本文整理汇总了C++中SSL_CTX_set_verify函数的典型用法代码示例。如果您正苦于以下问题:C++ SSL_CTX_set_verify函数的具体用法?C++ SSL_CTX_set_verify怎么用?C++ SSL_CTX_set_verify使用的例子?那么, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了SSL_CTX_set_verify函数的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的C++代码示例。
示例1: _usage
SSLContext::SSLContext(
Usage usage,
const std::string& privateKeyFile,
const std::string& certificateFile,
const std::string& caLocation,
VerificationMode verificationMode,
int verificationDepth,
bool loadDefaultCAs,
const std::string& cipherList):
_usage(usage),
_mode(verificationMode),
_sslContext(0),
_extendedVerificationErrorDetails(true)
{
crypto::initializeEngine();
createSSLContext();
int errCode = 0;
if (!caLocation.empty())
{
if (fs::isdir(caLocation))
errCode = SSL_CTX_load_verify_locations(_sslContext, 0, fs::transcode(caLocation).c_str());
else
errCode = SSL_CTX_load_verify_locations(_sslContext, fs::transcode(caLocation).c_str(), 0);
if (errCode != 1)
{
std::string msg = getLastError();
SSL_CTX_free(_sslContext);
throw std::runtime_error(std::string("SSL Error: Cannot load CA file/directory at ") + caLocation + ": " + msg);
}
}
if (loadDefaultCAs)
{
errCode = SSL_CTX_set_default_verify_paths(_sslContext);
if (errCode != 1)
{
std::string msg = getLastError();
SSL_CTX_free(_sslContext);
throw std::runtime_error("SSL Error: Cannot load default CA certificates: " + msg);
}
}
if (!privateKeyFile.empty())
{
errCode = SSL_CTX_use_PrivateKey_file(_sslContext, fs::transcode(privateKeyFile).c_str(), SSL_FILETYPE_PEM);
if (errCode != 1)
{
std::string msg = getLastError();
SSL_CTX_free(_sslContext);
throw std::runtime_error(std::string("SSL Error: Error loading private key from file ") + privateKeyFile + ": " + msg);
}
}
if (!certificateFile.empty())
{
errCode = SSL_CTX_use_certificate_chain_file(_sslContext, fs::transcode(certificateFile).c_str());
if (errCode != 1)
{
std::string errMsg = getLastError();
SSL_CTX_free(_sslContext);
throw std::runtime_error(std::string("SSL Error: Error loading certificate from file ") + certificateFile + ": " + errMsg); //, errMsg);
}
}
if (isForServerUse())
SSL_CTX_set_verify(_sslContext, verificationMode, &SSLManager::verifyServerCallback);
else
SSL_CTX_set_verify(_sslContext, verificationMode, &SSLManager::verifyClientCallback);
SSL_CTX_set_cipher_list(_sslContext, cipherList.c_str());
SSL_CTX_set_verify_depth(_sslContext, verificationDepth);
SSL_CTX_set_mode(_sslContext, SSL_MODE_AUTO_RETRY);
SSL_CTX_set_session_cache_mode(_sslContext, SSL_SESS_CACHE_OFF);
}示例2: _mosquitto_socket_connect
/* Create a socket and connect it to 'ip' on port 'port'.
* Returns -1 on failure (ip is NULL, socket creation/connection error)
* Returns sock number on success.
*/
int _mosquitto_socket_connect(struct mosquitto *mosq, const char *host, uint16_t port, const char *bind_address, bool blocking)
{
mosq_sock_t sock = INVALID_SOCKET;
int rc;
#ifdef WITH_TLS
int ret;
BIO *bio;
#endif
if(!mosq || !host || !port) return MOSQ_ERR_INVAL;
rc = _mosquitto_try_connect(mosq, host, port, &sock, bind_address, blocking);
if(rc > 0) return rc;
#ifdef WITH_TLS
if(mosq->tls_cafile || mosq->tls_capath || mosq->tls_psk){
#if OPENSSL_VERSION_NUMBER >= 0x10001000L
if(!mosq->tls_version || !strcmp(mosq->tls_version, "tlsv1.2")){
mosq->ssl_ctx = SSL_CTX_new(TLSv1_2_client_method());
}else if(!strcmp(mosq->tls_version, "tlsv1.1")){
mosq->ssl_ctx = SSL_CTX_new(TLSv1_1_client_method());
}else if(!strcmp(mosq->tls_version, "tlsv1")){
mosq->ssl_ctx = SSL_CTX_new(TLSv1_client_method());
}else{
_mosquitto_log_printf(mosq, MOSQ_LOG_ERR, "Error: Protocol %s not supported.", mosq->tls_version);
COMPAT_CLOSE(sock);
return MOSQ_ERR_INVAL;
}
#else
if(!mosq->tls_version || !strcmp(mosq->tls_version, "tlsv1")){
mosq->ssl_ctx = SSL_CTX_new(TLSv1_client_method());
}else{
_mosquitto_log_printf(mosq, MOSQ_LOG_ERR, "Error: Protocol %s not supported.", mosq->tls_version);
COMPAT_CLOSE(sock);
return MOSQ_ERR_INVAL;
}
#endif
if(!mosq->ssl_ctx){
_mosquitto_log_printf(mosq, MOSQ_LOG_ERR, "Error: Unable to create TLS context.");
COMPAT_CLOSE(sock);
return MOSQ_ERR_TLS;
}
#if OPENSSL_VERSION_NUMBER >= 0x10000000
/* Disable compression */
SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_COMPRESSION);
#endif
#ifdef SSL_MODE_RELEASE_BUFFERS
/* Use even less memory per SSL connection. */
SSL_CTX_set_mode(mosq->ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
#endif
if(mosq->tls_ciphers){
ret = SSL_CTX_set_cipher_list(mosq->ssl_ctx, mosq->tls_ciphers);
if(ret == 0){
_mosquitto_log_printf(mosq, MOSQ_LOG_ERR, "Error: Unable to set TLS ciphers. Check cipher list \"%s\".", mosq->tls_ciphers);
COMPAT_CLOSE(sock);
return MOSQ_ERR_TLS;
}
}
if(mosq->tls_cafile || mosq->tls_capath){
ret = SSL_CTX_load_verify_locations(mosq->ssl_ctx, mosq->tls_cafile, mosq->tls_capath);
if(ret == 0){
#ifdef WITH_BROKER
if(mosq->tls_cafile && mosq->tls_capath){
_mosquitto_log_printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check bridge_cafile \"%s\" and bridge_capath \"%s\".", mosq->tls_cafile, mosq->tls_capath);
}else if(mosq->tls_cafile){
_mosquitto_log_printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check bridge_cafile \"%s\".", mosq->tls_cafile);
}else{
_mosquitto_log_printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check bridge_capath \"%s\".", mosq->tls_capath);
}
#else
if(mosq->tls_cafile && mosq->tls_capath){
_mosquitto_log_printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check cafile \"%s\" and capath \"%s\".", mosq->tls_cafile, mosq->tls_capath);
}else if(mosq->tls_cafile){
_mosquitto_log_printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check cafile \"%s\".", mosq->tls_cafile);
}else{
_mosquitto_log_printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check capath \"%s\".", mosq->tls_capath);
}
#endif
COMPAT_CLOSE(sock);
return MOSQ_ERR_TLS;
}
if(mosq->tls_cert_reqs == 0){
SSL_CTX_set_verify(mosq->ssl_ctx, SSL_VERIFY_NONE, NULL);
}else{
SSL_CTX_set_verify(mosq->ssl_ctx, SSL_VERIFY_PEER, _mosquitto_server_certificate_verify);
}
if(mosq->tls_pw_callback){
SSL_CTX_set_default_passwd_cb(mosq->ssl_ctx, mosq->tls_pw_callback);
SSL_CTX_set_default_passwd_cb_userdata(mosq->ssl_ctx, mosq);
}
if(mosq->tls_certfile){
ret = SSL_CTX_use_certificate_chain_file(mosq->ssl_ctx, mosq->tls_certfile);
//.........这里部分代码省略.........
示例3: printf
int CSSLClient::SSLConnect(SWL_socket_t sockfd, bool bVerifyPeer, const char *pHost, const char *pCertFile, \
const char *pPriteKeyFile, const char *pCAPath, const char *pCAFile, const char *pPassWd)
{
s_Lock.Lock();
if (!s_bHasInitial)
{
printf("ssl not initial\n");
s_Lock.UnLock();
return -1;
}
s_Lock.UnLock();
if (pCertFile!=NULL && pPriteKeyFile!=NULL)
{
if (pCAPath)
{
if(SSL_CTX_load_verify_locations(s_SSLCTX, pCAFile, NULL) <= 0)
{
printf("Failed to set CA location...\n");
return -1;
}
}
if (SSL_CTX_use_certificate_file(s_SSLCTX, pCertFile, SSL_FILETYPE_PEM) <= 0)
{
printf("%s %s %d failed\n", __FILE__, __FUNCTION__, __LINE__);
int errNum = ERR_get_error();
printf("%s:%s:%d, ssl connect error:%s\n", __FUNCTION__, __FILE__, __LINE__, ERR_reason_error_string(errNum));
printf("%s:%s:%d, error function=%s\n", __FUNCTION__, __FILE__, __LINE__, ERR_func_error_string(errNum));
return -1;
}
if (pPassWd)
{
SSL_CTX_set_default_passwd_cb_userdata(s_SSLCTX, (void*)pPassWd);
}
if (SSL_CTX_use_PrivateKey_file(s_SSLCTX, pPriteKeyFile, SSL_FILETYPE_PEM) <= 0)
{
printf("%s %s %d failed\n", __FILE__, __FUNCTION__, __LINE__);
int errNum = ERR_get_error();
printf("%s:%s:%d, ssl connect error:%s\n", __FUNCTION__, __FILE__, __LINE__, ERR_reason_error_string(errNum));
printf("%s:%s:%d, error function=%s\n", __FUNCTION__, __FILE__, __LINE__, ERR_func_error_string(errNum));
return -1;
}
if (!SSL_CTX_check_private_key(s_SSLCTX))
{
printf("%s %s %d failed\n", __FILE__, __FUNCTION__, __LINE__);
int errNum = ERR_get_error();
printf("%s:%s:%d, ssl connect error:%s\n", __FUNCTION__, __FILE__, __LINE__, ERR_reason_error_string(errNum));
printf("%s:%s:%d, error function=%s\n", __FUNCTION__, __FILE__, __LINE__, ERR_func_error_string(errNum));
return -1;
}
}
if (NULL == m_pSSL)
{
if (bVerifyPeer)
{
SSL_CTX_set_verify(s_SSLCTX, SSL_VERIFY_PEER, VerifyCallBack);
}
m_pSSL = SSL_new(s_SSLCTX);
if (NULL == m_pSSL)
{
printf("ssl new err\n");
return -1;
}
}
if (1 != SSL_set_fd(m_pSSL, sockfd))
{
int errNum = ERR_get_error();
printf("%s:%s:%d, ssl connect error:%s\n", __FUNCTION__, __FILE__, __LINE__, ERR_reason_error_string(errNum));
printf("%s:%s:%d, error function=%s\n", __FUNCTION__, __FILE__, __LINE__, ERR_func_error_string(errNum));
return -1;
}
SSL_set_connect_state(m_pSSL);
unsigned long reTry = 0;
int ret = 0, err = 0;
while(reTry++ < SSL_SOCKET_CONNECT_RETRIES)
{
if((ret = SSL_connect(m_pSSL)) == 1)
{
break;
}
err = SSL_get_error(m_pSSL, ret);
if(SSL_ERROR_WANT_CONNECT == err || SSL_ERROR_WANT_READ == err || SSL_ERROR_WANT_WRITE == err)
{
PUB_Sleep(10); // wait a while
}
else
{
printf("SSL_connect Err : %d\n", err);
int errNum = ERR_get_error();
printf("%s:%s:%d, ssl connect error:%s\n", __FUNCTION__, __FILE__, __LINE__, ERR_reason_error_string(errNum));
printf("%s:%s:%d, error function=%s\n", __FUNCTION__, __FILE__, __LINE__, ERR_func_error_string(errNum));
FreeRsource();
return -1;
}
}
if (reTry >= SSL_SOCKET_CONNECT_RETRIES)
//.........这里部分代码省略.........
示例4: tls_init
//.........这里部分代码省略.........
}
/*
* Initialize with DH parameters if supplied
*/
if (srv->dhFile) {
if (init_dh(ctx, (unsigned char *) srv->dhFile) == FALSE) {
LOG(SPOCP_ERR) traceLog(LOG_ERR,"Error initializing DH");
SSL_CTX_free(ctx);
return 0;
} else
LOG(SPOCP_ERR) traceLog(LOG_ERR,"Initializing DH OK");
}
/*
* and a RSA key too
*/
if (generate_eph_rsa_key(ctx, 512) == FALSE) {
LOG(SPOCP_ERR) traceLog(LOG_ERR,"Error initializing RSA key");
SSL_CTX_free(ctx);
return 0;
} else
LOG(SPOCP_ERR) traceLog(LOG_ERR,"Initializing RSA key OK");
/*
* Set up certificates and keys
*/
if (srv->certificateFile != NULL) {
LOG(SPOCP_INFO) traceLog(LOG_INFO,"Reading Certificate File");
if (!SSL_CTX_use_certificate_chain_file
(ctx, srv->certificateFile)) {
LOG(SPOCP_ERR)
traceLog(LOG_ERR,"Error in SSL_CTX_use_certificate_file");
SSL_CTX_free(ctx);
return 0;
}
}
if (srv->privateKey != NULL) {
if (srv->passwd) {
SSL_CTX_set_default_passwd_cb_userdata(ctx,
(void *) srv->
passwd);
SSL_CTX_set_default_passwd_cb(ctx, password_cb);
}
LOG(SPOCP_INFO) traceLog(LOG_INFO,"Reading Private Key File");
r = SSL_CTX_use_PrivateKey_file(ctx, srv->privateKey,
SSL_FILETYPE_PEM);
if (r == 0) {
e = ERR_get_error();
ERR_error_string_n(e, errorstr, 1024);
LOG(SPOCP_ERR)
traceLog(LOG_ERR,"Error in SSL_CTX_use_PrivateKey_file");
LOG(SPOCP_ERR) traceLog(LOG_ERR,"%s", errorstr);
SSL_CTX_free(ctx);
return 0;
}
}
if (srv->caList != NULL) {
LOG(SPOCP_INFO) traceLog(LOG_INFO,"Reading Trusted CAs File");
if (!SSL_CTX_load_verify_locations(ctx, srv->caList, 0)) {
LOG(SPOCP_ERR)
traceLog(LOG_ERR,"Error in SSL_CTX_load_verify_locations");
SSL_CTX_free(ctx);
return 0;
}
}
if (srv->clientcert == NONE)
SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, verify_callback_ok);
else {
int i = SSL_VERIFY_PEER;
if (srv->clientcert == HARD)
i |= SSL_VERIFY_CLIENT_ONCE;
SSL_CTX_set_verify(ctx, i, verify_callback);
}
SSL_CTX_set_verify_depth(ctx, srv->sslverifydepth);
SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
if (SSL_CTX_set_cipher_list(ctx, CIPHER_LIST) != 1) {
LOG(SPOCP_ERR) traceLog(LOG_ERR,"No valid ciphers in cipherlist");
SSL_CTX_free(ctx);
return 0;
}
LOG(SPOCP_DEBUG) traceLog(LOG_DEBUG,"Initialised TLS");
return ctx;
}示例5: server_test
//.........这里部分代码省略.........
if (sendPskIdentityHint == 1)
SSL_CTX_use_psk_identity_hint(ctx, "cyassl server");
if (cipherList == NULL && !usePskPlus) {
const char *defaultCipherList;
#if defined(HAVE_AESGCM) && !defined(NO_DH)
defaultCipherList = "DHE-PSK-AES128-GCM-SHA256";
needDH = 1;
#elif defined(HAVE_NULL_CIPHER)
defaultCipherList = "PSK-NULL-SHA256";
#else
defaultCipherList = "PSK-AES128-CBC-SHA256";
#endif
if (SSL_CTX_set_cipher_list(ctx, defaultCipherList) != SSL_SUCCESS)
err_sys("server can't set cipher list 2");
}
#endif
}
if (useAnon) {
#ifdef HAVE_ANON
CyaSSL_CTX_allow_anon_cipher(ctx);
if (cipherList == NULL) {
if (SSL_CTX_set_cipher_list(ctx, "ADH-AES128-SHA") != SSL_SUCCESS)
err_sys("server can't set cipher list 4");
}
#endif
}
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS)
/* if not using PSK, verify peer with certs
if using PSK Plus then verify peer certs except PSK suites */
if (doCliCertCheck && (usePsk == 0 || usePskPlus) && useAnon == 0) {
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER |
((usePskPlus)? SSL_VERIFY_FAIL_EXCEPT_PSK :
SSL_VERIFY_FAIL_IF_NO_PEER_CERT),0);
if (SSL_CTX_load_verify_locations(ctx, verifyCert, 0) != SSL_SUCCESS)
err_sys("can't load ca file, Please run from wolfSSL home dir");
#ifdef WOLFSSL_TRUST_PEER_CERT
if (trustCert) {
if ((ret = wolfSSL_CTX_trust_peer_cert(ctx, trustCert,
SSL_FILETYPE_PEM)) != SSL_SUCCESS) {
err_sys("can't load trusted peer cert file");
}
}
#endif /* WOLFSSL_TRUST_PEER_CERT */
}
#endif
#if defined(CYASSL_SNIFFER)
/* don't use EDH, can't sniff tmp keys */
if (cipherList == NULL) {
if (SSL_CTX_set_cipher_list(ctx, "AES128-SHA") != SSL_SUCCESS)
err_sys("server can't set cipher list 3");
}
#endif
#ifdef HAVE_SNI
if (sniHostName)
if (CyaSSL_CTX_UseSNI(ctx, CYASSL_SNI_HOST_NAME, sniHostName,
XSTRLEN(sniHostName)) != SSL_SUCCESS)
err_sys("UseSNI failed");
#endif
#ifdef USE_WINDOWS_API
if (port == 0) {示例6: server_test
//.........这里部分代码省略.........
"Please run from CyaSSL home dir");
}
#endif
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS)
if (!useNtruKey && !usePsk) {
if (SSL_CTX_use_PrivateKey_file(ctx, ourKey, SSL_FILETYPE_PEM)
!= SSL_SUCCESS)
err_sys("can't load server cert file, check file and run from"
" CyaSSL home dir");
}
#endif
if (usePsk) {
#ifndef NO_PSK
SSL_CTX_set_psk_server_callback(ctx, my_psk_server_cb);
SSL_CTX_use_psk_identity_hint(ctx, "cyassl server");
if (cipherList == NULL) {
const char *defaultCipherList;
#ifdef HAVE_NULL_CIPHER
defaultCipherList = "PSK-NULL-SHA256";
#else
defaultCipherList = "PSK-AES128-CBC-SHA256";
#endif
if (SSL_CTX_set_cipher_list(ctx, defaultCipherList) != SSL_SUCCESS)
err_sys("server can't set cipher list 2");
}
#endif
}
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS)
/* if not using PSK, verify peer with certs */
if (doCliCertCheck && usePsk == 0) {
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT,0);
if (SSL_CTX_load_verify_locations(ctx, verifyCert, 0) != SSL_SUCCESS)
err_sys("can't load ca file, Please run from CyaSSL home dir");
}
#endif
#ifdef OPENSSL_EXTRA
SSL_CTX_set_default_passwd_cb(ctx, PasswordCallBack);
#endif
#if defined(CYASSL_SNIFFER) && !defined(HAVE_NTRU) && !defined(HAVE_ECC)
/* don't use EDH, can't sniff tmp keys */
if (cipherList == NULL) {
if (SSL_CTX_set_cipher_list(ctx, "AES256-SHA256") != SSL_SUCCESS)
err_sys("server can't set cipher list 3");
}
#endif
#ifdef HAVE_SNI
if (sniHostName) {
if (CyaSSL_CTX_UseSNI(ctx, CYASSL_SNI_HOST_NAME, sniHostName,
XSTRLEN(sniHostName)) != SSL_SUCCESS)
err_sys("UseSNI failed");
else
CyaSSL_CTX_SNI_SetOptions(ctx, CYASSL_SNI_HOST_NAME,
CYASSL_SNI_ABORT_ON_MISMATCH);
}
#endif
ssl = SSL_new(ctx);
if (ssl == NULL)
err_sys("unable to get SSL");示例7: cyassl_connect_step1
//.........这里部分代码省略.........
infof(data,
" CAfile: %s\n"
" CApath: %s\n",
SSL_CONN_CONFIG(CAfile) ? SSL_CONN_CONFIG(CAfile):
"none",
SSL_CONN_CONFIG(CApath) ? SSL_CONN_CONFIG(CApath):
"none");
}
/* Load the client certificate, and private key */
if(SSL_SET_OPTION(cert) && SSL_SET_OPTION(key)) {
int file_type = do_file_type(SSL_SET_OPTION(cert_type));
if(SSL_CTX_use_certificate_file(BACKEND->ctx, SSL_SET_OPTION(cert),
file_type) != 1) {
failf(data, "unable to use client certificate (no key or wrong pass"
" phrase?)");
return CURLE_SSL_CONNECT_ERROR;
}
file_type = do_file_type(SSL_SET_OPTION(key_type));
if(SSL_CTX_use_PrivateKey_file(BACKEND->ctx, SSL_SET_OPTION(key),
file_type) != 1) {
failf(data, "unable to set private key");
return CURLE_SSL_CONNECT_ERROR;
}
}
#endif /* !NO_FILESYSTEM */
/* SSL always tries to verify the peer, this only says whether it should
* fail to connect if the verification fails, or if it should continue
* anyway. In the latter case the result of the verification is checked with
* SSL_get_verify_result() below. */
SSL_CTX_set_verify(BACKEND->ctx,
SSL_CONN_CONFIG(verifypeer)?SSL_VERIFY_PEER:
SSL_VERIFY_NONE,
NULL);
#ifdef HAVE_SNI
if(sni) {
struct in_addr addr4;
#ifdef ENABLE_IPV6
struct in6_addr addr6;
#endif
const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
conn->host.name;
size_t hostname_len = strlen(hostname);
if((hostname_len < USHRT_MAX) &&
(0 == Curl_inet_pton(AF_INET, hostname, &addr4)) &&
#ifdef ENABLE_IPV6
(0 == Curl_inet_pton(AF_INET6, hostname, &addr6)) &&
#endif
(CyaSSL_CTX_UseSNI(BACKEND->ctx, CYASSL_SNI_HOST_NAME, hostname,
(unsigned short)hostname_len) != 1)) {
infof(data, "WARNING: failed to configure server name indication (SNI) "
"TLS extension\n");
}
}
#endif
#ifdef HAVE_SUPPORTED_CURVES
/* CyaSSL/wolfSSL does not send the supported ECC curves ext automatically:
https://github.com/wolfSSL/wolfssl/issues/366
The supported curves below are those also supported by OpenSSL 1.0.2 and
in the same order. */
CyaSSL_CTX_UseSupportedCurve(BACKEND->ctx, 0x17); /* secp256r1 */示例8: OpenSSL_add_ssl_algorithms
static SSL_CTX *initialise_ssl_ctx(int server_mode, const char *engine_id,
const char *CAfile, const char *cert,
const char *key, const char *dcert,
const char *dkey, const char *cipher_list,
const char *dh_file,
const char *dh_special, int tmp_rsa,
int ctx_options, int out_state,
int out_verify, int verify_mode,
unsigned int verify_depth)
{
SSL_CTX *ctx = NULL, *ret = NULL;
const SSL_METHOD *meth;
ENGINE *e = NULL;
OpenSSL_add_ssl_algorithms();
SSL_load_error_strings();
meth = (server_mode ? SSLv23_server_method() : SSLv23_client_method());
if (meth == NULL)
goto err;
if (engine_id) {
ENGINE_load_builtin_engines();
if ((e = ENGINE_by_id(engine_id)) == NULL) {
fprintf(stderr, "Error obtaining '%s' engine, openssl "
"errors follow\n", engine_id);
goto err;
}
if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
fprintf(stderr, "Error assigning '%s' engine, openssl "
"errors follow\n", engine_id);
goto err;
}
ENGINE_free(e);
}
if ((ctx = SSL_CTX_new(meth)) == NULL)
goto err;
/* cacert */
if (CAfile) {
if (!X509_STORE_load_locations(SSL_CTX_get_cert_store(ctx),
CAfile, NULL)) {
fprintf(stderr, "Error loading CA cert(s) in '%s'\n", CAfile);
goto err;
}
fprintf(stderr, "Info, operating with CA cert(s) in '%s'\n", CAfile);
} else
fprintf(stderr, "Info, operating without a CA cert(-list)\n");
if (!SSL_CTX_set_default_verify_paths(ctx)) {
fprintf(stderr, "Error setting default verify paths\n");
goto err;
}
/* cert and key */
if ((cert || key) && !ctx_set_cert(ctx, cert, key))
goto err;
/* dcert and dkey */
if ((dcert || dkey) && !ctx_set_cert(ctx, dcert, dkey))
goto err;
/* temporary RSA key generation */
if (tmp_rsa)
SSL_CTX_set_tmp_rsa_callback(ctx, cb_generate_tmp_rsa);
/* cipher_list */
if (cipher_list) {
if (!SSL_CTX_set_cipher_list(ctx, cipher_list)) {
fprintf(stderr, "Error setting cipher list '%s'\n", cipher_list);
goto err;
}
fprintf(stderr, "Info, set cipher list '%s'\n", cipher_list);
} else
fprintf(stderr, "Info, operating with default cipher list\n");
/* dh_file & dh_special */
if ((dh_file || dh_special) && !ctx_set_dh(ctx, dh_file, dh_special))
goto err;
/* ctx_options */
SSL_CTX_set_options(ctx, ctx_options);
/* out_state (output of SSL handshake states to screen). */
if (out_state)
cb_ssl_info_set_output(stderr);
/* out_verify */
if (out_verify > 0) {
cb_ssl_verify_set_output(stderr);
cb_ssl_verify_set_level(out_verify);
}
/* verify_depth */
cb_ssl_verify_set_depth(verify_depth);
/* Success! (includes setting verify_mode) */
SSL_CTX_set_info_callback(ctx, cb_ssl_info);
SSL_CTX_set_verify(ctx, verify_mode, cb_ssl_verify);
ret = ctx;
err:
if (!ret) {
ERR_print_errors_fp(stderr);
if (ctx)
SSL_CTX_free(ctx);
//.........这里部分代码省略.........
示例9: SSLv23_method
LQ_EXTERN_C void* LQ_CALL LqConnSslCreate
(
const void* MethodSSL, /* Example SSLv23_method()*/
const char* CertFile, /* Example: "server.pem"*/
const char* KeyFile, /*Example: "server.key"*/
const char* CipherList,
int TypeCertFile, /*SSL_FILETYPE_ASN1 (The file is in abstract syntax notation 1 (ASN.1) format.) or SSL_FILETYPE_PEM (The file is in base64 privacy enhanced mail (PEM) format.)*/
const char* CAFile,
const char* DhpFile
) {
#ifdef HAVE_OPENSSL
static const unsigned char dh1024_p[] = {
0xB1,0x0B,0x8F,0x96,0xA0,0x80,0xE0,0x1D,0xDE,0x92,0xDE,0x5E,
0xAE,0x5D,0x54,0xEC,0x52,0xC9,0x9F,0xBC,0xFB,0x06,0xA3,0xC6,
0x9A,0x6A,0x9D,0xCA,0x52,0xD2,0x3B,0x61,0x60,0x73,0xE2,0x86,
0x75,0xA2,0x3D,0x18,0x98,0x38,0xEF,0x1E,0x2E,0xE6,0x52,0xC0,
0x13,0xEC,0xB4,0xAE,0xA9,0x06,0x11,0x23,0x24,0x97,0x5C,0x3C,
0xD4,0x9B,0x83,0xBF,0xAC,0xCB,0xDD,0x7D,0x90,0xC4,0xBD,0x70,
0x98,0x48,0x8E,0x9C,0x21,0x9A,0x73,0x72,0x4E,0xFF,0xD6,0xFA,
0xE5,0x64,0x47,0x38,0xFA,0xA3,0x1A,0x4F,0xF5,0x5B,0xCC,0xC0,
0xA1,0x51,0xAF,0x5F,0x0D,0xC8,0xB4,0xBD,0x45,0xBF,0x37,0xDF,
0x36,0x5C,0x1A,0x65,0xE6,0x8C,0xFD,0xA7,0x6D,0x4D,0xA7,0x08,
0xDF,0x1F,0xB2,0xBC,0x2E,0x4A,0x43,0x71,
};
static const unsigned char dh1024_g[] = {
0xA4,0xD1,0xCB,0xD5,0xC3,0xFD,0x34,0x12,0x67,0x65,0xA4,0x42,
0xEF,0xB9,0x99,0x05,0xF8,0x10,0x4D,0xD2,0x58,0xAC,0x50,0x7F,
0xD6,0x40,0x6C,0xFF,0x14,0x26,0x6D,0x31,0x26,0x6F,0xEA,0x1E,
0x5C,0x41,0x56,0x4B,0x77,0x7E,0x69,0x0F,0x55,0x04,0xF2,0x13,
0x16,0x02,0x17,0xB4,0xB0,0x1B,0x88,0x6A,0x5E,0x91,0x54,0x7F,
0x9E,0x27,0x49,0xF4,0xD7,0xFB,0xD7,0xD3,0xB9,0xA9,0x2E,0xE1,
0x90,0x9D,0x0D,0x22,0x63,0xF8,0x0A,0x76,0xA6,0xA2,0x4C,0x08,
0x7A,0x09,0x1F,0x53,0x1D,0xBF,0x0A,0x01,0x69,0xB6,0xA2,0x8A,
0xD6,0x62,0xA4,0xD1,0x8E,0x73,0xAF,0xA3,0x2D,0x77,0x9D,0x59,
0x18,0xD0,0x8B,0xC8,0x85,0x8F,0x4D,0xCE,0xF9,0x7C,0x2A,0x24,
0x85,0x5E,0x6E,0xEB,0x22,0xB3,0xB2,0xE5,
};
SSL_CTX* NewCtx = NULL;
bool r = false;
static bool IsLoaded = false;
if(MethodSSL == NULL)
MethodSSL = SSLv23_server_method();
do {
if(!IsLoaded) {
IsLoaded = true;
SSL_library_init();
OpenSSL_add_all_algorithms();
SSL_load_error_strings();
}
if((NewCtx = SSL_CTX_new((const SSL_METHOD*)MethodSSL)) == NULL)
break;
SSL_CTX_set_read_ahead(NewCtx, 1);
SSL_CTX_set_verify(NewCtx, SSL_VERIFY_NONE, NULL);
if(CipherList != NULL) {
if(SSL_CTX_set_cipher_list(NewCtx, CipherList) == 1)
SSL_CTX_set_options(NewCtx, SSL_OP_CIPHER_SERVER_PREFERENCE);
}
if(CAFile != NULL) {
if(!SSL_CTX_load_verify_locations(NewCtx, CAFile, NULL)) {
SSL_CTX_free(NewCtx);
NewCtx = NULL;
break;
}
}
if((SSL_CTX_use_certificate_file(NewCtx, CertFile, TypeCertFile) <= 0) ||
(SSL_CTX_use_PrivateKey_file(NewCtx, KeyFile, TypeCertFile) <= 0)) {
SSL_CTX_free(NewCtx);
NewCtx = NULL;
break;
}
if(SSL_CTX_check_private_key(NewCtx) != 1) {
SSL_CTX_free(NewCtx);
NewCtx = NULL;
break;
}
if(DhpFile != NULL) {
BIO *bio = BIO_new_file(DhpFile, "r");
if(bio) {
DH *dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
BIO_free(bio);
if(dh) {
SSL_CTX_set_tmp_dh(NewCtx, dh);
SSL_CTX_set_options(NewCtx, SSL_OP_SINGLE_DH_USE);
DH_free(dh);
}
}
} else {
DH *dh = DH_new();
//.........这里部分代码省略.........
示例10: network_init
//.........这里部分代码省略.........
} else {
/* Default curve */
nid = OBJ_sn2nid("prime256v1");
}
ecdh = EC_KEY_new_by_curve_name(nid);
if (ecdh == NULL) {
log_error_write(srv, __FILE__, __LINE__, "ss", "SSL: Unable to create curve", s->ssl_ec_curve->ptr);
return -1;
}
SSL_CTX_set_tmp_ecdh(s->ssl_ctx,ecdh);
SSL_CTX_set_options(s->ssl_ctx,SSL_OP_SINGLE_ECDH_USE);
EC_KEY_free(ecdh);
#endif
#endif
if (!buffer_is_empty(s->ssl_ca_file)) {
if (1 != SSL_CTX_load_verify_locations(s->ssl_ctx, s->ssl_ca_file->ptr, NULL)) {
log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
return -1;
}
if (s->ssl_verifyclient) {
STACK_OF(X509_NAME) *certs = SSL_load_client_CA_file(s->ssl_ca_file->ptr);
if (!certs) {
log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
}
if (SSL_CTX_set_session_id_context(s->ssl_ctx, (void*) &srv, sizeof(srv)) != 1) {
log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
ERR_error_string(ERR_get_error(), NULL));
return -1;
}
SSL_CTX_set_client_CA_list(s->ssl_ctx, certs);
SSL_CTX_set_verify(
s->ssl_ctx,
SSL_VERIFY_PEER | (s->ssl_verifyclient_enforce ? SSL_VERIFY_FAIL_IF_NO_PEER_CERT : 0),
NULL
);
SSL_CTX_set_verify_depth(s->ssl_ctx, s->ssl_verifyclient_depth);
}
} else if (s->ssl_verifyclient) {
log_error_write(
srv, __FILE__, __LINE__, "s",
"SSL: You specified ssl.verifyclient.activate but no ca_file"
);
}
if (SSL_CTX_use_certificate_file(s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
return -1;
}
if (SSL_CTX_use_PrivateKey_file (s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
return -1;
}
if (SSL_CTX_check_private_key(s->ssl_ctx) != 1) {
log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:",
"Private key does not match the certificate public key, reason:",
ERR_error_string(ERR_get_error(), NULL),
s->ssl_pemfile);
return -1;
}示例11: _mosquitto_socket_connect
//.........这里部分代码省略.........
if(mosq->tls_ciphers){
ret = SSL_CTX_set_cipher_list(mosq->ssl_ctx, mosq->tls_ciphers);
if(ret == 0){
_mosquitto_log_printf(mosq, MOSQ_LOG_ERR, "Error: Unable to set TLS ciphers. Check cipher list \"%s\".", mosq->tls_ciphers);
COMPAT_CLOSE(sock);
return MOSQ_ERR_TLS;
}
}
if(mosq->tls_cafile || mosq->tls_capath){
ret = SSL_CTX_load_verify_locations(mosq->ssl_ctx, mosq->tls_cafile, mosq->tls_capath);
if(ret == 0){
#ifdef WITH_BROKER
if(mosq->tls_cafile && mosq->tls_capath){
_mosquitto_log_printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check bridge_cafile \"%s\" and bridge_capath \"%s\".", mosq->tls_cafile, mosq->tls_capath);
}else if(mosq->tls_cafile){
_mosquitto_log_printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check bridge_cafile \"%s\".", mosq->tls_cafile);
}else{
_mosquitto_log_printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check bridge_capath \"%s\".", mosq->tls_capath);
}
#else
if(mosq->tls_cafile && mosq->tls_capath){
_mosquitto_log_printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check cafile \"%s\" and capath \"%s\".", mosq->tls_cafile, mosq->tls_capath);
}else if(mosq->tls_cafile){
_mosquitto_log_printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check cafile \"%s\".", mosq->tls_cafile);
}else{
_mosquitto_log_printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check capath \"%s\".", mosq->tls_capath);
}
#endif
COMPAT_CLOSE(sock);
return MOSQ_ERR_TLS;
}
if(mosq->tls_cert_reqs == 0){
SSL_CTX_set_verify(mosq->ssl_ctx, SSL_VERIFY_NONE, NULL);
}else{
SSL_CTX_set_verify(mosq->ssl_ctx, SSL_VERIFY_PEER, NULL);
}
if(mosq->tls_pw_callback){
SSL_CTX_set_default_passwd_cb(mosq->ssl_ctx, mosq->tls_pw_callback);
SSL_CTX_set_default_passwd_cb_userdata(mosq->ssl_ctx, mosq);
}
if(mosq->tls_certfile){
ret = SSL_CTX_use_certificate_file(mosq->ssl_ctx, mosq->tls_certfile, SSL_FILETYPE_PEM);
if(ret != 1){
#ifdef WITH_BROKER
_mosquitto_log_printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load client certificate, check bridge_certfile \"%s\".", mosq->tls_certfile);
#else
_mosquitto_log_printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load client certificate \"%s\".", mosq->tls_certfile);
#endif
COMPAT_CLOSE(sock);
return MOSQ_ERR_TLS;
}
}
if(mosq->tls_keyfile){
ret = SSL_CTX_use_PrivateKey_file(mosq->ssl_ctx, mosq->tls_keyfile, SSL_FILETYPE_PEM);
if(ret != 1){
#ifdef WITH_BROKER
_mosquitto_log_printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load client key file, check bridge_keyfile \"%s\".", mosq->tls_keyfile);
#else
_mosquitto_log_printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load client key file \"%s\".", mosq->tls_keyfile);
#endif
COMPAT_CLOSE(sock);
return MOSQ_ERR_TLS;
}示例12: tls_log_mask
TLS_APPL_STATE *tls_client_init(const TLS_CLIENT_INIT_PROPS *props)
{
long off = 0;
int cachable;
int scache_timeout;
SSL_CTX *client_ctx;
TLS_APPL_STATE *app_ctx;
int log_mask;
/*
* Convert user loglevel to internal logmask.
*/
log_mask = tls_log_mask(props->log_param, props->log_level);
if (log_mask & TLS_LOG_VERBOSE)
msg_info("initializing the client-side TLS engine");
/*
* Load (mostly cipher related) TLS-library internal main.cf parameters.
*/
tls_param_init();
/*
* Detect mismatch between compile-time headers and run-time library.
*/
tls_check_version();
/*
* Initialize the OpenSSL library by the book! To start with, we must
* initialize the algorithms. We want cleartext error messages instead of
* just error codes, so we load the error_strings.
*/
SSL_load_error_strings();
OpenSSL_add_ssl_algorithms();
/*
* Create an application data index for SSL objects, so that we can
* attach TLScontext information; this information is needed inside
* tls_verify_certificate_callback().
*/
if (TLScontext_index < 0) {
if ((TLScontext_index = SSL_get_ex_new_index(0, 0, 0, 0, 0)) < 0) {
msg_warn("Cannot allocate SSL application data index: "
"disabling TLS support");
return (0);
}
}
/*
* If the administrator specifies an unsupported digest algorithm, fail
* now, rather than in the middle of a TLS handshake.
*/
if (!tls_validate_digest(props->mdalg)) {
msg_warn("disabling TLS support");
return (0);
}
/*
* Initialize the PRNG (Pseudo Random Number Generator) with some seed
* from external and internal sources. Don't enable TLS without some real
* entropy.
*/
if (tls_ext_seed(var_tls_daemon_rand_bytes) < 0) {
msg_warn("no entropy for TLS key generation: disabling TLS support");
return (0);
}
tls_int_seed();
/*
* The SSL/TLS specifications require the client to send a message in the
* oldest specification it understands with the highest level it
* understands in the message. RFC2487 is only specified for TLSv1, but
* we want to be as compatible as possible, so we will start off with a
* SSLv2 greeting allowing the best we can offer: TLSv1. We can restrict
* this with the options setting later, anyhow.
*
* OpenSSL 1.1.0-dev deprecates SSLv23_client_method() in favour of
* TLS_client_method(), with the change in question signalled via a new
* TLS_ANY_VERSION macro.
*/
ERR_clear_error();
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && defined(TLS_ANY_VERSION)
client_ctx = SSL_CTX_new(TLS_client_method());
#else
client_ctx = SSL_CTX_new(SSLv23_client_method());
#endif
if (client_ctx == 0) {
msg_warn("cannot allocate client SSL_CTX: disabling TLS support");
tls_print_errors();
return (0);
}
/*
* See the verify callback in tls_verify.c
*/
SSL_CTX_set_verify_depth(client_ctx, props->verifydepth + 1);
/*
* Protocol selection is destination dependent, so we delay the protocol
* selection options to the per-session SSL object.
//.........这里部分代码省略.........
示例13: verify_init
int verify_init(SERVICE_OPTIONS *section) {
if(section->verify_level<0)
return 1; /* no certificate verification */
if(section->verify_level>1 && !section->ca_file && !section->ca_dir) {
s_log(LOG_ERR,
"Either CApath or CAfile has to be used for authentication");
return 0;
}
section->revocation_store=X509_STORE_new();
if(!section->revocation_store) {
sslerror("X509_STORE_new");
return 0;
}
if(section->ca_file) {
if(!SSL_CTX_load_verify_locations(section->ctx,
section->ca_file, NULL)) {
s_log(LOG_ERR, "Error loading verify certificates from %s",
section->ca_file);
sslerror("SSL_CTX_load_verify_locations");
return 0;
}
/* list of trusted CAs for the client to choose the right cert */
SSL_CTX_set_client_CA_list(section->ctx,
SSL_load_client_CA_file(section->ca_file));
s_log(LOG_DEBUG, "Loaded verify certificates from %s",
section->ca_file);
if(!load_file_lookup(section->revocation_store, section->ca_file))
return 0;
}
if(section->ca_dir) {
if(!SSL_CTX_load_verify_locations(section->ctx,
NULL, section->ca_dir)) {
s_log(LOG_ERR, "Error setting verify directory to %s",
section->ca_dir);
sslerror("SSL_CTX_load_verify_locations");
return 0;
}
s_log(LOG_DEBUG, "Verify directory set to %s", section->ca_dir);
add_dir_lookup(section->revocation_store, section->ca_dir);
}
if(section->crl_file)
if(!load_file_lookup(section->revocation_store, section->crl_file))
return 0;
if(section->crl_dir) {
section->revocation_store->cache=0; /* don't cache CRLs */
add_dir_lookup(section->revocation_store, section->crl_dir);
}
SSL_CTX_set_verify(section->ctx, section->verify_level==SSL_VERIFY_NONE ?
SSL_VERIFY_PEER : section->verify_level, verify_callback);
if(section->ca_dir && section->verify_use_only_my)
s_log(LOG_NOTICE, "Peer certificate location %s", section->ca_dir);
return 1; /* OK */
}示例14: Curl_ossl_connect
//.........这里部分代码省略.........
/* tell SSL where to find CA certificates that are used to verify
the servers certificate. */
if (!SSL_CTX_load_verify_locations(connssl->ctx, data->set.ssl.CAfile,
data->set.ssl.CApath)) {
if (data->set.ssl.verifypeer) {
/* Fail if we insist on successfully verifying the server. */
failf(data,"error setting certificate verify locations:\n"
" CAfile: %s\n CApath: %s\n",
data->set.ssl.CAfile ? data->set.ssl.CAfile : "none",
data->set.ssl.CApath ? data->set.ssl.CApath : "none");
return CURLE_SSL_CACERT;
}
else {
/* Just continue with a warning if no strict certificate verification
is required. */
infof(data, "error setting certificate verify locations,"
" continuing anyway:\n");
}
}
else {
/* Everything is fine. */
infof(data, "successfully set certificate verify locations:\n");
}
infof(data,
" CAfile: %s\n"
" CApath: %s\n",
data->set.ssl.CAfile ? data->set.ssl.CAfile : "none",
data->set.ssl.CApath ? data->set.ssl.CApath : "none");
}
/* SSL always tries to verify the peer, this only says whether it should
* fail to connect if the verification fails, or if it should continue
* anyway. In the latter case the result of the verification is checked with
* SSL_get_verify_result() below. */
SSL_CTX_set_verify(connssl->ctx,
data->set.ssl.verifypeer?SSL_VERIFY_PEER:SSL_VERIFY_NONE,
cert_verify_callback);
/* give application a chance to interfere with SSL set up. */
if(data->set.ssl.fsslctx) {
retcode = (*data->set.ssl.fsslctx)(data, connssl->ctx,
data->set.ssl.fsslctxp);
if(retcode) {
failf(data,"error signaled by ssl ctx callback");
return retcode;
}
}
/* Lets make an SSL structure */
connssl->handle = SSL_new(connssl->ctx);
if (!connssl->handle) {
failf(data, "SSL: couldn't create a context (handle)!");
return CURLE_OUT_OF_MEMORY;
}
SSL_set_connect_state(connssl->handle);
connssl->server_cert = 0x0;
/* Check if there's a cached ID we can/should use here! */
if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL)) {
/* we got a session id, use it! */
if (!SSL_set_session(connssl->handle, ssl_sessionid)) {
failf(data, "SSL: SSL_set_session failed: %s",
ERR_error_string(ERR_get_error(),NULL));
return CURLE_SSL_CONNECT_ERROR;
}
/* Informational message */示例15: ERR_clear_error
TLS_APPL_STATE *tls_client_create(const TLS_CLIENT_INIT_PROPS *props)
{
const char *myname = "tls_client_create";
long off = 0;
int cachable;
SSL_CTX *client_ctx;
TLS_APPL_STATE *app_ctx;
/*
* The SSL/TLS specifications require the client to send a message in the
* oldest specification it understands with the highest level it
* understands in the message. RFC2487 is only specified for TLSv1, but
* we want to be as compatible as possible, so we will start off with a
* SSLv2 greeting allowing the best we can offer: TLSv1. We can restrict
* this with the options setting later, anyhow.
*/
ERR_clear_error();
if ((client_ctx = SSL_CTX_new(SSLv23_client_method())) == 0) {
acl_msg_warn("%s: cannot allocate client SSL_CTX: disabling TLS support", myname);
tls_print_errors();
return (0);
}
/*
* See the verify callback in tls_verify.c
*/
SSL_CTX_set_verify_depth(client_ctx, props->verifydepth + 1);
/*
* Protocol selection is destination dependent, so we delay the protocol
* selection options to the per-session SSL object.
*/
off |= tls_bug_bits();
SSL_CTX_set_options(client_ctx, off);
/*
* Set the call-back routine for verbose logging.
*/
if (props->log_level >= 2)
SSL_CTX_set_info_callback(client_ctx, tls_info_callback);
/*
* Load the CA public key certificates for both the client cert and for
* the verification of server certificates. As provided by OpenSSL we
* support two types of CA certificate handling: One possibility is to
* add all CA certificates to one large CAfile, the other possibility is
* a directory pointed to by CApath, containing separate files for each
* CA with softlinks named after the hash values of the certificate. The
* first alternative has the advantage that the file is opened and read
* at startup time, so that you don't have the hassle to maintain another
* copy of the CApath directory for chroot-jail.
*/
if (tls_set_ca_certificate_info(client_ctx, props->CAfile, props->CApath) < 0) {
/* tls_set_ca_certificate_info() already logs a warning. */
SSL_CTX_free(client_ctx); /* 200411 */
return (0);
}
/*
* We do not need a client certificate, so the certificates are only
* loaded (and checked) if supplied. A clever client would handle
* multiple client certificates and decide based on the list of
* acceptable CAs, sent by the server, which certificate to submit.
* OpenSSL does however not do this and also has no call-back hooks to
* easily implement it.
*
* Load the client public key certificate and private key from file and
* check whether the cert matches the key. We can use RSA certificates
* ("cert") DSA certificates ("dcert") or ECDSA certificates ("eccert").
* All three can be made available at the same time. The CA certificates
* for all three are handled in the same setup already finished. Which
* one is used depends on the cipher negotiated (that is: the first
* cipher listed by the client which does match the server). The client
* certificate is presented after the server chooses the session cipher,
* so we will just present the right cert for the chosen cipher (if it
* uses certificates).
*/
if (tls_set_my_certificate_key_info(client_ctx,
props->cert_file,
props->key_file,
props->dcert_file,
props->dkey_file,
props->eccert_file,
props->eckey_file) < 0) {
/* tls_set_my_certificate_key_info() already logs a warning. */
SSL_CTX_free(client_ctx); /* 200411 */
return (0);
}
/*
* According to the OpenSSL documentation, temporary RSA key is needed
* export ciphers are in use. We have to provide one, so well, we just do
* it.
*/
SSL_CTX_set_tmp_rsa_callback(client_ctx, tls_tmp_rsa_cb);
/*
* Finally, the setup for the server certificate checking, done "by the
* book".
*/
//.........这里部分代码省略.........