ACE_SSL_Context (void)
    Constructor.
~ACE_SSL_Context (void)
    Destructor.
int set_mode (int mode=ACE_SSL_Context::SSLv23)
int get_mode (void) const
SSL_CTX * context (void)
    Get the SSL context.
int private_key_type (void) const
    Get the file name and file format used for the private key.
const char * private_key_file_name (void) const
int private_key (const char *file_name, int type=SSL_FILETYPE_PEM)
    Set the private key file.
int verify_private_key (void)
    Verify that the private key is valid.
int certificate_type (void) const
    Get the file name and file format used for the certificate file.
const char * certificate_file_name (void) const
int certificate (const char *file_name, int type=SSL_FILETYPE_PEM)
    Set the certificate file.
int certificate (X509 *cert)
    Load certificate from memory rather than a file.
int filter_versions (const char *filter)
    Parse the string and filter crypto versions accordingly.
bool check_host (const ACE_INET_Addr &host, SSL *peerssl)
    Verify that the peer certificate matches the host.
int load_trusted_ca (const char *ca_file=0, const char *ca_dir=0, bool use_env_defaults=true)
int have_trusted_ca (void) const
void set_verify_peer (int strict=0, int once=1, int depth=0)
void default_verify_mode (int mode)
int default_verify_mode (void) const
void default_verify_callback (extern_C_CallBackVerify_t)
extern_C_CallBackVerify_t default_verify_callback (void) const

When using DSS-based certificates, Diffie-Hellman keys need to be exchanged. These must be provided in the form of DH key generation parameters loaded in, or as fixed keys hardcoded into the code itself. ACE_SSL supports loaded parameters.

int dh_params (const char *file_name, int type=SSL_FILETYPE_PEM)
const char * dh_params_file_name () const
int dh_params_file_type () const
A wrapper for the OpenSSL SSL_CTX related functions.
This class provides a wrapper for the SSL_CTX data structure. Since most applications have a single SSL_CTX structure, this class can be used as a singleton.
int ACE_SSL_Context::load_trusted_ca (const char *ca_file = 0, const char *ca_dir = 0, bool use_env_defaults = true)
Load the location of the trusted certification authority certificates. Note that CA certificates are stored in PEM format as a sequence of certificates in ca_file or as a set of individual certificates in ca_dir (or both).
Note this method is called by set_mode() to load the default environment settings for ca_file and ca_dir, if any. This allows for automatic service configuration (and backward compatibility with previous versions).
Note that the underlying SSL function will add valid file and directory names to the load location lists maintained as part of the SSL_CTX table. It therefore doesn't make sense to keep a copy of the file and path name of the most recently added ca_file or ca_path.
- Parameters
  - [in] ca_file: CA file pathname. Passed to SSL_CTX_load_verify_locations() if not 0. If 0, behavior depends on the value of use_env_defaults.
  - [in] ca_dir: CA directory pathname. Passed to SSL_CTX_load_verify_locations() if not 0. If 0, behavior depends on the value of use_env_defaults.
  - [in] use_env_defaults: If false, the specified ca_file argument is passed to SSL_CTX_load_verify_locations(), regardless of its value. If true (the default), additional defaults can be applied to either ca_file, ca_dir, or both. The following additional defaults are applied when the ca_file argument is 0:
    - The SSL_CERT_FILE environment variable will be queried for a file name to use as the ca_file argument. The environment variable name to query can be changed by supplying an ACE_SSL_CERT_FILE_ENV configuration item when building ACE.
    - If there is no SSL_CERT_FILE in the current environment, the file specified by the ACE_DEFAULT_SSL_CERT_FILE ACE configuration item will be used. The default value is "cert.pem" on Windows and "/etc/ssl/cert.pem" on all other platforms.
    The following additional defaults are applied when the ca_dir argument is 0:
    - The SSL_CERT_DIR environment variable will be queried for a directory name to use as the ca_dir argument. The environment variable name to query can be changed by supplying an ACE_SSL_CERT_DIR_ENV configuration item when building ACE.
    - If there is no SSL_CERT_DIR in the current environment, the directory specified by the ACE_DEFAULT_SSL_CERT_DIR ACE configuration item will be used. The default value is "certs" on Windows and "/etc/ssl/certs" on all other platforms.
- Returns
  - 0 for success or -1 on error.
- See also
  - OpenSSL manual SSL_CTX_load_verify_locations(3) for a detailed description of the CA file and directory requirements and processing.
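The fallback order described above decides which trust store a process ends up verifying peers against, so it is worth seeing it in isolation. The following stand-alone C++ program is an added example, not ACE's own code: it models the documented resolution of ca_file and ca_dir (explicit argument, then the SSL_CERT_FILE / SSL_CERT_DIR environment variable when use_env_defaults is true, then the compiled-in default) without calling OpenSSL. The compiled-in defaults assume a non-Windows build that did not override ACE_DEFAULT_SSL_CERT_FILE or ACE_DEFAULT_SSL_CERT_DIR, and the environment variable values it sets are constructed for the demonstration. An empty string in the result stands for a null pointer being handed to SSL_CTX_load_verify_locations().

```cpp
#include <cstdio>
#include <cstdlib>
#include <string>

// Assumed compiled-in defaults: the documented non-Windows values of
// ACE_DEFAULT_SSL_CERT_FILE and ACE_DEFAULT_SSL_CERT_DIR.
static const char *const kDefaultCertFile = "/etc/ssl/cert.pem";
static const char *const kDefaultCertDir  = "/etc/ssl/certs";
// Documented default names for ACE_SSL_CERT_FILE_ENV / ACE_SSL_CERT_DIR_ENV.
static const char *const kCertFileEnv = "SSL_CERT_FILE";
static const char *const kCertDirEnv  = "SSL_CERT_DIR";

struct CaLocations {
    std::string file;  // empty string models a null ca_file
    std::string dir;   // empty string models a null ca_dir
};

// Resolve one slot (file or dir). An explicit argument always wins. With
// use_env_defaults == false a null argument stays null. With it true, the
// environment variable is consulted and then the compiled-in default.
static std::string resolve_slot(const char *explicit_value,
                                const char *env_name,
                                const char *compiled_default,
                                bool use_env_defaults)
{
    if (explicit_value != 0)
        return explicit_value;
    if (!use_env_defaults)
        return std::string();
    const char *from_env = std::getenv(env_name);
    if (from_env != 0)
        return from_env;
    return compiled_default;
}

// Model of the documented load_trusted_ca() argument resolution (hypothetical
// helper; the real method passes the results straight to OpenSSL).
CaLocations resolve_ca_locations(const char *ca_file, const char *ca_dir,
                                 bool use_env_defaults)
{
    CaLocations out;
    out.file = resolve_slot(ca_file, kCertFileEnv, kDefaultCertFile, use_env_defaults);
    out.dir  = resolve_slot(ca_dir,  kCertDirEnv,  kDefaultCertDir,  use_env_defaults);
    return out;
}

// True when the caller fixed both locations explicitly, so the process
// environment cannot redirect which CA set is trusted.
bool trust_store_pinned(const char *ca_file, const char *ca_dir, bool use_env_defaults)
{
    return !use_env_defaults || (ca_file != 0 && ca_dir != 0);
}

static void show(const char *label, const CaLocations &loc)
{
    std::printf("%-34s file=%-38s dir=%s\n", label,
                loc.file.empty() ? "(null)" : loc.file.c_str(),
                loc.dir.empty()  ? "(null)" : loc.dir.c_str());
}

int main()
{
    // Clean environment: defaults come from the compiled-in values.
    unsetenv(kCertFileEnv);
    unsetenv(kCertDirEnv);
    show("no args, env defaults on", resolve_ca_locations(0, 0, true));

    // Constructed environment value: it silently replaces the CA bundle.
    setenv(kCertFileEnv, "/tmp/constructed-bundle.pem", 1);
    show("no args, SSL_CERT_FILE set", resolve_ca_locations(0, 0, true));

    // An explicit argument is unaffected by the environment.
    show("explicit file, SSL_CERT_FILE set",
         resolve_ca_locations("/opt/app/ca.pem", "/opt/app/certs", true));

    // use_env_defaults == false: nulls stay null, environment is ignored.
    show("no args, env defaults off", resolve_ca_locations(0, 0, false));
    unsetenv(kCertFileEnv);
    return 0;
}
```

A server or client that relies on the defaults inherits whatever SSL_CERT_FILE and SSL_CERT_DIR are present in the process environment; passing both paths explicitly, or setting use_env_defaults to false, is what makes the trust anchors a property of the configuration rather than of the environment.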
void ACE_SSL_Context::set_verify_peer (int strict = 0, int once = 1, int depth = 0)
- Todo:
  - Complete this documentation where ellipses (...) are used.
Use this method when certificate chain verification is required. The default server behaviour is SSL_VERIFY_NONE, i.e. client certificates are neither requested nor verified. This method can be used to configure the server to request client certificates and perform the certificate verification. If <strict> is set true, the client connection is rejected when certificate verification fails. Otherwise the session is accepted with a warning, which is the default behaviour. If <once> is set true (default), certificates are requested only once per session. The last parameter <depth> can be used to set the verification depth.
Note that for verification to work correctly there should be a valid CA name list set using load_trusted_ca().
- See also
  - OpenSSL documentation of SSL_CTX_set_verify(3) for details of the verification process.
  - OpenSSL documentation ... set_verify_depth(3) ...
Note that this method overrides the use of the default_verify_mode() method.
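The practical difference between strict and non-strict verification is what happens when a client presents no certificate at all. The stand-alone C++ program below is an added example, not ACE's code: it models the mode bits that the documented strict and once parameters map onto and then evaluates the server-side handshake outcome under the rules of SSL_CTX_set_verify(3) for the case where no verify callback is installed. The OpenSSL flag values are copied from <openssl/ssl.h> under local names so that the example builds without OpenSSL; the mapping from strict/once to flags is taken from the description above and is an assumption about ACE's implementation.

```cpp
#include <cstdio>

// Verify-mode bits with the values OpenSSL defines in <openssl/ssl.h>,
// renamed so this example compiles without the OpenSSL headers.
enum {
    VERIFY_NONE                 = 0x00,
    VERIFY_PEER                 = 0x01,
    VERIFY_FAIL_IF_NO_PEER_CERT = 0x02,
    VERIFY_CLIENT_ONCE          = 0x04
};

// Assumed mapping of set_verify_peer(strict, once, ...) onto mode bits, as
// described in the documentation: peer verification is requested; strict
// additionally fails the handshake when no certificate is presented; once
// asks for the certificate only on the initial handshake.
int verify_mode_for(int strict, int once)
{
    int mode = VERIFY_PEER;
    if (strict) mode |= VERIFY_FAIL_IF_NO_PEER_CERT;
    if (once)   mode |= VERIFY_CLIENT_ONCE;
    return mode;
}

// Server-side outcome per SSL_CTX_set_verify(3) without a verify callback:
//  - VERIFY_PEER clear: no certificate is requested, handshake continues.
//  - VERIFY_PEER set and the client presents a certificate: the chain must
//    verify against the CAs loaded with load_trusted_ca().
//  - VERIFY_PEER set and no certificate presented: tolerated unless
//    VERIFY_FAIL_IF_NO_PEER_CERT is also set.
bool server_accepts(int mode, bool client_sent_cert, bool chain_valid)
{
    if ((mode & VERIFY_PEER) == 0)
        return true;
    if (!client_sent_cert)
        return (mode & VERIFY_FAIL_IF_NO_PEER_CERT) == 0;
    return chain_valid;
}

// True when the configured mode actually requires every client to prove its
// identity, which is what a mutual-TLS deployment needs to check for.
bool client_cert_required(int mode)
{
    return (mode & VERIFY_PEER) != 0 && (mode & VERIFY_FAIL_IF_NO_PEER_CERT) != 0;
}

int main()
{
    const int lenient = verify_mode_for(0, 1);  // the documented defaults
    const int strict  = verify_mode_for(1, 1);

    struct Case { const char *name; bool sent; bool valid; } cases[] = {
        { "no client certificate",       false, false },
        { "certificate, chain invalid",  true,  false },
        { "certificate, chain valid",    true,  true  },
    };

    std::printf("%-30s %-10s %-10s\n", "client behaviour", "strict=0", "strict=1");
    for (const Case &c : cases)
        std::printf("%-30s %-10s %-10s\n", c.name,
                    server_accepts(lenient, c.sent, c.valid) ? "accept" : "reject",
                    server_accepts(strict,  c.sent, c.valid) ? "accept" : "reject");
    return 0;
}
```

With the defaults (strict = 0) a client that simply omits its certificate is let through, which is the "accepted with a warning" case the documentation describes; only strict = 1 turns the request for a client certificate into a requirement.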