本文整理汇总了C++中SSL_CTX_set_options函数的典型用法代码示例。如果您正苦于以下问题:C++ SSL_CTX_set_options函数的具体用法?C++ SSL_CTX_set_options怎么用?C++ SSL_CTX_set_options使用的例子?那么, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了SSL_CTX_set_options函数的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的C++代码示例。
示例1: SSL_CTX_new
SSL_CTX *SSLSocket::sslCreateCtx(bool client, bool verify, const char *CAfile, const char *CRTfile, const char *KEYfile, void *passwd) {
SSL_CTX *sctx = SSL_CTX_new(client ? SSLv23_client_method() : SSLv23_server_method());
if (sctx == NULL) {
throw SSLSocketException ( "Could not create SSL context." );
}
else {
// Generate a new DH key during each handshake
SSL_CTX_set_options(sctx, SSL_OP_SINGLE_DH_USE);
// The verification contextof certificates is activated
if (verify) SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER, NULL);
// Sets the password of the private key
SSL_CTX_set_default_passwd_cb_userdata(sctx, passwd);
if (!client) {
int s_server_session_id_context = 1;
SSL_CTX_set_session_id_context(sctx, (const unsigned char*) &s_server_session_id_context, sizeof(s_server_session_id_context));
}
if (SSL_CTX_load_verify_locations(sctx, CAfile, NULL) == 0) {
throw CertificateException ( "CA file could not be loaded." );
}
if (SSL_CTX_use_certificate_file(sctx, CRTfile, SSL_FILETYPE_PEM) == 0) {
ERR_print_errors_fp(stderr);
throw CertificateException ( "CRT file could not be loaded." );
}
if (SSL_CTX_use_PrivateKey_file(sctx, KEYfile, SSL_FILETYPE_PEM) == 0) {
throw CertificateException ( "KEY file could not be loaded." );
}
}
return sctx;
}示例2: SSL_CTX_new
/* static */ void
BSecureSocket::Private::_CreateContext()
{
sContext = SSL_CTX_new(SSLv23_method());
// Disable legacy protocols. They have known vulnerabilities.
SSL_CTX_set_options(sContext, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
// Don't bother us with ERROR_WANT_READ.
SSL_CTX_set_mode(sContext, SSL_MODE_AUTO_RETRY);
// Setup certificate verification
BPath certificateStore;
find_directory(B_SYSTEM_DATA_DIRECTORY, &certificateStore);
certificateStore.Append("ssl/CARootCertificates.pem");
// TODO we may want to add a non-packaged certificate directory?
// (would make it possible to store user-added certificate exceptions
// there)
SSL_CTX_load_verify_locations(sContext, certificateStore.Path(), NULL);
SSL_CTX_set_verify(sContext, SSL_VERIFY_PEER, VerifyCallback);
// OpenSSL 1.0.2 and later: use the alternate "trusted first" algorithm to validate certificate
// chains. This makes the validation stop as soon as a recognized certificate is found in the
// chain, instead of validating the whole chain, then seeing if the root certificate is known.
#ifdef X509_V_FLAG_TRUSTED_FIRST
X509_VERIFY_PARAM* verifyParam = X509_VERIFY_PARAM_new();
X509_VERIFY_PARAM_set_flags(verifyParam, X509_V_FLAG_TRUSTED_FIRST);
SSL_CTX_set1_param(sContext, verifyParam);
// TODO we need to free this after freeing the SSL context (which we currently never do)
// X509_VERIFY_PARAM_free(verifyParam);
#endif
// Get an unique index number for storing application data in SSL
// structs. We will store a pointer to the BSecureSocket class there.
sDataIndex = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
}示例3: setup_server_ctx
SSL_CTX * setup_server_ctx(void) {
SSL_CTX * ctx;
ctx = SSL_CTX_new(SSLv23_method());
if (SSL_CTX_load_verify_locations(ctx, CAFILE, CADIR) != 1)
int_error("Error loading CA file and/or directory");
if (SSL_CTX_set_default_verify_paths(ctx) != 1)
int_error("Error loading default CA file and/or directory");
if (SSL_CTX_use_certificate_chain_file(ctx, CERTFILE) != 1)
int_error("Error loading certificate from file");
if (SSL_CTX_use_PrivateKey_file(ctx, CERTFILE, SSL_FILETYPE_PEM) != 1)
int_error("Error loading private key from file");
// a client cert is required.
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
verify_callback);
SSL_CTX_set_verify_depth(ctx, 4);
// SSL_OP_SINGLE_DH_USE causes the private part of the DH key exchange
// to be recomputed for each client connecting.
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_SINGLE_DH_USE);
SSL_CTX_set_tmp_dh_callback(ctx, tmp_dh_callback);
if (SSL_CTX_set_cipher_list(ctx, CIPHER_LIST) != 1)
int_error("Error setting cipher list (no valid ciphers)");
return ctx;
}示例4: initialize_ctx
SSL_CTX * initialize_ctx(char ask_compression)
{
if (!bio_err)
{
SSL_library_init();
SSL_load_error_strings();
ERR_load_crypto_strings();
/* error write context */
bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
}
/* create context */
const SSL_METHOD *meth = SSLv23_method();
SSL_CTX *ctx = SSL_CTX_new(meth);
#ifdef SSL_OP_NO_COMPRESSION
if (!ask_compression)
SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION);
#endif
return ctx;
}示例5: ssl_set_ecdh_curve
void
ssl_set_ecdh_curve(SSL_CTX *ctx, const char *curve)
{
int nid;
EC_KEY *ecdh;
if (curve == NULL)
curve = SSL_ECDH_CURVE;
if ((nid = OBJ_sn2nid(curve)) == 0) {
ssl_error("ssl_set_ecdh_curve");
fatal("ssl_set_ecdh_curve: unknown curve name "
SSL_ECDH_CURVE);
}
if ((ecdh = EC_KEY_new_by_curve_name(nid)) == NULL) {
ssl_error("ssl_set_ecdh_curve");
fatal("ssl_set_ecdh_curve: unable to create curve "
SSL_ECDH_CURVE);
}
SSL_CTX_set_tmp_ecdh(ctx, ecdh);
SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);
EC_KEY_free(ecdh);
}示例6: tls_ctx_set_options
void
tls_ctx_set_options (struct tls_root_ctx *ctx, unsigned int ssl_flags)
{
ASSERT(NULL != ctx);
SSL_CTX_set_session_cache_mode (ctx->ctx, SSL_SESS_CACHE_OFF);
SSL_CTX_set_options (ctx->ctx, SSL_OP_SINGLE_DH_USE);
SSL_CTX_set_default_passwd_cb (ctx->ctx, pem_password_callback);
/* Require peer certificate verification */
#if P2MP_SERVER
if (ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED)
{
msg (M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION "
"--client-cert-not-required may accept clients which do not present "
"a certificate");
}
else
#endif
SSL_CTX_set_verify (ctx->ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
verify_callback);
SSL_CTX_set_info_callback (ctx->ctx, info_callback);
}示例7: init_openssl
static void
init_openssl(struct module *module)
{
unsigned char f_randfile[PATH_MAX];
/* In a nutshell, on OS's without a /dev/urandom, the OpenSSL library
* cannot initialize the PRNG and so every attempt to use SSL fails.
* It's actually an OpenSSL FAQ, and according to them, it's up to the
* application coders to seed the RNG. -- William Yodlowsky */
if (RAND_egd(RAND_file_name(f_randfile, sizeof(f_randfile))) < 0) {
/* Not an EGD, so read and write to it */
if (RAND_load_file(f_randfile, -1))
RAND_write_file(f_randfile);
}
SSLeay_add_ssl_algorithms();
context = SSL_CTX_new(SSLv23_client_method());
SSL_CTX_set_options(context, SSL_OP_ALL);
SSL_CTX_set_default_verify_paths(context);
socket_SSL_ex_data_idx = SSL_get_ex_new_index(0, NULL,
NULL,
socket_SSL_ex_data_dup,
NULL);
}示例8: PEM_read_bio_DHparams
int SSLContext::initDH( const char * pFile )
{
DH *pDH = NULL;
if ( pFile )
{
BIO *bio;
if ((bio = BIO_new_file(pFile, "r")) != NULL)
{
pDH = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
BIO_free(bio);
}
}
if ( !pDH )
{
pDH = getTmpDhParam();
if ( !pDH )
return -1;
}
SSL_CTX_set_tmp_dh( m_pCtx, pDH );
if ( pDH != s_pDH1024 )
DH_free( pDH );
SSL_CTX_set_options( m_pCtx, SSL_OP_SINGLE_DH_USE);
return 0;
}示例9: lws_context_ssl_init_ecdh_curve
static int
lws_context_ssl_init_ecdh_curve(struct lws_context_creation_info *info,
struct lws_vhost *vhost)
{
#if defined(LWS_HAVE_OPENSSL_ECDH_H) && !defined(LWS_WITH_MBEDTLS)
EC_KEY *ecdh;
int ecdh_nid;
const char *ecdh_curve = "prime256v1";
if (info->ecdh_curve)
ecdh_curve = info->ecdh_curve;
ecdh_nid = OBJ_sn2nid(ecdh_curve);
if (NID_undef == ecdh_nid) {
lwsl_err("SSL: Unknown curve name '%s'", ecdh_curve);
return 1;
}
ecdh = EC_KEY_new_by_curve_name(ecdh_nid);
if (NULL == ecdh) {
lwsl_err("SSL: Unable to create curve '%s'", ecdh_curve);
return 1;
}
SSL_CTX_set_tmp_ecdh(vhost->ssl_ctx, ecdh);
EC_KEY_free(ecdh);
SSL_CTX_set_options(vhost->ssl_ctx, SSL_OP_SINGLE_ECDH_USE);
lwsl_notice(" SSL ECDH curve '%s'\n", ecdh_curve);
#else
#if !defined(LWS_WITH_MBEDTLS)
lwsl_notice(" OpenSSL doesn't support ECDH\n");
#endif
#endif
return 0;
}示例10: pthread_self
Node::Node(int recvLength, int prePadding, int postPadding, bool useDefaultLoop) {
nodeData = new NodeData;
nodeData->recvBufferMemoryBlock = new char[recvLength];
nodeData->recvBuffer = nodeData->recvBufferMemoryBlock + prePadding;
nodeData->recvLength = recvLength - prePadding - postPadding;
nodeData->tid = pthread_self();
loop = Loop::createLoop(useDefaultLoop);
// each node has a context
nodeData->netContext = new Context();
nodeData->loop = loop;
nodeData->asyncMutex = &asyncMutex;
int indices = NodeData::getMemoryBlockIndex(NodeData::preAllocMaxSize) + 1;
nodeData->preAlloc = new char*[indices];
for (int i = 0; i < indices; i++) {
nodeData->preAlloc[i] = nullptr;
}
nodeData->clientContext = SSL_CTX_new(SSLv23_client_method());
SSL_CTX_set_options(nodeData->clientContext, SSL_OP_NO_SSLv3);
}示例11: SSL_library_init
void
SecureSocket::initContext(bool server)
{
SSL_library_init();
const SSL_METHOD* method;
// load & register all cryptos, etc.
OpenSSL_add_all_algorithms();
// load all error messages
SSL_load_error_strings();
if (CLOG->getFilter() >= kINFO) {
showSecureLibInfo();
}
// SSLv23_method uses TLSv1, with the ability to fall back to SSLv3
if (server) {
method = SSLv23_server_method();
}
else {
method = SSLv23_client_method();
}
// create new context from method
SSL_METHOD* m = const_cast<SSL_METHOD*>(method);
m_ssl->m_context = SSL_CTX_new(m);
// drop SSLv3 support
SSL_CTX_set_options(m_ssl->m_context, SSL_OP_NO_SSLv3);
if (m_ssl->m_context == NULL) {
showError();
}
}示例12: tls_init_options
static void tls_init_options(void)
{
static int passes;
# ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
SSL_CTX_set_options(tls_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
# endif
# ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
SSL_CTX_set_options(tls_ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
# endif
SSL_CTX_set_options(tls_ctx, SSL_OP_NO_SSLv2);
SSL_CTX_set_options(tls_ctx, SSL_OP_NO_SSLv3);
# ifdef SSL_OP_NO_TLSv1
SSL_CTX_set_options(tls_ctx, SSL_OP_NO_TLSv1);
# endif
# ifdef SSL_OP_NO_TLSv1_1
SSL_CTX_set_options(tls_ctx, SSL_OP_NO_TLSv1_1);
# endif
# ifdef SSL_OP_NO_TLSv1_2
SSL_CTX_clear_options(tls_ctx, SSL_OP_NO_TLSv1_2);
# endif
# ifdef SSL_OP_NO_TLSv1_3
SSL_CTX_clear_options(tls_ctx, SSL_OP_NO_TLSv1_3);
# endif
if (tlsciphersuite != NULL) {
if (SSL_CTX_set_cipher_list(tls_ctx, tlsciphersuite) != 1) {
logfile(LOG_ERR, MSG_TLS_CIPHER_FAILED, tlsciphersuite);
_EXIT(EXIT_FAILURE);
}
}
SSL_CTX_set_info_callback(tls_ctx, ssl_info_cb);
if (passes == 0) {
SSL_CTX_set_tlsext_servername_callback(tls_ctx, ssl_servername_cb);
passes++;
}
SSL_CTX_set_verify_depth(tls_ctx, MAX_CERTIFICATE_DEPTH);
}示例13: context_init
int context_init(SERVICE_OPTIONS *section) { /* init SSL context */
/* create SSL context */
if(section->option.client)
section->ctx=SSL_CTX_new(section->client_method);
else /* server mode */
section->ctx=SSL_CTX_new(section->server_method);
if(!section->ctx) {
sslerror("SSL_CTX_new");
return 1; /* FAILED */
}
SSL_CTX_set_ex_data(section->ctx, index_opt, section); /* for callbacks */
/* load certificate and private key to be verified by the peer server */
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_VERSION_NUMBER>=0x0090809fL
/* SSL_CTX_set_client_cert_engine() was introduced in OpenSSL 0.9.8i */
if(section->option.client && section->engine) {
if(SSL_CTX_set_client_cert_engine(section->ctx, section->engine))
s_log(LOG_INFO, "Client certificate engine (%s) enabled",
ENGINE_get_id(section->engine));
else /* no client certificate functionality in this engine */
sslerror("SSL_CTX_set_client_cert_engine"); /* ignore error */
}
#endif
if(auth_init(section))
return 1; /* FAILED */
/* initialize verification of the peer server certificate */
if(verify_init(section))
return 1; /* FAILED */
/* initialize DH/ECDH server mode */
if(!section->option.client) {
#ifndef OPENSSL_NO_TLSEXT
SSL_CTX_set_tlsext_servername_arg(section->ctx, section);
SSL_CTX_set_tlsext_servername_callback(section->ctx, servername_cb);
#endif /* OPENSSL_NO_TLSEXT */
#ifndef OPENSSL_NO_DH
dh_init(section); /* ignore the result (errors are not critical) */
#endif /* OPENSSL_NO_DH */
#ifndef OPENSSL_NO_ECDH
ecdh_init(section); /* ignore the result (errors are not critical) */
#endif /* OPENSSL_NO_ECDH */
}
/* setup session cache */
if(!section->option.client) {
unsigned servname_len=(unsigned)strlen(section->servname);
if(servname_len>SSL_MAX_SSL_SESSION_ID_LENGTH)
servname_len=SSL_MAX_SSL_SESSION_ID_LENGTH;
if(!SSL_CTX_set_session_id_context(section->ctx,
(unsigned char *)section->servname, servname_len)) {
sslerror("SSL_CTX_set_session_id_context");
return 1; /* FAILED */
}
}
#ifdef SSL_SESS_CACHE_NO_INTERNAL_STORE
/* the default cache mode is just SSL_SESS_CACHE_SERVER */
SSL_CTX_set_session_cache_mode(section->ctx,
SSL_SESS_CACHE_SERVER|SSL_SESS_CACHE_NO_INTERNAL_STORE);
#endif
SSL_CTX_sess_set_cache_size(section->ctx, section->session_size);
SSL_CTX_set_timeout(section->ctx, section->session_timeout);
SSL_CTX_sess_set_new_cb(section->ctx, sess_new_cb);
SSL_CTX_sess_set_get_cb(section->ctx, sess_get_cb);
SSL_CTX_sess_set_remove_cb(section->ctx, sess_remove_cb);
/* set info callback */
SSL_CTX_set_info_callback(section->ctx, info_callback);
/* ciphers, options, mode */
if(section->cipher_list)
if(!SSL_CTX_set_cipher_list(section->ctx, section->cipher_list)) {
sslerror("SSL_CTX_set_cipher_list");
return 1; /* FAILED */
}
SSL_CTX_set_options(section->ctx,
(SSL_OPTIONS_TYPE)(section->ssl_options_set));
#if OPENSSL_VERSION_NUMBER>=0x009080dfL
SSL_CTX_clear_options(section->ctx,
(SSL_OPTIONS_TYPE)(section->ssl_options_clear));
s_log(LOG_DEBUG, "SSL options: 0x%08lX (+0x%08lX, -0x%08lX)",
SSL_CTX_get_options(section->ctx),
section->ssl_options_set, section->ssl_options_clear);
#else /* OpenSSL older than 0.9.8m */
s_log(LOG_DEBUG, "SSL options: 0x%08lX (+0x%08lX)",
SSL_CTX_get_options(section->ctx),
section->ssl_options_set);
#endif /* OpenSSL 0.9.8m or later */
/* initialize OpenSSL CONF options */
if(conf_init(section))
return 1; /* FAILED */
#ifdef SSL_MODE_RELEASE_BUFFERS
SSL_CTX_set_mode(section->ctx,
SSL_MODE_ENABLE_PARTIAL_WRITE |
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
SSL_MODE_RELEASE_BUFFERS);
#else
SSL_CTX_set_mode(section->ctx,
//.........这里部分代码省略.........
示例14: mprError
//.........这里部分代码省略.........
mprLog(4, "SSL: %s: Using ciphers %s\n", hostName, ciphers);
SSL_CTX_set_cipher_list(context, ciphers);
//
// Configure the client verification certificate locations
//
if (verifyClient) {
if (caFile == 0 && caPath == 0) {
mprError(MPR_L, MPR_LOG,
"OpenSSL: Must define CA certificates if using client verification");
SSL_CTX_free(context);
context = 0;
return MPR_ERR_BAD_STATE;
}
if (caFile || caPath) {
if ((!SSL_CTX_load_verify_locations(context, caFile, caPath)) ||
(!SSL_CTX_set_default_verify_paths(context))) {
mprError(MPR_L, MPR_LOG,
"OpenSSL: Unable to set certificate locations");
SSL_CTX_free(context);
context = 0;
return MPR_ERR_CANT_ACCESS;
}
if (caFile) {
STACK_OF(X509_NAME) *certNames;
certNames = SSL_load_client_CA_file(caFile);
if (certNames == 0) {
} else {
//
// Define the list of CA certificates to send to the client
// before they send their client certificate for validation
//
SSL_CTX_set_client_CA_list(context, certNames);
}
}
}
mprLog(4, "SSL: %s: is verifying client connections\n", hostName);
if (caFile) {
mprLog(4, "SSL: %s: Using certificates from %s\n", hostName,
caFile);
} else if (caPath) {
mprLog(4, "SSL: %s: Using certificates from directory %s\n",
hostName, caPath);
}
SSL_CTX_set_verify(context, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verifyX509Certificate);
SSL_CTX_set_verify_depth(context, verifyDepth);
} else {
SSL_CTX_set_verify(context, SSL_VERIFY_NONE, verifyX509Certificate);
}
//
// Define callbacks
//
SSL_CTX_set_tmp_rsa_callback(context, rsaCallback);
SSL_CTX_set_tmp_dh_callback(context, dhCallback);
//
// Enable all buggy client work-arounds
//
SSL_CTX_set_options(context, SSL_OP_ALL);
#ifdef SSL_OP_NO_TICKET
SSL_CTX_set_options(context, SSL_OP_NO_TICKET);
#endif
#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
SSL_CTX_set_options(context, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
#endif
SSL_CTX_set_mode(context, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_AUTO_RETRY);
//
// Select the required protocols
//
SSL_CTX_set_options(context, SSL_OP_NO_SSLv2);
if (!(protocols & MPR_HTTP_PROTO_SSLV3)) {
SSL_CTX_set_options(context, SSL_OP_NO_SSLv3);
mprLog(4, "SSL: %s: Disabling SSLv3\n", hostName);
}
if (!(protocols & MPR_HTTP_PROTO_TLSV1)) {
SSL_CTX_set_options(context, SSL_OP_NO_TLSv1);
mprLog(4, "SSL: %s: Disabling TLSv1\n", hostName);
}
//
// Ensure we generate a new private key for each connection
//
SSL_CTX_set_options(context, SSL_OP_SINGLE_DH_USE);
//
// Pre-generate some keys that are slow to compute
//
rsaKey512 = RSA_generate_key(512, RSA_F4, 0, 0);
rsaKey1024 = RSA_generate_key(1024, RSA_F4, 0, 0);
dhKey512 = get_dh512();
dhKey1024 = get_dh1024();
return 0;
}示例15: openconnect_open_https
int openconnect_open_https(struct openconnect_info *vpninfo)
{
method_const SSL_METHOD *ssl3_method;
SSL *https_ssl;
BIO *https_bio;
int ssl_sock;
int err;
if (vpninfo->https_ssl)
return 0;
if (vpninfo->peer_cert) {
X509_free(vpninfo->peer_cert);
vpninfo->peer_cert = NULL;
}
ssl_sock = connect_https_socket(vpninfo);
if (ssl_sock < 0)
return ssl_sock;
ssl3_method = TLSv1_client_method();
if (!vpninfo->https_ctx) {
vpninfo->https_ctx = SSL_CTX_new(ssl3_method);
/* Some servers (or their firewalls) really don't like seeing
extensions. */
#ifdef SSL_OP_NO_TICKET
SSL_CTX_set_options(vpninfo->https_ctx, SSL_OP_NO_TICKET);
#endif
if (vpninfo->cert) {
err = load_certificate(vpninfo);
if (err) {
vpn_progress(vpninfo, PRG_ERR,
_("Loading certificate failed. Aborting.\n"));
SSL_CTX_free(vpninfo->https_ctx);
vpninfo->https_ctx = NULL;
close(ssl_sock);
return err;
}
check_certificate_expiry(vpninfo);
}
/* We just want to do:
SSL_CTX_set_purpose(vpninfo->https_ctx, X509_PURPOSE_ANY);
... but it doesn't work with OpenSSL < 0.9.8k because of
problems with inheritance (fixed in v1.1.4.6 of
crypto/x509/x509_vpm.c) so we have to play silly buggers
instead. This trick doesn't work _either_ in < 0.9.7 but
I don't know of _any_ workaround which will, and can't
be bothered to find out either. */
#if OPENSSL_VERSION_NUMBER >= 0x00908000
SSL_CTX_set_cert_verify_callback(vpninfo->https_ctx,
ssl_app_verify_callback, NULL);
#endif
SSL_CTX_set_default_verify_paths(vpninfo->https_ctx);
#ifdef ANDROID_KEYSTORE
if (vpninfo->cafile && !strncmp(vpninfo->cafile, "keystore:", 9)) {
STACK_OF(X509_INFO) *stack;
X509_STORE *store;
X509_INFO *info;
BIO *b = BIO_from_keystore(vpninfo, vpninfo->cafile);
if (!b) {
SSL_CTX_free(vpninfo->https_ctx);
vpninfo->https_ctx = NULL;
close(ssl_sock);
return -EINVAL;
}
stack = PEM_X509_INFO_read_bio(b, NULL, NULL, NULL);
BIO_free(b);
if (!stack) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to read certs from CA file '%s'\n"),
vpninfo->cafile);
openconnect_report_ssl_errors(vpninfo);
SSL_CTX_free(vpninfo->https_ctx);
vpninfo->https_ctx = NULL;
close(ssl_sock);
return -ENOENT;
}
store = SSL_CTX_get_cert_store(vpninfo->https_ctx);
while ((info = sk_X509_INFO_pop(stack))) {
if (info->x509)
X509_STORE_add_cert(store, info->x509);
if (info->crl)
X509_STORE_add_crl(store, info->crl);
X509_INFO_free(info);
}
sk_X509_INFO_free(stack);
} else
#endif
if (vpninfo->cafile) {
if (!SSL_CTX_load_verify_locations(vpninfo->https_ctx, vpninfo->cafile, NULL)) {
vpn_progress(vpninfo, PRG_ERR,
//.........这里部分代码省略.........