summaryrefslogtreecommitdiff
path: root/lib/server/TLSContext.cpp
diff options
context:
space:
mode:
authorReinhard Tartler <siretart@tauware.de>2019-05-28 07:20:50 -0400
committerReinhard Tartler <siretart@tauware.de>2019-05-28 07:20:50 -0400
commit6017757bc079f4446aa77bc5c0855c52741280f4 (patch)
tree41bfcfc2aab37312ef73bf9b30867a235c8117f3 /lib/server/TLSContext.cpp
parent1b839d11810d6202f9b6f41db8f0ec3197e6a867 (diff)
New upstream version 0.13~~git20190527.g039c4a1
Diffstat (limited to 'lib/server/TLSContext.cpp')
-rw-r--r--lib/server/TLSContext.cpp72
1 files changed, 56 insertions, 16 deletions
diff --git a/lib/server/TLSContext.cpp b/lib/server/TLSContext.cpp
index 1a6d4a53..9c01452b 100644
--- a/lib/server/TLSContext.cpp
+++ b/lib/server/TLSContext.cpp
@@ -10,10 +10,12 @@
#include "Box.h"
#define TLS_CLASS_IMPLEMENTATION_CPP
+#include <openssl/err.h>
#include <openssl/ssl.h>
#include "autogen_ConnectionException.h"
#include "autogen_ServerException.h"
+#include "BoxPortsAndFiles.h"
#include "CryptoUtils.h"
#include "SSLLib.h"
#include "TLSContext.h"
@@ -21,7 +23,7 @@
#include "MemLeakFindOn.h"
#define MAX_VERIFICATION_DEPTH 2
-#define CIPHER_LIST "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"
+#define CIPHER_LIST "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"
// Macros to allow compatibility with OpenSSL 1.0 and 1.1 APIs. See
// https://github.com/charybdis-ircd/charybdis/blob/release/3.5/libratbox/src/openssl_ratbox.h
@@ -71,7 +73,8 @@ TLSContext::~TLSContext()
// Created: 2003/08/06
//
// --------------------------------------------------------------------------
-void TLSContext::Initialise(bool AsServer, const char *CertificatesFile, const char *PrivateKeyFile, const char *TrustedCAsFile)
+void TLSContext::Initialise(bool AsServer, const char *CertificatesFile, const char *PrivateKeyFile,
+ const char *TrustedCAsFile, int SSLSecurityLevel)
{
if(mpContext != 0)
{
@@ -84,29 +87,65 @@ void TLSContext::Initialise(bool AsServer, const char *CertificatesFile, const c
THROW_EXCEPTION(ServerException, TLSAllocationFailed)
}
+#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
+ if(SSLSecurityLevel == -1)
+ {
+ BOX_WARNING("SSLSecurityLevel not set. Your connection may not be secure. "
+ "Please see https://github.com/boxbackup/boxbackup/wiki/WeakSSLCertificates "
+ "for details");
+ SSLSecurityLevel = 1; // Default for now. Unsafe, but we warned the user.
+ // TODO: upgrade to level 2 soon.
+ }
+
+ SSL_CTX_set_security_level(mpContext, SSLSecurityLevel);
+#else
+ if(SSLSecurityLevel != BOX_DEFAULT_SSL_SECURITY_LEVEL)
+ {
+ BOX_WARNING("SSLSecurityLevel is set, but this Box Backup is not compiled with "
+ "OpenSSL 1.1 or higher, so will be ignored (compiled with "
+ OPENSSL_VERSION_TEXT ")");
+ }
+#endif
+
// Setup our identity
if(::SSL_CTX_use_certificate_chain_file(mpContext, CertificatesFile) != 1)
{
- std::string msg = "loading certificates from ";
- msg += CertificatesFile;
- CryptoUtils::LogError(msg);
- THROW_EXCEPTION(ServerException, TLSLoadCertificatesFailed)
+#if HAVE_DECL_SSL_R_EE_KEY_TOO_SMALL
+ int err_reason = ERR_GET_REASON(ERR_peek_error());
+ if(err_reason == SSL_R_EE_KEY_TOO_SMALL)
+ {
+ THROW_EXCEPTION_MESSAGE(ServerException, TLSServerWeakCertificate,
+ "Failed to load certificates from " << CertificatesFile << ": "
+ "key too short for current security level");
+ }
+ else if(err_reason == SSL_R_CA_MD_TOO_WEAK)
+ {
+ THROW_EXCEPTION_MESSAGE(ServerException, TLSServerWeakCertificate,
+ "Failed to load certificates from " << CertificatesFile << ": "
+ "hash too weak for current security level");
+ }
+ else
+#endif // HAVE_DECL_SSL_R_EE_KEY_TOO_SMALL
+ {
+ THROW_EXCEPTION_MESSAGE(ServerException, TLSLoadCertificatesFailed,
+ "Failed to load certificates from " << CertificatesFile << ": " <<
+ CryptoUtils::LogError("loading certificates"));
+ }
}
+
if(::SSL_CTX_use_PrivateKey_file(mpContext, PrivateKeyFile, SSL_FILETYPE_PEM) != 1)
{
- std::string msg = "loading private key from ";
- msg += PrivateKeyFile;
- CryptoUtils::LogError(msg);
- THROW_EXCEPTION(ServerException, TLSLoadPrivateKeyFailed)
+ THROW_EXCEPTION_MESSAGE(ServerException, TLSLoadPrivateKeyFailed,
+ "Failed to load private key from " << PrivateKeyFile << ": " <<
+ CryptoUtils::LogError("loading private key"));
}
// Setup the identify of CAs we trust
if(::SSL_CTX_load_verify_locations(mpContext, TrustedCAsFile, NULL) != 1)
{
- std::string msg = "loading CA cert from ";
- msg += TrustedCAsFile;
- CryptoUtils::LogError(msg);
- THROW_EXCEPTION(ServerException, TLSLoadTrustedCAsFailed)
+ THROW_EXCEPTION_MESSAGE(ServerException, TLSLoadTrustedCAsFailed,
+ "Failed to load CA certificate from " << TrustedCAsFile << ": " <<
+ CryptoUtils::LogError("loading CA cert"));
}
// Setup options to require these certificates
@@ -117,8 +156,9 @@ void TLSContext::Initialise(bool AsServer, const char *CertificatesFile, const c
// Setup allowed ciphers
if(::SSL_CTX_set_cipher_list(mpContext, CIPHER_LIST) != 1)
{
- CryptoUtils::LogError("setting cipher list to " CIPHER_LIST);
- THROW_EXCEPTION(ServerException, TLSSetCiphersFailed)
+ THROW_EXCEPTION_MESSAGE(ServerException, TLSSetCiphersFailed,
+ "Failed to set cipher list to " << CIPHER_LIST << ": " <<
+ CryptoUtils::LogError("setting cipher list"));
}
}