Diffstat (limited to 'lib/server/TLSContext.cpp')
-rw-r--r-- | lib/server/TLSContext.cpp | 72 |
1 files changed, 56 insertions, 16 deletions
diff --git a/lib/server/TLSContext.cpp b/lib/server/TLSContext.cpp index 1a6d4a53..9c01452b 100644 --- a/lib/server/TLSContext.cpp +++ b/lib/server/TLSContext.cpp @@ -10,10 +10,12 @@ #include "Box.h" #define TLS_CLASS_IMPLEMENTATION_CPP +#include <openssl/err.h> #include <openssl/ssl.h> #include "autogen_ConnectionException.h" #include "autogen_ServerException.h" +#include "BoxPortsAndFiles.h" #include "CryptoUtils.h" #include "SSLLib.h" #include "TLSContext.h" @@ -21,7 +23,7 @@ #include "MemLeakFindOn.h" #define MAX_VERIFICATION_DEPTH 2 -#define CIPHER_LIST "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH" +#define CIPHER_LIST "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH" // Macros to allow compatibility with OpenSSL 1.0 and 1.1 APIs. See // https://github.com/charybdis-ircd/charybdis/blob/release/3.5/libratbox/src/openssl_ratbox.h @@ -71,7 +73,8 @@ TLSContext::~TLSContext() // Created: 2003/08/06 // // -------------------------------------------------------------------------- -void TLSContext::Initialise(bool AsServer, const char *CertificatesFile, const char *PrivateKeyFile, const char *TrustedCAsFile) +void TLSContext::Initialise(bool AsServer, const char *CertificatesFile, const char *PrivateKeyFile, + const char *TrustedCAsFile, int SSLSecurityLevel) { if(mpContext != 0) { 
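Review bot: The new `SSLSecurityLevel` parameter has a sentinel value that nothing at the signature documents: further down in Initialise, -1 is treated as "not set" and replaced by level 1. A line in the function's banner comment (only its tail is visible in this hunk) would make the contract explicit, for example `// SSLSecurityLevel: OpenSSL security level (0-5), or -1 to use the built-in default`. The body of Initialise continues past the end of this hunk.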
@@ -84,29 +87,65 @@ void TLSContext::Initialise(bool AsServer, const char *CertificatesFile, const c THROW_EXCEPTION(ServerException, TLSAllocationFailed) } +#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL + if(SSLSecurityLevel == -1) + { + BOX_WARNING("SSLSecurityLevel not set. Your connection may not be secure. " + "Please see https://github.com/boxbackup/boxbackup/wiki/WeakSSLCertificates " + "for details"); + SSLSecurityLevel = 1; // Default for now. Unsafe, but we warned the user. + // TODO: upgrade to level 2 soon. + } + + SSL_CTX_set_security_level(mpContext, SSLSecurityLevel); +#else + if(SSLSecurityLevel != BOX_DEFAULT_SSL_SECURITY_LEVEL) + { + BOX_WARNING("SSLSecurityLevel is set, but this Box Backup is not compiled with " + "OpenSSL 1.1 or higher, so will be ignored (compiled with " + OPENSSL_VERSION_TEXT ")"); + } +#endif + // Setup our identity if(::SSL_CTX_use_certificate_chain_file(mpContext, CertificatesFile) != 1) { - std::string msg = "loading certificates from "; - msg += CertificatesFile; - CryptoUtils::LogError(msg); - THROW_EXCEPTION(ServerException, TLSLoadCertificatesFailed) +#if HAVE_DECL_SSL_R_EE_KEY_TOO_SMALL + int err_reason = ERR_GET_REASON(ERR_peek_error()); + if(err_reason == SSL_R_EE_KEY_TOO_SMALL) + { + THROW_EXCEPTION_MESSAGE(ServerException, TLSServerWeakCertificate, + "Failed to load certificates from " << CertificatesFile << ": " + "key too short for current security level"); + } + else if(err_reason == SSL_R_CA_MD_TOO_WEAK) + { + THROW_EXCEPTION_MESSAGE(ServerException, TLSServerWeakCertificate, + "Failed to load certificates from " << CertificatesFile << ": " + "hash too weak for current security level"); + } + else +#endif // HAVE_DECL_SSL_R_EE_KEY_TOO_SMALL + { + THROW_EXCEPTION_MESSAGE(ServerException, TLSLoadCertificatesFailed, + "Failed to load certificates from " << CertificatesFile << ": " << + CryptoUtils::LogError("loading certificates")); + } } + if(::SSL_CTX_use_PrivateKey_file(mpContext, PrivateKeyFile, SSL_FILETYPE_PEM) != 
1) { - std::string msg = "loading private key from "; - msg += PrivateKeyFile; - CryptoUtils::LogError(msg); - THROW_EXCEPTION(ServerException, TLSLoadPrivateKeyFailed) + THROW_EXCEPTION_MESSAGE(ServerException, TLSLoadPrivateKeyFailed, + "Failed to load private key from " << PrivateKeyFile << ": " << + CryptoUtils::LogError("loading private key")); } // Setup the identify of CAs we trust if(::SSL_CTX_load_verify_locations(mpContext, TrustedCAsFile, NULL) != 1) { - std::string msg = "loading CA cert from "; - msg += TrustedCAsFile; - CryptoUtils::LogError(msg); - THROW_EXCEPTION(ServerException, TLSLoadTrustedCAsFailed) + THROW_EXCEPTION_MESSAGE(ServerException, TLSLoadTrustedCAsFailed, + "Failed to load CA certificate from " << TrustedCAsFile << ": " << + CryptoUtils::LogError("loading CA cert")); } // Setup options to require these certificates @@ -117,8 +156,9 @@ void TLSContext::Initialise(bool AsServer, const char *CertificatesFile, const c // Setup allowed ciphers if(::SSL_CTX_set_cipher_list(mpContext, CIPHER_LIST) != 1) { - CryptoUtils::LogError("setting cipher list to " CIPHER_LIST); - THROW_EXCEPTION(ServerException, TLSSetCiphersFailed) + THROW_EXCEPTION_MESSAGE(ServerException, TLSSetCiphersFailed, + "Failed to set cipher list to " << CIPHER_LIST << ": " << + CryptoUtils::LogError("setting cipher list")); } } |
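Review bot: An explicitly configured `SSLSecurityLevel` reaches `SSL_CTX_set_security_level()` unchecked, so a value of 0 turns off OpenSSL's key-size and digest checks without the warning that the unset (-1) case gets. Since the commit already calls level 1 unsafe, the warning should fire for any effective level below 2, e.g. `if(SSLSecurityLevel < 2) { BOX_WARNING("SSLSecurityLevel is below 2; weak keys and hashes will be accepted"); }`, and values outside 0-5 should be rejected rather than passed through. The `#else` branch compares against `BOX_DEFAULT_SSL_SECURITY_LEVEL` while the `#ifdef` branch hard-codes `-1`; using the constant in both keeps them in step (presumably it is -1 in BoxPortsAndFiles.h, which is not visible here). In the certificate-load failure path, `ERR_GET_REASON()` is compared without also checking `ERR_GET_LIB(...) == ERR_LIB_SSL`; reason codes are per-library, so the match should be qualified before it is reported as a weak certificate. Initialise starts before this hunk and continues after it.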