"Common.SSLContext.COULD_NOT_SET_CIPHER_LIST", "Could not set the cipher list"); throw SSLException(parms); }#endif // // set overall SSL Context flags // SSL_CTX_set_quiet_shutdown(sslContext, 1); SSL_CTX_set_mode(sslContext, SSL_MODE_AUTO_RETRY); SSL_CTX_set_mode(sslContext, SSL_MODE_ENABLE_PARTIAL_WRITE); SSL_CTX_set_session_cache_mode(sslContext, SSL_SESS_CACHE_OFF); int options = SSL_OP_ALL;#ifndef PEGASUS_ENABLE_SSLV2 //SSLv2 is disabled by default options |= SSL_OP_NO_SSLv2;#endif SSL_CTX_set_options(sslContext, options); if (_verifyPeer) { // ATTN: We might still need a flag to specify // SSL_VERIFY_FAIL_IF_NO_PEER_CERT // If SSL_VERIFY_FAIL_IF_NO_PEER_CERT is ON, SSL will immediately be // terminated if the client sends no certificate or sends an // untrusted certificate. The callback function is not called in // this case; the handshake is simply terminated. // This value has NO effect in from a client perspective if (_certificateVerifyFunction != NULL) { PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL3, "---> SSL: certificate verification callback specified"); SSL_CTX_set_verify(sslContext, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, prepareForCallback); } else { PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL3, "---> SSL: Trust Store specified"); SSL_CTX_set_verify(sslContext, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, prepareForCallback); } } else { PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL3, "---> SSL: Trust Store and certificate verification callback " "are NOT specified"); SSL_CTX_set_verify(sslContext, SSL_VERIFY_NONE, NULL); } // // Check if there is CA certificate file or directory specified. If // specified, and is not empty, load the certificates from the Trust store. // if (_trustStore != String::EMPTY) { // // The truststore may be a single file of CA certificates OR // a directory containing multiple CA certificates. // Check which one it is, and call the load_verify_locations function // with the appropriate parameter. 
Note: It is possible to have both // options, in which case the CA file takes precedence over the CA path. // However, since there is currently only one trust parameter to the // SSL functions, only allow one choice here. // if (FileSystem::isDirectory(_trustStore)) { PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL3, "---> SSL: Truststore is a directory"); // // load certificates from the trust store // PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL2, "---> SSL: Loading certificates from the trust store: " + _trustStore); if ((!SSL_CTX_load_verify_locations( sslContext, NULL, _trustStore.getCString())) || (!SSL_CTX_set_default_verify_paths(sslContext))) { PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL2, "---> SSL: Could not load certificates from the trust " "store: " + _trustStore); MessageLoaderParms parms( "Common.SSLContext.COULD_NOT_LOAD_CERTIFICATES", "Could not load certificates in to trust store."); PEG_METHOD_EXIT(); throw SSLException(parms); } } else if (FileSystem::exists(_trustStore)) { PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL3, "---> SSL: Truststore is a file"); // // Get size of the trust store file: // Uint32 fileSize = 0; FileSystem::getFileSize(_trustStore, fileSize); if (fileSize > 0) { // // load certificates from the trust store // PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL2, "---> SSL: Loading certificates from the trust store: " + _trustStore); if ((!SSL_CTX_load_verify_locations( sslContext, _trustStore.getCString(), NULL)) || (!SSL_CTX_set_default_verify_paths(sslContext))) { PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL2, "---> SSL: Could not load certificates from the " "trust store: " + _trustStore); MessageLoaderParms parms( "Common.SSLContext.COULD_NOT_LOAD_CERTIFICATES", "Could not load certificates in to trust store."); PEG_METHOD_EXIT(); throw SSLException(parms); } } else { // // no certificates found in the trust store // PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL2, "---> SSL: No certificates to load from the trust " "store: " + _trustStore); } } } if (_crlPath != 
String::EMPTY) { // need to save this -- can we make it static since there's only // one CRL for cimserver? X509_LOOKUP* pLookup; _crlStore = X509_STORE_new(); // the validity of the crlstore was checked in ConfigManager // during server startup if (FileSystem::isDirectory(_crlPath)) { Tracer::trace(TRC_SSL, Tracer::LEVEL3, "---> SSL: CRL store is a directory in %s", (const char*)_crlPath.getCString()); if ((pLookup = X509_STORE_add_lookup( _crlStore, X509_LOOKUP_hash_dir())) == NULL) { MessageLoaderParms parms( "Common.SSLContext.COULD_NOT_LOAD_CRLS", "Could not load certificate revocation list."); X509_STORE_free(_crlStore); PEG_METHOD_EXIT(); throw SSLException(parms); } X509_LOOKUP_add_dir( pLookup, (const char*)_crlPath.getCString(), X509_FILETYPE_PEM); PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL3, "---> SSL: Successfully configured CRL directory"); } else { Tracer::trace(TRC_SSL, Tracer::LEVEL3, "---> SSL: CRL store is the file %s", (const char*)_crlPath.getCString()); if ((pLookup = X509_STORE_add_lookup( _crlStore, X509_LOOKUP_file())) == NULL) { MessageLoaderParms parms( "Common.SSLContext.COULD_NOT_LOAD_CRLS", "Could not load certificate revocation list."); X509_STORE_free(_crlStore); PEG_METHOD_EXIT(); throw SSLException(parms); } X509_LOOKUP_load_file( pLookup, (const char*)_crlPath.getCString(), X509_FILETYPE_PEM); PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL3, "---> SSL: Successfully configured CRL file"); } } Boolean keyLoaded = false; // // Check if there is a certificate file (file containing server // certificate) specified. If specified, validate and load the // certificate. 
// if (_certPath != String::EMPTY) { // // load the specified server certificates // PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL2, "---> SSL: Loading server certificate from: " + _certPath); if (SSL_CTX_use_certificate_file(sslContext, _certPath.getCString(), SSL_FILETYPE_PEM) <=0) { PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL2, "---> SSL: No server certificate found in " + _certPath); MessageLoaderParms parms( "Common.SSLContext.COULD_NOT_GET_SERVER_CERTIFICATE", "Could not get server certificate."); PEG_METHOD_EXIT(); throw SSLException(parms); } // // If there is no key file (file containing server // private key) specified, then try loading the key from the // certificate file. // As of 2.4, if a keyfile is specified, its location is verified // during server startup and will throw an error if the path is invalid. // if (_keyPath == String::EMPTY) { PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL2, "---> SSL: loading private key from: " + _certPath); // // load the private key and check for validity // if (!_verifyPrivateKey(sslContext, _certPath)) { MessageLoaderParms parms( "Common.SSLContext.COULD_NOT_GET_PRIVATE_KEY", "Could not get private key."); PEG_METHOD_EXIT(); throw SSLException(parms); } keyLoaded = true; } } // // Check if there is a key file (file containing server // private key) specified and the key was not already loaded. // If specified, validate and load the key. 
// if (_keyPath != String::EMPTY && !keyLoaded) { PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL2, "---> SSL: loading private key from: " + _keyPath); // // load given private key and check for validity // if (!_verifyPrivateKey(sslContext, _keyPath)) { MessageLoaderParms parms( "Common.SSLContext.COULD_NOT_GET_PRIVATE_KEY", "Could not get private key."); PEG_METHOD_EXIT(); throw SSLException(parms); } keyLoaded = true; } PEG_METHOD_EXIT(); return sslContext;}Boolean SSLContextRep::_verifyPrivateKey(SSL_CTX *ctx, const String& keyPath){ PEG_METHOD_ENTER(TRC_SSL, "_verifyPrivateKey()"); if (SSL_CTX_use_PrivateKey_file( ctx, keyPath.getCString(), SSL_FILETYPE_PEM) <= 0) { PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL2, "---> SSL: no private key found in " + String(keyPath)); PEG_METHOD_EXIT(); return false; } if (!SSL_CTX_check_private_key(ctx)) { PEG_TRACE_STRING(TRC_SSL, Tracer::LEVEL2, "---> SSL: Private and public key do not match"); PEG_METHOD_EXIT(); return false; } PEG_METHOD_EXIT(); return true;}SSL_CTX* SSLContextRep::getContext() const{ return _sslContext;}String SSLContextRep::getTrustStore() const{ return _trustStore;}String SSLContextRep::getCertPath() const{ return _certPath;}String SSLContextRep::getKeyPath() const{ return _keyPath;}#ifdef PEGASUS_USE_DEPRECATED_INTERFACESString SSLContextRep::getTrustStoreUserName() const{ return String::EMPTY;}#endifString SSLContextRep::getCRLPath() const{ return _crlPath;}X509_STORE* SSLContextRep::getCRLStore() const{ return _crlStore;}void SSLContextRep::setCRLStore(X509_STORE* store){ _crlStore = store;}Boolean SSLContextRep::isPeerVerificationEnabled() const{ return _verifyPeer;}SSLCertificateVerifyFunction* SSLContextRep::getSSLCertificateVerifyFunction() const{ return _certificateVerifyFunction;}#else//// these definitions are used if ssl is not available//SSLContextRep::SSLContextRep( const String& trustStore, const String& certPath, const String& keyPath, const String& crlPath, SSLCertificateVerifyFunction* verifyCert, 
const String& randomFile){}SSLContextRep::SSLContextRep(const SSLContextRep& sslContextRep) {}SSLContextRep::~SSLContextRep() {}SSL_CTX* SSLContextRep::_makeSSLContext() { return 0; }Boolean SSLContextRep::_verifyPrivateKey( SSL_CTX *ctx, const String& keyPath){ return false;}SSL_CTX* SSLContextRep::getContext() const { return 0; }String SSLContextRep::getTrustStore() const { return String::EMPTY; }String SSLContextRep::getCertPath() const { return String::EMPTY; }String SSLContextRep::getKeyPath() const { return String::EMPTY; }#ifdef PEGASUS_USE_DEPRECATED_INTERFACESString SSLContextRep::getTrustStoreUserName() const { return String::EMPTY; }#endifString SSLContextRep::getCRLPath() const { return String::EMPTY; }X509_STORE* SSLContextRep::getCRLStore() const { return NULL; }void SSLContextRep::setCRLStore(X509_STORE* store) { }Boolean SSLContextRep::isPeerVerificationEnabled() const { return false; }SSLCertificateVerifyFunction* SSLContextRep::getSSLCertificateVerifyFunction() const{ return NULL;}void SSLContextRep::init_ssl() {}void SSLContextRep::free_ssl() {}