_GNUTLS
/* not implemented */
return -1;
#else
SSL_CTX * ctx = (SSL_CTX *)ssl_context->openssl_ssl_ctx;
STACK_OF(X509_NAME) *cert_names;
cert_names = SSL_load_client_CA_file(filename);
if (cert_names != NULL) {
SSL_CTX_set_client_CA_list(ctx, cert_names);
return 0;
}
else {
return -1;
}
#endif /* USE_GNUTLS */
#else
return -1;
#endif /* USE_SSL */
}示例14: ssl_init_ctx_verify
static void ssl_init_ctx_verify(server_rec *s,
apr_pool_t *p,
apr_pool_t *ptemp,
modssl_ctx_t *mctx)
{
SSL_CTX *ctx = mctx->ssl_ctx;
int verify = SSL_VERIFY_NONE;
STACK_OF(X509_NAME) *ca_list;
if (mctx->auth.verify_mode == SSL_CVERIFY_UNSET) {
mctx->auth.verify_mode = SSL_CVERIFY_NONE;
}
if (mctx->auth.verify_depth == UNSET) {
mctx->auth.verify_depth = 1;
}
/*
* Configure callbacks for SSL context
*/
if (mctx->auth.verify_mode == SSL_CVERIFY_REQUIRE) {
verify |= SSL_VERIFY_PEER_STRICT;
}
if ((mctx->auth.verify_mode == SSL_CVERIFY_OPTIONAL) ||
(mctx->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))
{
verify |= SSL_VERIFY_PEER;
}
SSL_CTX_set_verify(ctx, verify, ssl_callback_SSLVerify);
/*
* Configure Client Authentication details
*/
if (mctx->auth.ca_cert_file || mctx->auth.ca_cert_path) {
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
"Configuring client authentication");
if (!SSL_CTX_load_verify_locations(ctx,
MODSSL_PCHAR_CAST mctx->auth.ca_cert_file,
MODSSL_PCHAR_CAST mctx->auth.ca_cert_path))
{
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"Unable to configure verify locations "
"for client authentication");
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
ssl_die();
}
if (mctx->pks && (mctx->pks->ca_name_file || mctx->pks->ca_name_path)) {
ca_list = ssl_init_FindCAList(s, ptemp,
mctx->pks->ca_name_file,
mctx->pks->ca_name_path);
} else
ca_list = ssl_init_FindCAList(s, ptemp,
mctx->auth.ca_cert_file,
mctx->auth.ca_cert_path);
if (!ca_list) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"Unable to determine list of acceptable "
"CA certificates for client authentication");
ssl_die();
}
SSL_CTX_set_client_CA_list(ctx, (STACK *)ca_list);
}
/*
* Give a warning when no CAs were configured but client authentication
* should take place. This cannot work.
*/
if (mctx->auth.verify_mode == SSL_CVERIFY_REQUIRE) {
ca_list = (STACK_OF(X509_NAME) *)SSL_CTX_get_client_CA_list(ctx);
if (sk_X509_NAME_num(ca_list) == 0) {
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
"Init: Oops, you want to request client "
"authentication, but no CAs are known for "
"verification!? [Hint: SSLCACertificate*]");
}
}示例15: SSL_library_init
//.........这里部分代码省略.........
SSL_CTX_set_default_passwd_cb(ctx, cbtls_password);
}
/*
* Load our keys and certificates
*
* If certificates are of type PEM then we can make use
* of cert chain authentication using openssl api call
* SSL_CTX_use_certificate_chain_file. Please see how
* the cert chain needs to be given in PEM from
* openSSL.org
*/
if (type == SSL_FILETYPE_PEM) {
if (!(SSL_CTX_use_certificate_chain_file(ctx, conf->certificate_file))) {
radlog(L_ERR, "rlm_eap: SSL error %s", ERR_error_string(ERR_get_error(), NULL));
radlog(L_ERR, "rlm_eap_tls: Error reading certificate file %s", conf->certificate_file);
return NULL;
}
} else if (!(SSL_CTX_use_certificate_file(ctx, conf->certificate_file, type))) {
radlog(L_ERR, "rlm_eap: SSL error %s", ERR_error_string(ERR_get_error(), NULL));
radlog(L_ERR, "rlm_eap_tls: Error reading certificate file %s", conf->certificate_file);
return NULL;
}
/* Load the CAs we trust */
if (conf->ca_file || conf->ca_path) {
if (!SSL_CTX_load_verify_locations(ctx, conf->ca_file, conf->ca_path)) {
radlog(L_ERR, "rlm_eap: SSL error %s", ERR_error_string(ERR_get_error(), NULL));
radlog(L_ERR, "rlm_eap_tls: Error reading Trusted root CA list %s",conf->ca_file );
return NULL;
}
}
if (conf->ca_file && *conf->ca_file) SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(conf->ca_file));
if (!(SSL_CTX_use_PrivateKey_file(ctx, conf->private_key_file, type))) {
radlog(L_ERR, "rlm_eap: SSL error %s", ERR_error_string(ERR_get_error(), NULL));
radlog(L_ERR, "rlm_eap_tls: Error reading private key file %s", conf->private_key_file);
return NULL;
}
/*
* Check if the loaded private key is the right one
*/
if (!SSL_CTX_check_private_key(ctx)) {
radlog(L_ERR, "rlm_eap_tls: Private key does not match the certificate public key");
return NULL;
}
/*
* Set ctx_options
*/
ctx_options |= SSL_OP_NO_SSLv2;
ctx_options |= SSL_OP_NO_SSLv3;
#ifdef SSL_OP_NO_TICKET
ctx_options |= SSL_OP_NO_TICKET ;
#endif
/*
* SSL_OP_SINGLE_DH_USE must be used in order to prevent
* small subgroup attacks and forward secrecy. Always
* using
*
* SSL_OP_SINGLE_DH_USE has an impact on the computer
* time needed during negotiation, but it is not very
* large.
*/