#include "conf.h"
#include "log.h"
+#include "memory.h"
#include "ssl.h"
/*
static SSL_CTX *context;
static EVP_PKEY *pkey;
+static char const * ciphers = "EECDH+CHACHA20:EECDH+AESGCM:EECDH+AES+TLSv1.2:EECDH+AES:AESGCM:AES:!aNULL:!DHE:!kECDH";
+
static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx);
static int SSL_add_ext(X509 * crt, int nid, char *value) {
return 1;
}
-static X509 *SSL_readcert(char *certfile)
-{
- FILE *fp;
- X509 *x509;
-
- /* open the certificate file */
- fp = fopen(certfile, "r");
- if (fp == NULL) {
- Log_warn("Unable to open the X509 file %s for reading.", certfile);
- return NULL;
- }
-
- /* allocate memory for the cert structure */
- x509 = X509_new();
-
- if (PEM_read_X509(fp, &x509, NULL, NULL) == 0) {
- /* error reading the x509 information - check the error stack */
- Log_warn("Error trying to read X509 info.");
- fclose(fp);
- X509_free(x509);
- return NULL;
- }
- fclose(fp);
- return x509;
-}
-
static RSA *SSL_readprivatekey(char *keyfile)
{
FILE *fp;
char *key = (char *)getStrConf(KEY);
if (context) {
- bool did_load_cert = SSL_CTX_use_certificate_chain_file(context, crt);
+ bool_t did_load_cert = SSL_CTX_use_certificate_chain_file(context, crt);
rsa = SSL_readprivatekey(key);
if (!rsa || !did_load_cert) {
int i, offset = 0, cipherstringlen = 0;
STACK_OF(SSL_CIPHER) *cipherlist = NULL, *cipherlist_new = NULL;
SSL_CIPHER *cipher;
- char *cipherstring;
+ char *cipherstring = NULL;
SSL_library_init();
OpenSSL_add_all_algorithms();
ERR_load_crypto_strings();
context = SSL_CTX_new(SSLv23_server_method());
+ SSL_CTX_set_options(context, SSL_OP_NO_SSLv2);
+ SSL_CTX_set_options(context, SSL_OP_NO_SSLv3);
+ SSL_CTX_set_options(context, SSL_OP_CIPHER_SERVER_PREFERENCE);
if (context == NULL)
{
ERR_print_errors_fp(stderr);
abort();
}
+ SSL_CTX_set_cipher_list(context, ciphers);
+
+ EC_KEY *ecdhkey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+ SSL_CTX_set_tmp_ecdh(context, ecdhkey);
+ EC_KEY_free(ecdhkey);
+
char const * sslCAPath = getStrConf(CAPATH);
if(sslCAPath != NULL)
{
Log_debug("%s", SSL_CIPHER_get_name(cipher));
cipherstringlen += strlen(SSL_CIPHER_get_name(cipher)) + 1;
}
- cipherstring = malloc(cipherstringlen + 1);
- if (cipherstring == NULL)
- Log_fatal("Out of memory");
+ cipherstring = Memory_safeMalloc(1, cipherstringlen + 1);
for (i = 0; (cipher = sk_SSL_CIPHER_value(cipherlist_new, i)) != NULL; i++) {
offset += sprintf(cipherstring + offset, "%s:", SSL_CIPHER_get_name(cipher));
}
if (cipherlist_new)
sk_SSL_CIPHER_free(cipherlist_new);
- if (strlen(cipherstring) == 0)
+ if (!cipherstring || !*cipherstring)
Log_fatal("No suitable ciphers found!");
if (SSL_CTX_set_cipher_list(context, cipherstring) == 0)
}
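Review bot: The three `SSL_CTX_set_options(context, ...)` calls added directly after `SSL_CTX_new()` execute before the `if (context == NULL)` check that follows them, so a failed context allocation is handed to OpenSSL before the abort() path can catch it; move those three lines to just after the closing brace of the NULL-check block. The `ecdhkey` returned by `EC_KEY_new_by_curve_name()` is also passed to `SSL_CTX_set_tmp_ecdh()` unchecked, so a NULL result (unsupported curve, allocation failure) should be caught first with `if (ecdhkey == NULL) Log_fatal("Unable to create ECDH key");`. The new `SSL_CTX_set_cipher_list(context, ciphers)` call ignores its return value, unlike the later call with `cipherstring`, so a hard-coded list that OpenSSL cannot use would fail silently; test it the same way. With `Memory_safeMalloc` presumably aborting on failure (it replaces the `Log_fatal("Out of memory")` path), the `!cipherstring` half of the new condition is redundant, and whether `!*cipherstring` is meaningful when the cipher loop runs zero times depends on that helper zero-filling, which is not visible here. The enclosing function starts and ends outside the hunk.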
len = i2d_X509(x509, NULL);
- buf = malloc(len);
- if (buf == NULL) {
- Log_fatal("malloc");
- }
+ buf = Memory_safeMalloc(1, len);
p = buf;
i2d_X509(x509, &p);
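Review bot: `len = i2d_X509(x509, NULL)` returns a negative value when encoding fails, and the new `Memory_safeMalloc(1, len)` call passes that straight through as a size, where it converts to a very large unsigned count; guard it with `if (len < 0) Log_fatal("i2d_X509 failed");` before the allocation. The second `i2d_X509(x509, &p)` call is likewise unchecked, though that is pre-existing rather than introduced here. The enclosing function starts and ends outside the hunk.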
* it for something special
*/
if (!preverify_ok && (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT)) {
- X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf, 256);
+ X509_NAME_oneline(X509_get_issuer_name(err_cert), buf, 256);
Log_warn("issuer= %s", buf);
}
return 1;