Diffstat (limited to 'cpp/src/Ice/SslSystemOpenSSL.cpp')
-rw-r--r-- | cpp/src/Ice/SslSystemOpenSSL.cpp | 418 |
1 files changed, 279 insertions, 139 deletions
diff --git a/cpp/src/Ice/SslSystemOpenSSL.cpp b/cpp/src/Ice/SslSystemOpenSSL.cpp
index b7013614d4b..c3ac40dd945 100644
--- a/cpp/src/Ice/SslSystemOpenSSL.cpp
+++ b/cpp/src/Ice/SslSystemOpenSSL.cpp
@@ -28,20 +28,23 @@
 #include <openssl/err.h>
 #include <openssl/e_os.h>
 #include <openssl/rand.h>
-#include <Ice/OpenSSL.h>
+#include <Ice/OpenSSL.h>
 #include <Ice/SslSystem.h>
 #include <Ice/SecurityException.h>
 #include <Ice/SslConnectionOpenSSLClient.h>
 #include <Ice/SslConnectionOpenSSLServer.h>
-#include <Ice/SslConfig.h>
-#include <Ice/SslRSAKeyPair.h>
-#include <Ice/SslJanitors.h>
+#include <Ice/SslConfig.h> +#include <Ice/SslRSAKeyPair.h> +#include <Ice/SslRSAPublicKey.h> +#include <Ice/SslJanitors.h> #include <Ice/SslCertificateVerifierOpenSSL.h> #include <Ice/TraceLevels.h> #include <Ice/Logger.h> using namespace std; +using IceInternal::TraceLevelsPtr; +using Ice::LoggerPtr; namespace IceSecurity { @@ -84,7 +87,7 @@ unsigned char System::_tempDiffieHellman512g[] = // will initialize these. NOTE: If we SHOULD have multiple loggers // going on simultaneously, this will definitely cause a problem. TraceLevelsPtr System::_globalTraceLevels = 0; -Ice::LoggerPtr System::_globalLogger = 0; +LoggerPtr System::_globalLogger = 0; } @@ -103,7 +106,7 @@ tmpRSACallback(SSL *s, int isExport, int keyLength) { IceSecurity::Ssl::SystemPtr sslSystem = IceSecurity::Ssl::Factory::getSystemFromHandle(s); - IceSecurity::Ssl::OpenSSL::System* openSslSystem = 0;
+ IceSecurity::Ssl::OpenSSL::System* openSslSystem = 0; openSslSystem = dynamic_cast<IceSecurity::Ssl::OpenSSL::System*>(sslSystem.get()); RSA* rsaKey = openSslSystem->getRSAKey(s, isExport, keyLength); @@ -116,7 +119,7 @@ tmpDHCallback(SSL *s, int isExport, int keyLength) { IceSecurity::Ssl::SystemPtr sslSystem = IceSecurity::Ssl::Factory::getSystemFromHandle(s); - IceSecurity::Ssl::OpenSSL::System* openSslSystem = 0;
+ IceSecurity::Ssl::OpenSSL::System* openSslSystem = 0; openSslSystem = dynamic_cast<IceSecurity::Ssl::OpenSSL::System*>(sslSystem.get()); DH* dh = openSslSystem->getDHParams(s, isExport, keyLength); @@ -128,18 +131,30 @@ tmpDHCallback(SSL *s, int isExport, int keyLength) int verifyCallback(int ok, X509_STORE_CTX *ctx) { - // Tricky method to get access to our connection. I would use SSL_get_ex_data() to get
- // the Connection object, if only I had some way to retrieve the index of the object
- // in this function. Hence, we have to invent our own reference system here.
- SSL* ssl = static_cast<SSL*>(X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()));
- IceSecurity::Ssl::OpenSSL::ConnectionPtr connection = 0;
- connection = IceSecurity::Ssl::OpenSSL::Connection::getConnection(ssl);
- assert(connection);
-
- // Call the connection, get it to perform the verification.
+ // Tricky method to get access to our connection. I would use SSL_get_ex_data() to get
+ // the Connection object, if only I had some way to retrieve the index of the object
+ // in this function. Hence, we have to invent our own reference system here.
+ SSL* ssl = static_cast<SSL*>(X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()));
+ IceSecurity::Ssl::OpenSSL::ConnectionPtr connection = 0;
+ connection = IceSecurity::Ssl::OpenSSL::Connection::getConnection(ssl);
+ assert(connection);
+
+ // Call the connection, get it to perform the verification.
 return connection->verifyCertificate(ok, ctx);
 }
 
+// TODO: This is a complete hack to get this working again with the CA certificate.
+// Of course, this will have to be rewritten to handle this in the same manner
+// as the verifyCallback does.
+// -ASN
+int
+passwordCallback(char* buffer, int bufferSize, int rwFlag, void* userData)
+{
+ strncpy(buffer, "demo", bufferSize);
+ buffer[bufferSize - 1] = '\0';
+ return strlen(buffer);
+}
+
 // This code duplicates functionality that existed in the BIO library of
 // OpenSSL, but outputs to a Logger compatible source (ostringstream).
 void
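Review bot: The new `passwordCallback` hard-codes the passphrase `"demo"`, so whatever private key it is eventually used to unlock is protected by a literal that ships in the library; at present its only reference is the commented-out `SSL_CTX_set_default_passwd_cb(sslContext, passwordCallback);` further down, so it is dead code. It also writes `buffer[bufferSize - 1]` without checking `bufferSize`, and ignores `rwFlag` and `userData`. If it has to stay until the proper mechanism the TODO describes exists, guard the size and take the passphrase from the caller's `userData` (or a property) rather than a literal: `if (buffer == 0 || bufferSize <= 0) return 0;`. Otherwise remove the function together with the commented-out registration so the literal does not linger in the source.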
@@ -236,21 +251,21 @@ bio_dump_cb(BIO *bio, int cmd, const char *argp, int argi, long argl, long ret)
 {
 ostringstream outStringStream;
+ outStringStream << "PTC ";
+
 
 if (cmd == (BIO_CB_READ|BIO_CB_RETURN))
 {
- outStringStream << "PTC ";
 outStringStream << "read from " << hex << (void *)bio << " [" << hex << (void *)argp;
 outStringStream << "] (" << dec << argi << " bytes => " << ret << " (0x";
 outStringStream << hex << ret << "))";
- dump(outStringStream, argp,(int)ret);
+// dump(outStringStream, argp,(int)ret);
 }
 else if (cmd == (BIO_CB_WRITE|BIO_CB_RETURN))
 {
- outStringStream << "PTC ";
 outStringStream << "write to " << hex << (void *)bio << " [" << hex << (void *)argp;
 outStringStream << "] (" << dec << argi << " bytes => " << ret << " (0x";
 outStringStream << hex << ret << "))";
- dump(outStringStream, argp,(int)ret);
+ // dump(outStringStream, argp,(int)ret);
 }
 
 if (cmd == (BIO_CB_READ|BIO_CB_RETURN) || cmd == (BIO_CB_WRITE|BIO_CB_RETURN))
@@ -352,48 +367,50 @@ IceSecurity::Ssl::OpenSSL::System::shutdown()
 iDH++;
 }
 }
-
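Review bot: The two `dump(...)` calls in `bio_dump_cb` are commented out rather than removed, one as `//` at column 0 and one as `// ` at statement indent, which reads as a temporary toggle rather than a decision. If the intent is that the `PTC` trace lines report only pointers and byte counts and no longer write the raw read/write payload bytes to the logger (the safer default for a trace that may be captured), delete both calls and the now-unused helper declared after `verifyCallback` (presumably `dump`); if they are meant to come back, say so in a comment and keep the two sites identical. The tail of `bio_dump_cb` continues outside the hunk.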
-void
-IceSecurity::Ssl::OpenSSL::System::setTrace(const TraceLevelsPtr& traceLevels)
-{
- // Note: Due to a known bug with VC++, I cannot simply call the base-class
- // implementation here, I get a C2352 error about calling a static function.
- _traceLevels = traceLevels;
-
- DefaultCertificateVerifier* clientVerifier = dynamic_cast<DefaultCertificateVerifier*>(_clientVerifier.get());
- DefaultCertificateVerifier* serverVerifier = dynamic_cast<DefaultCertificateVerifier*>(_serverVerifier.get());
-
- if (clientVerifier)
- {
- clientVerifier->setTraceLevels(traceLevels);
- }
-
- if (serverVerifier)
- {
- serverVerifier->setTraceLevels(traceLevels);
- }
-}
-
-void
-IceSecurity::Ssl::OpenSSL::System::setLogger(const LoggerPtr& logger)
-{
- // Note: Due to a known bug with VC++, I cannot simply call the base-class
- // implementation here, I get a C2352 error about calling a static function.
- _logger = logger;
-
- DefaultCertificateVerifier* clientVerifier = dynamic_cast<DefaultCertificateVerifier*>(_clientVerifier.get());
- DefaultCertificateVerifier* serverVerifier = dynamic_cast<DefaultCertificateVerifier*>(_serverVerifier.get());
-
- if (clientVerifier)
- {
- clientVerifier->setLogger(logger);
- }
-
- if (serverVerifier)
- {
- serverVerifier->setLogger(logger);
- }
-}
+ +void +IceSecurity::Ssl::OpenSSL::System::setTrace(const TraceLevelsPtr& traceLevels) +{ + // Note: Due to a known bug with VC++, I cannot simply call the base-class + // implementation here, I get a C2352 error about calling a static function. + // Bug# Q153801 + _traceLevels = traceLevels; + + DefaultCertificateVerifier* clientVerifier = dynamic_cast<DefaultCertificateVerifier*>(_clientVerifier.get()); + DefaultCertificateVerifier* serverVerifier = dynamic_cast<DefaultCertificateVerifier*>(_serverVerifier.get()); + + if (clientVerifier) + { + clientVerifier->setTraceLevels(traceLevels); + } + + if (serverVerifier) + { + serverVerifier->setTraceLevels(traceLevels); + } +} + +void +IceSecurity::Ssl::OpenSSL::System::setLogger(const LoggerPtr& logger) +{ + // Note: Due to a known bug with VC++, I cannot simply call the base-class + // implementation here, I get a C2352 error about calling a static function. + // Bug# Q153801 + _logger = logger; + + DefaultCertificateVerifier* clientVerifier = dynamic_cast<DefaultCertificateVerifier*>(_clientVerifier.get()); + DefaultCertificateVerifier* serverVerifier = dynamic_cast<DefaultCertificateVerifier*>(_serverVerifier.get()); + + if (clientVerifier) + { + clientVerifier->setLogger(logger); + } + + if (serverVerifier) + { + serverVerifier->setLogger(logger); + } +} bool IceSecurity::Ssl::OpenSSL::System::isConfigLoaded() @@ -429,8 +446,8 @@ IceSecurity::Ssl::OpenSSL::System::loadConfig() // Walk the parse tree, get the Client configuration. if (sslConfig.loadClientConfig(clientGeneral, clientCertAuth, clientBaseCerts)) { - if (_traceLevels->security >= IceSecurity::SECURITY_PROTOCOL)
- {
+ if (_traceLevels->security >= IceSecurity::SECURITY_PROTOCOL) + { ostringstream s; s << endl; @@ -438,11 +455,14 @@ IceSecurity::Ssl::OpenSSL::System::loadConfig() s << "------------------------------" << endl; s << clientGeneral << endl << endl; + s << "CA File: " << clientCertAuth.getCAFileName() << endl; + s << "CA Path: " << clientCertAuth.getCAPath() << endl; + s << "Base Certificates - Client" << endl; s << "--------------------------" << endl; s << clientBaseCerts << endl; - _logger->trace(_traceLevels->securityCat, s.str());
+ _logger->trace(_traceLevels->securityCat, s.str()); } initClient(clientGeneral, clientCertAuth, clientBaseCerts); @@ -456,8 +476,8 @@ IceSecurity::Ssl::OpenSSL::System::loadConfig() // Walk the parse tree, get the Server configuration. if (sslConfig.loadServerConfig(serverGeneral, serverCertAuth, serverBaseCerts, serverTempCerts)) { - if (_traceLevels->security >= IceSecurity::SECURITY_PROTOCOL)
- {
+ if (_traceLevels->security >= IceSecurity::SECURITY_PROTOCOL) + { ostringstream s; s << endl; @@ -465,6 +485,9 @@ IceSecurity::Ssl::OpenSSL::System::loadConfig() s << "------------------------------" << endl; s << serverGeneral << endl << endl; + s << "CA File: " << serverCertAuth.getCAFileName() << endl; + s << "CA Path: " << serverCertAuth.getCAPath() << endl; + s << "Base Certificates - Server" << endl; s << "--------------------------" << endl; s << serverBaseCerts << endl << endl; @@ -473,11 +496,13 @@ IceSecurity::Ssl::OpenSSL::System::loadConfig() s << "--------------------------" << endl; s << serverTempCerts << endl; - _logger->trace(_traceLevels->securityCat, s.str());
+ _logger->trace(_traceLevels->securityCat, s.str()); } initServer(serverGeneral, serverCertAuth, serverBaseCerts, serverTempCerts); } + + _configLoaded = true; } RSA* 
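Review bot: `_configLoaded = true;` is set at the end of `loadConfig()` after both the `if (sslConfig.loadClientConfig(...))` and `if (sslConfig.loadServerConfig(...))` blocks have closed, so `isConfigLoaded()` reports true even when neither branch ran and no context was initialised; the start of `loadConfig()` is outside the hunk, so an earlier return may already cover a missing configuration file. If the flag is meant to say "at least one context is usable", set it inside each branch directly after `initClient(...)` and `initServer(...)` return, so that callers testing the flag before `setServerCertAuthorityCertificate` get an answer consistent with the `_sslServerContext == 0` check in that setter.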
@@ -597,6 +622,99 @@ IceSecurity::Ssl::OpenSSL::System::getDHParams(SSL *s, int isExport, int keyLeng
 return dh_tmp;
 }
 
+IceSecurity::Ssl::OpenSSL::CertificateVerifierPtr
+IceSecurity::Ssl::OpenSSL::System::certificateVerifierTypeCheck(const IceSecurity::Ssl::CertificateVerifierPtr& verifier)
+{
+ // IceSecurity::Ssl::CertificateVerifier* passedVerifier = verifier.get();
+ // IceSecurity::Ssl::OpenSSL::CertificateVerifier* castVerifier;
+ // castVerifier = dynamic_cast<IceSecurity::Ssl::OpenSSL::CertificateVerifier*>(passedVerifier);
+
+ IceSecurity::Ssl::OpenSSL::CertificateVerifierPtr castVerifier;
+ castVerifier = IceSecurity::Ssl::OpenSSL::CertificateVerifierPtr::dynamicCast(verifier);
+
+ if (!castVerifier.get())
+ {
+ IceSecurity::Ssl::CertificateVerifierTypeException cvtEx(__FILE__, __LINE__);
+ throw cvtEx;
+ }
+
+ return castVerifier;
+}
+
+void
+IceSecurity::Ssl::OpenSSL::System::setServerCertificateVerifier(const IceSecurity::Ssl::CertificateVerifierPtr& serverVerifier)
+{
+ _serverVerifier = certificateVerifierTypeCheck(serverVerifier);
+}
+
+void
+IceSecurity::Ssl::OpenSSL::System::setClientCertificateVerifier(const IceSecurity::Ssl::CertificateVerifierPtr& clientVerifier)
+{
+ _clientVerifier = certificateVerifierTypeCheck(clientVerifier);
+}
+
+void
+IceSecurity::Ssl::OpenSSL::System::setServerCertAuthorityCertificate(const string& caCertString)
+{
+ if (_sslServerContext == 0)
+ {
+ ContextException contextEx(__FILE__, __LINE__);
+
+ contextEx._message = "Server context has not been set up - ";
+ contextEx._message += "please specify an SSL server configuration file.";
+
+ throw contextEx;
+ }
+
+ assert(_sslClientContext);
+
+ RSAPublicKey pubKey(caCertString);
+
+ X509_STORE* certStore = SSL_CTX_get_cert_store(_sslServerContext);
+
+ int addedCertAuthorityCert = X509_STORE_add_cert(certStore, pubKey.getX509PublicKey());
+
+ assert(addedCertAuthorityCert != 0);
+}
+
+void
+IceSecurity::Ssl::OpenSSL::System::setClientCertAuthorityCertificate(const string& caCertString)
+{
+ if (_sslClientContext == 0)
+ {
+ ContextException contextEx(__FILE__, __LINE__);
+
+ contextEx._message = "Client context has not been set up - ";
+ contextEx._message += "please specify an SSL client configuration file.";
+
+ throw contextEx;
+ }
+
+ assert(_sslClientContext);
+
+ RSAPublicKey pubKey(caCertString);
+
+ X509_STORE* certStore = SSL_CTX_get_cert_store(_sslClientContext);
+
+ int addedCertAuthorityCert = X509_STORE_add_cert(certStore, pubKey.getX509PublicKey());
+
+ assert(addedCertAuthorityCert != 0);
+}
+
+void
+IceSecurity::Ssl::OpenSSL::System::setServerRSAKeysBase64(const std::string& privateKey, const std::string& publicKey)
+{
+ assert(_sslServerContext);
+ addKeyCert(_sslServerContext, privateKey, publicKey);
+}
+
+void
+IceSecurity::Ssl::OpenSSL::System::setClientRSAKeysBase64(const std::string& privateKey, const std::string& publicKey)
+{
+ assert(_sslClientContext);
+ addKeyCert(_sslClientContext, privateKey, publicKey);
+}
+
 //
 // Protected
 //
@@ -610,12 +728,12 @@ IceSecurity::Ssl::OpenSSL::System::System()
 _randSeeded = 0;
 _sslServerContext = 0;
 _sslClientContext = 0;
-
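Review bot: `setServerCertAuthorityCertificate` tests `_sslServerContext` for null and then asserts `_sslClientContext`, a line copied from the client version; it should read `assert(_sslServerContext);`. In both CA setters the result of `X509_STORE_add_cert` is checked only with `assert(addedCertAuthorityCert != 0)`, so a failed insert of a caller-supplied certificate (older OpenSSL versions report a duplicate this way) aborts a debug build and is silently ignored in a release build, leaving the trust store without the certificate the caller believes it added; a runtime failure like this should throw `ContextException` carrying `sslGetErrors()` as the other OpenSSL failures in this file do. `setServerRSAKeysBase64` and `setClientRSAKeysBase64` have the same asymmetry, using a bare `assert` for the missing-context case that the CA setters turn into a `ContextException`. The three commented-out `dynamic_cast` lines at the top of `certificateVerifierTypeCheck` can go now that `dynamicCast` is used.
```cpp
void
IceSecurity::Ssl::OpenSSL::System::setServerCertAuthorityCertificate(const string& caCertString)
{
    // … unchanged: throw ContextException when _sslServerContext == 0 …

    assert(_sslServerContext);

    RSAPublicKey pubKey(caCertString);

    X509_STORE* certStore = SSL_CTX_get_cert_store(_sslServerContext);

    // A failed add is a runtime condition on caller-supplied data, not a
    // programming error, so report it instead of asserting on it.
    if (X509_STORE_add_cert(certStore, pubKey.getX509PublicKey()) == 0)
    {
        ContextException contextEx(__FILE__, __LINE__);

        contextEx._message = "Unable to add the Certificate Authority certificate to the server context.\n";
        contextEx._message += sslGetErrors();

        throw contextEx;
    }
}

// … setClientCertAuthorityCertificate: the same change against _sslClientContext …
```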
- // Here we create a default verifier, which does very little other
- // than check the verification depth. This can be overridden.
- _clientVerifier = new DefaultCertificateVerifier();
- _serverVerifier = _clientVerifier;
-
+ + // Here we create a default verifier, which does very little other + // than check the verification depth. This can be overridden. + _clientVerifier = new DefaultCertificateVerifier(); + _serverVerifier = _clientVerifier; + SSL_load_error_strings(); OpenSSL_add_ssl_algorithms(); @@ -666,7 +784,7 @@ IceSecurity::Ssl::OpenSSL::System::initClient(GeneralConfig& general, // Set the certificate verification mode. SSL_CTX_set_verify(_sslClientContext, general.getVerifyMode(), verifyCallback); - // Set the certificate verify depth to 10 deep. + // Set the certificate verify depth SSL_CTX_set_verify_depth(_sslClientContext, general.getVerifyDepth()); // Process the RSA Certificate @@ -747,8 +865,8 @@ IceSecurity::Ssl::OpenSSL::System::initServer(GeneralConfig& general, SSL_CTX_set_verify(_sslServerContext, general.getVerifyMode(), verifyCallback); // Set the certificate verify depth - SSL_CTX_set_verify_depth(_sslServerContext, general.getVerifyDepth());
-
+ SSL_CTX_set_verify_depth(_sslServerContext, general.getVerifyDepth()); + // Set the default context for the SSL system (can be overridden if needed) [SERVER ONLY]. SSL_CTX_set_session_id_context(_sslServerContext, reinterpret_cast<const unsigned char *>(_sessionContext.c_str()), @@ -789,15 +907,15 @@ IceSecurity::Ssl::OpenSSL::System::getSslMethod(SslProtocol sslVersion) default : { - if (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS)
- {
- string errorString;
-
- errorString = "SSL Version ";
- errorString += sslVersion;
- errorString += " not supported - defaulting to SSL_V23.";
- _logger->trace(_traceLevels->securityCat, "WRN " + errorString);
- }
+ if (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS) + { + string errorString; + + errorString = "SSL Version "; + errorString += sslVersion; + errorString += " not supported - defaulting to SSL_V23."; + _logger->trace(_traceLevels->securityCat, "WRN " + errorString); + } sslMethod = SSLv23_method(); } @@ -845,10 +963,10 @@ IceSecurity::Ssl::OpenSSL::System::addKeyCert(SSL_CTX* sslContext, if (privateKey.getFileName().empty()) { - if (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS)
- {
- _logger->trace(_traceLevels->securityCat, "WRN No private key specified - using the certificate.");
- }
+ if (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS) + { + _logger->trace(_traceLevels->securityCat, "WRN No private key specified - using the certificate."); + } privKeyFile = publicFile; privKeyFileType = publicEncoding; @@ -896,21 +1014,21 @@ IceSecurity::Ssl::OpenSSL::System::addKeyCert(SSL_CTX* sslContext, if (privKey.empty()) { - if (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS)
- {
- _logger->trace(_traceLevels->securityCat, "WRN No private key specified - using the certificate.");
- }
+ if (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS) + { + _logger->trace(_traceLevels->securityCat, "WRN No private key specified - using the certificate."); + } privKey = publicKey; } -
- // Make a key pair based on the Base64 encoded strings
- RSAKeyPair keyPair(privateKey, publicKey);
-
- // Janitors to ensure that everything gets cleaned up properly
- RSAJanitor rsaJanitor(keyPair.getRSAPrivateKey());
- X509Janitor x509Janitor(keyPair.getX509PublicKey());
-
+ + // Make a key pair based on the Base64 encoded strings + RSAKeyPair keyPair(privateKey, publicKey); + + // Janitors to ensure that everything gets cleaned up properly + RSAJanitor rsaJanitor(keyPair.getRSAPrivateKey()); + X509Janitor x509Janitor(keyPair.getX509PublicKey()); + // Set which Public Key file to use. if (SSL_CTX_use_certificate(sslContext, x509Janitor.get()) <= 0) { @@ -928,6 +1046,8 @@ IceSecurity::Ssl::OpenSSL::System::addKeyCert(SSL_CTX* sslContext, throw contextEx; } + x509Janitor.clear(); + // Set which Private Key file to use. if (SSL_CTX_use_RSAPrivateKey(sslContext, rsaJanitor.get()) <= 0) { @@ -944,7 +1064,9 @@ IceSecurity::Ssl::OpenSSL::System::addKeyCert(SSL_CTX* sslContext, throw contextEx; } -
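Review bot: `x509Janitor.clear()` after a successful `SSL_CTX_use_certificate` (and `rsaJanitor.clear()` after `SSL_CTX_use_RSAPrivateKey` in the next hunk) reads as handing the X509/RSA object over to the context, but OpenSSL's `SSL_CTX_use_certificate` and `SSL_CTX_use_RSAPrivateKey` take their own reference on the object rather than adopting the caller's, so the caller's reference still has to be released. If `clear()` disarms the janitor without freeing (its definition is not on this page, so confirm), each `addKeyCert` call now leaks one X509 and one RSA reference for the life of the process; the fix is to leave both janitors armed so they release the caller's reference when `addKeyCert` returns. If the janitors are being cleared because `RSAKeyPair` also frees these objects, that double ownership is what should be corrected, in `RSAKeyPair`, not papered over here.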
+ + rsaJanitor.clear(); + // Check to see if the Private and Public keys that have been // set against the SSL context match up. if (!SSL_CTX_check_private_key(sslContext)) @@ -1032,7 +1154,7 @@ IceSecurity::Ssl::OpenSSL::System::sslGetErrors() } void -IceSecurity::Ssl::OpenSSL::System::commonConnectionSetup(Connection* connection) +IceSecurity::Ssl::OpenSSL::System::commonConnectionSetup(IceSecurity::Ssl::OpenSSL::Connection* connection) { connection->setTrace(_traceLevels); connection->setLogger(_logger); @@ -1044,8 +1166,7 @@ IceSecurity::Ssl::OpenSSL::System::commonConnectionSetup(Connection* connection) if (!value.empty()) { - // const_cast<int&>(handshakeReadTimeout) = atoi(value.c_str()); - handshakeReadTimeout = atoi(value.c_str());
+ handshakeReadTimeout = atoi(value.c_str()); } else { @@ -1073,19 +1194,13 @@ IceSecurity::Ssl::OpenSSL::System::createConnection(SSL_CTX* sslContext, int soc BIO_set_callback_arg(SSL_get_rbio(sslConnection), 0); } - // TODO: Remove?
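Review bot: `handshakeReadTimeout = atoi(value.c_str());` takes a configuration property with no validation: a non-numeric value silently becomes 0 and a negative value is accepted, and how `commonConnectionSetup` (which continues outside the hunk) applies either is not visible here. Parse with `strtol` and check the end pointer, or at least reject values `<= 0` with a warning in the `_traceLevels->security >= IceSecurity::SECURITY_WARNINGS` style used elsewhere in this file, so that a mistyped timeout is reported rather than silently applied.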
- // Map the SSL Connection to this SslSystem - // This is required for the OpenSSL callbacks - // to work properly. - // Factory::addSystemHandle(sslConnection, this); - return sslConnection; } void IceSecurity::Ssl::OpenSSL::System::loadCAFiles(SSL_CTX* sslContext, CertificateAuthority& certAuth) -{
- assert(sslContext);
+{ + assert(sslContext); string caFile = certAuth.getCAFileName(); string caPath = certAuth.getCAPath(); @@ -1097,7 +1212,7 @@ void IceSecurity::Ssl::OpenSSL::System::loadCAFiles(SSL_CTX* sslContext, const char* caFile, const char* caPath) { assert(sslContext); -
+ // The following checks are required to send the expected values to the OpenSSL library. // It does not like receiving "", but prefers NULLs. if ((caFile != 0) && (strlen(caFile) == 0)) @@ -1110,15 +1225,27 @@ IceSecurity::Ssl::OpenSSL::System::loadCAFiles(SSL_CTX* sslContext, const char* caPath = 0; } + // SSL_CTX_set_default_passwd_cb(sslContext, passwordCallback); + // Check the Certificate Authority file(s). - if ((!SSL_CTX_load_verify_locations(sslContext, caFile, caPath)) || - (!SSL_CTX_set_default_verify_paths(sslContext))) + int loadVerifyRet = SSL_CTX_load_verify_locations(sslContext, caFile, caPath); + + if (!loadVerifyRet) + { + if (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS) + { + _logger->trace(_traceLevels->securityCat, "WRN Unable to load Certificate Authorities."); + } + } + else { - // Non Fatal. - if (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS)
- {
- _logger->trace(_traceLevels->securityCat, "WRN Unable to load/verify Certificate Authorities.");
- }
+ int setDefaultVerifyPathsRet = SSL_CTX_set_default_verify_paths(sslContext); + + + if (!setDefaultVerifyPathsRet && (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS)) + { + _logger->trace(_traceLevels->securityCat, "WRN Unable to verify Certificate Authorities."); + } } } @@ -1126,22 +1253,33 @@ void IceSecurity::Ssl::OpenSSL::System::loadAndCheckCAFiles(SSL_CTX* sslContext, CertificateAuthority& certAuth) { assert(sslContext); -
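Review bot: With the split, `SSL_CTX_set_default_verify_paths` is attempted only when `SSL_CTX_load_verify_locations` succeeded, and OpenSSL returns 0 from `SSL_CTX_load_verify_locations` when both `caFile` and `caPath` are null, so a configuration that sets neither logs "Unable to load Certificate Authorities" and never installs the default verify paths either; that matches the old short-circuiting `||`, so it is not a regression, but the two separate warnings now suggest two independent steps that are not. If the default paths are meant as a fallback, call `SSL_CTX_set_default_verify_paths` unconditionally and call `SSL_CTX_load_verify_locations` only when at least one location is configured. The text `"WRN Unable to verify Certificate Authorities."` for the default-paths failure is also misleading, since nothing was verified; `"WRN Unable to set the default Certificate Authority verify paths."` names what failed. The commented-out `SSL_CTX_set_default_passwd_cb(sslContext, passwordCallback);` ties this function to the hard-coded "demo" callback above; either register a callback that obtains the passphrase from configuration or remove the line.
```cpp
    // … unchanged: "" -> NULL normalisation of caFile / caPath …

    // The default verify paths do not depend on the configured locations,
    // so install them first and report their failure on its own.
    if (!SSL_CTX_set_default_verify_paths(sslContext) && (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS))
    {
        _logger->trace(_traceLevels->securityCat, "WRN Unable to set the default Certificate Authority verify paths.");
    }

    // Only ask OpenSSL to load locations when at least one was configured;
    // with both NULL the call fails without having had anything to load.
    if ((caFile != 0 || caPath != 0) && !SSL_CTX_load_verify_locations(sslContext, caFile, caPath))
    {
        if (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS)
        {
            _logger->trace(_traceLevels->securityCat, "WRN Unable to load Certificate Authorities.");
        }
    }
```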
+ string caFile = certAuth.getCAFileName(); string caPath = certAuth.getCAPath(); // Check the Certificate Authority file(s). loadCAFiles(sslContext, caFile.c_str(), caPath.c_str()); - if (!caPath.empty()) + // NOTE: This might require some cleaning up. + string caCertBase64 = _properties->getProperty("Ice.Security.Ssl.Overrides.Server.CACertificate"); + if (!caCertBase64.empty()) + { + setServerCertAuthorityCertificate(caCertBase64); + } + + // TODO: Check this if things stop working + if (!caFile.empty()) { STACK_OF(X509_NAME)* certNames = SSL_load_client_CA_file(caFile.c_str()); - if ((certNames == 0) && (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS)) + if (certNames == 0) { - string errorString = "Unable to load Certificate Authorities certificate names from " + caFile + ".\n"; - errorString += sslGetErrors(); - _logger->trace(_traceLevels->securityCat, "WRN " + errorString);
+ if (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS) + { + string errorString = "Unable to load Certificate Authorities certificate names from " + caFile + ".\n"; + errorString += sslGetErrors(); + _logger->trace(_traceLevels->securityCat, "WRN " + errorString); + } } else { @@ -1153,7 +1291,7 @@ IceSecurity::Ssl::OpenSSL::System::loadAndCheckCAFiles(SSL_CTX* sslContext, Cert DH* IceSecurity::Ssl::OpenSSL::System::loadDHParam(const char* dhfile) { - assert(dhfile);
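Review bot: `loadAndCheckCAFiles` receives the `sslContext` it is configuring as a parameter, yet the new `Ice.Security.Ssl.Overrides.Server.CACertificate` override is always applied through `setServerCertAuthorityCertificate`, i.e. to `_sslServerContext`, whichever context was passed in. If this routine is also run for the client context (its callers are not on this page), the override lands in the wrong trust store, and in a client-only setup the `_sslServerContext == 0` check in that setter throws `ContextException` out of client initialisation. Apply the override to the `sslContext` argument and let the caller supply the property for its side; the property name is kept below as a first step. The `// TODO: Check this if things stop working` comment should also say what to watch, namely the guard changing from `caPath` to `caFile` for `SSL_load_client_CA_file`, which takes a file.
```cpp
    // NOTE: applied to the context being configured, not to _sslServerContext,
    // so the same routine serves the client and the server context.
    string caCertBase64 = _properties->getProperty("Ice.Security.Ssl.Overrides.Server.CACertificate");
    if (!caCertBase64.empty())
    {
        RSAPublicKey caCert(caCertBase64);
        X509_STORE* certStore = SSL_CTX_get_cert_store(sslContext);

        if (X509_STORE_add_cert(certStore, caCert.getX509PublicKey()) == 0)
        {
            ContextException contextEx(__FILE__, __LINE__);

            contextEx._message = "Unable to add the override Certificate Authority certificate.\n";
            contextEx._message += sslGetErrors();

            throw contextEx;
        }
    }

    // … unchanged: SSL_load_client_CA_file handling guarded by !caFile.empty() …
```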
+ assert(dhfile); DH* ret = 0; BIO* bio; @@ -1207,6 +1345,8 @@ IceSecurity::Ssl::OpenSSL::System::setDHParams(SSL_CTX* sslContext, BaseCertific string dhFile; int encoding = 0; + // TODO: This just looks plain wrong. RSA instead of DH params??? -ASN + if (baseCerts.getDHParams().getKeySize() != 0) { dhFile = baseCerts.getDHParams().getFileName(); @@ -1229,11 +1369,11 @@ IceSecurity::Ssl::OpenSSL::System::setDHParams(SSL_CTX* sslContext, BaseCertific if (dh == 0) { - if (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS)
- {
- _logger->trace(_traceLevels->securityCat,
- "WRN Could not load Diffie-Hellman params, generating a temporary 512bit key.");
- }
+ if (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS) + { + _logger->trace(_traceLevels->securityCat, + "WRN Could not load Diffie-Hellman params, generating a temporary 512bit key."); + } dh = getTempDH512(); } @@ -1249,12 +1389,12 @@ IceSecurity::Ssl::OpenSSL::System::setDHParams(SSL_CTX* sslContext, BaseCertific void IceSecurity::Ssl::OpenSSL::System::setCipherList(SSL_CTX* sslContext, const string& cipherList) { - if (!cipherList.empty() && (!SSL_CTX_set_cipher_list(sslContext, cipherList.c_str())) &&
+ if (!cipherList.empty() && (!SSL_CTX_set_cipher_list(sslContext, cipherList.c_str())) && (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS)) { string errorString = "WRN Error setting cipher list " + cipherList + " - using default list.\n"; errorString += sslGetErrors(); - _logger->trace(_traceLevels->securityCat, errorString);
+ _logger->trace(_traceLevels->securityCat, errorString); } } @@ -1335,11 +1475,11 @@ IceSecurity::Ssl::OpenSSL::System::initRandSystem(const string& randBytesFiles) { long randBytesLoaded = 0; - if (!seedRand() && randBytesFiles.empty() && !RAND_status() &&
+ if (!seedRand() && randBytesFiles.empty() && !RAND_status() && (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS)) { - _logger->trace(_traceLevels->securityCat,
- "WRN There is a lack of random data, consider specifying a random data file.");
+ _logger->trace(_traceLevels->securityCat, + "WRN There is a lack of random data, consider specifying a random data file."); } if (!randBytesFiles.empty()) |