1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
|
// --------------------------------------------------------------------------
//
// File
// Name: TLSContext.h
// Purpose: TLS (SSL) context for connections
// Created: 2003/08/06
//
// --------------------------------------------------------------------------
#include "Box.h"
#define TLS_CLASS_IMPLEMENTATION_CPP
#include <openssl/ssl.h>
#include "TLSContext.h"
#include "ServerException.h"
#include "SSLLib.h"
#include "TLSContext.h"
#include "MemLeakFindOn.h"
#define MAX_VERIFICATION_DEPTH 2
#define CIPHER_LIST "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"
// --------------------------------------------------------------------------
//
// Function
// Name: TLSContext::TLSContext()
// Purpose: Constructor
// Created: 2003/08/06
//
// --------------------------------------------------------------------------
TLSContext::TLSContext()
: mpContext(0)
{
}
// --------------------------------------------------------------------------
//
// Function
// Name: TLSContext::~TLSContext()
// Purpose: Destructor
// Created: 2003/08/06
//
// --------------------------------------------------------------------------
TLSContext::~TLSContext()
{
if(mpContext != 0)
{
::SSL_CTX_free(mpContext);
}
}
// --------------------------------------------------------------------------
//
// Function
// Name: TLSContext::Initialise(bool, const char *, const char *, const char *)
// Purpose: Initialise the context, loading in the specified certificate and private key files
// Created: 2003/08/06
//
// --------------------------------------------------------------------------
void TLSContext::Initialise(bool AsServer, const char *CertificatesFile, const char *PrivateKeyFile, const char *TrustedCAsFile)
{
mpContext = ::SSL_CTX_new(AsServer?TLSv1_server_method():TLSv1_client_method());
if(mpContext == NULL)
{
THROW_EXCEPTION(ServerException, TLSAllocationFailed)
}
// Setup our identity
if(::SSL_CTX_use_certificate_chain_file(mpContext, CertificatesFile) != 1)
{
SSLLib::LogError("Load certificates");
THROW_EXCEPTION(ServerException, TLSLoadCertificatesFailed)
}
if(::SSL_CTX_use_PrivateKey_file(mpContext, PrivateKeyFile, SSL_FILETYPE_PEM) != 1)
{
SSLLib::LogError("Load private key");
THROW_EXCEPTION(ServerException, TLSLoadPrivateKeyFailed)
}
// Setup the identify of CAs we trust
if(::SSL_CTX_load_verify_locations(mpContext, TrustedCAsFile, NULL) != 1)
{
SSLLib::LogError("Load CA cert");
THROW_EXCEPTION(ServerException, TLSLoadTrustedCAsFailed)
}
// Setup options to require these certificates
::SSL_CTX_set_verify(mpContext, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
// and a sensible maximum depth
::SSL_CTX_set_verify_depth(mpContext, MAX_VERIFICATION_DEPTH);
// Setup allowed ciphers
if(::SSL_CTX_set_cipher_list(mpContext, CIPHER_LIST) != 1)
{
SSLLib::LogError("Set cipher list");
THROW_EXCEPTION(ServerException, TLSSetCiphersFailed)
}
}
// --------------------------------------------------------------------------
//
// Function
// Name: TLSContext::GetRawContext()
// Purpose: Get the raw context for OpenSSL API
// Created: 2003/08/06
//
// --------------------------------------------------------------------------
SSL_CTX *TLSContext::GetRawContext() const
{
if(mpContext == 0)
{
THROW_EXCEPTION(ServerException, TLSContextNotInitialised)
}
return mpContext;
}
|