tcp::SSLContext Class Reference

Encapsulates an openSSL SSL_CTX record. More...

#include <tcpssl.h>

Public Member Functions
	SSLContext (SSLMode mode)
	Constructor. More...
virtual	~SSLContext ()
	Destructor.
void	setOptions (bool verifypeer=false, bool compression=true, bool tlsonly=false)
	Sets default options for all SSL objects created from this context. More...
bool	useDefaultVerifyPaths ()
	Use the default operating system certificate store for validation. More...
bool	setVerifyPaths (const char *cafile=NULL, const char *capath=NULL)
	Use the specified CA certificate or certificate directory. More...
bool	setVerifyPaths (string &cafile, string &capath)
bool	setCertificateAndKey (const char *certfile, const char *keyfile)
	Sets the certificate filename and key filename. More...
void	setPrivateKeyPassword (string value)
	Sets the value of the private key password.
virtual int	passwordCallback (char *buf, int size, int rwflag)
	Called when a password to decrypt a private key is required. More...

Protected Attributes
SSL_CTX *	ctx_
	The openSSL context object.
SSLMode	mode_
	The mode of the context object is passed to SSL objects created from this context.

Friends
class	SSL

Detailed Description

Encapsulates an openSSL SSL_CTX record.

Definition at line 41 of file tcpssl.h.

Constructor & Destructor Documentation

SSLContext()

tcp::SSLContext::SSLContext

(

SSLMode

mode

)

Constructor.

Parameters

mode	[in] Is this context record for client connections or a server

Definition at line 242 of file tcpssl.cpp.

                                   : mode_(mode)
{
  initSSLLibrary();
  const SSL_METHOD *meth = (mode == SSLMode::SERVER) ? TLS_server_method() : TLS_client_method();
  unsigned long ssl_err = ERR_get_error();
  if (meth == NULL) {
    print_error_string(ssl_err, "TLS_method");
    return;
  }
  ctx_ = SSL_CTX_new(meth);
  ssl_err = ERR_get_error();
  if (ctx_ == NULL) {
    print_error_string(ssl_err, "SSL_CTX_new");
    return;
  }
}

Here is the call graph for this function:

Member Function Documentation

passwordCallback()

int tcp::SSLContext::passwordCallback ( char *  buf, int  size, int  rwflag  )

virtual

Called when a password to decrypt a private key is required.

Descendant classes may want to override this to provide a more secure means of storing the private key password. The default behavior is to return the value of keypass_.

Remarks

See the openSSL function SSL_CTX_set_default_passwd_cb for more details

This must be public because it is called from the passwordCallback() function

This password callback function only applies to private keys assigned to this SSL_CTX object, it is not 'inherited' from any SSL objects created from it.

Definition at line 382 of file tcpssl.cpp.

{
  (void)rwflag;
  if (!keypass_.empty()) {
    int lsize = max<int>(size,keypass_.length());
    strncpy(buf,keypass_.c_str(),lsize);
    return lsize;
  } else {
    return 0;
  }
}

setCertificateAndKey()

bool tcp::SSLContext::setCertificateAndKey	(	const char *	certfile,
		const char *	keyfile
	)

Sets the certificate filename and key filename.

Sets the certificate and key file for all SSL connections created from this context. This is primarily intended for servers but clients may want to connect to more than one server using the same certificate and key. This default certificate and key set can be overriden for a specific connection using the equivelant method from the SSL class.

Parameters

certfile	[in] The filename of a certificate chain in PEM (or CRT) format
keyfile	[in] The filename of a private key in PEM (or CRT) format

Returns

True of the certificate and key were successfully set, false otherwise. Check cerr log for details.

Remarks

If the keyfile requires a password to decrypt, passwordCallback will be called to provide that password.

Definition at line 340 of file tcpssl.cpp.

{
  long res = 1;
  unsigned long ssl_err = 0;
 
  if ((certfile && !keyfile) || (!certfile && keyfile)) {
    cerr << "Error: Both a certificate and a private key file are required" << endl;
    return false;
  }  
 
  if (certfile && keyfile) {
    res = SSL_CTX_use_certificate_file(ctx_, certfile,  SSL_FILETYPE_PEM);
    ssl_err = ERR_get_error();
    if ( res != 1) {
      print_error_string(ssl_err,"SSL_CTX_use_certificate_file");
      return false;
    }
 
    res = SSL_CTX_use_PrivateKey_file(ctx_, keyfile, SSL_FILETYPE_PEM);
    ssl_err = ERR_get_error();
    if (res != 1) {
      print_error_string(ssl_err,"SSL_CTX_use_PrivateKey_file");
      return false;
    }
 
    /* Make sure the key and certificate file match. */
    res = SSL_CTX_check_private_key(ctx_);
    ssl_err = ERR_get_error();
    if ( res != 1) {
      print_error_string(ssl_err,"SSL_CTX_check_private_key");
      return false;
    }
 
    SSL_CTX_set_default_passwd_cb(ctx_,&ctx_password_callback);
    SSL_CTX_set_default_passwd_cb_userdata(ctx_,this);
    
    return true;
  } else {
    return false;
  }
}

setOptions()

void tcp::SSLContext::setOptions	(	bool	verifypeer = false,
		bool	compression = true,
		bool	tlsonly = false
	)

Sets default options for all SSL objects created from this context.

Parameters

verifypeer	[in] If true, the server/client will validate the peer certificate
compression	[in] Set to false to disable SSL compression
tlsonly	[in] if true, disable the SSLv2 and SSLv3 protocols. This is recommended.

Remarks

Logs error information to cerr but does not return error information.

Definition at line 264 of file tcpssl.cpp.

{
  long flags = 0;
    
  if (verifypeer) {
    if (mode_ == SSLMode::SERVER) {
      SSL_CTX_set_verify(ctx_, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_CLIENT_ONCE, verify_callback);
    } else {
      SSL_CTX_set_verify(ctx_, SSL_VERIFY_PEER, verify_callback);
    }
  } else {
    SSL_CTX_set_verify(ctx_, SSL_VERIFY_NONE, NULL);
  }
  SSL_CTX_set_verify_depth(ctx_, 4);
  
  if (tlsonly) {
    flags = SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
    SSL_CTX_set_min_proto_version(ctx_,TLS1_VERSION);
  } else {
    flags = SSL_OP_ALL;
  }
 
  if (!compression) {
    flags |= SSL_OP_NO_COMPRESSION;
  }  
 
  SSL_CTX_set_options(ctx_, flags);
  
  printSSLErrors();  
}

setVerifyPaths()

bool tcp::SSLContext::setVerifyPaths	(	const char *	cafile = NULL,
		const char *	capath = NULL
	)

Use the specified CA certificate or certificate directory.

Provide one or the other or set both to NULL to use the operating system certificate store

Parameters

cafile	[in] The filename of a CA certificate chain in PEM (or CRT) format
capath	[in] The path of a directory containing CA certificates that are considered valid

Returns

True if the CA filename or CA path were set successfully, false otherwise. Check cerr log for details.

Definition at line 315 of file tcpssl.cpp.

{
  long res = 1;
  unsigned long ssl_err = 0;
 
  if (cafile || capath) {
    res = SSL_CTX_load_verify_locations(ctx_, cafile, capath); 
    ssl_err = ERR_get_error();
    if (res == 0) {
      print_error_string(ssl_err,"SSL_CTX_load_verify_locations");
      return false;
    }
  } else {
    res = SSL_CTX_set_default_verify_paths(ctx_);
    ssl_err = ERR_get_error();
    if (res == 0) {
      print_error_string(ssl_err,"SSL_CTX_set_default_verify_paths");
      return false;
    }
  }
  
  printSSLErrors();
  return true;
}

Here is the call graph for this function:

useDefaultVerifyPaths()

bool tcp::SSLContext::useDefaultVerifyPaths ( )

inline

Use the default operating system certificate store for validation.

Returns

True if the CA filename or CA path were set successfully, false otherwise. Check cerr log for details.

Definition at line 62 of file tcpssl.h.

{ return setVerifyPaths(NULL,NULL); }

---

The documentation for this class was generated from the following files:

• include/tcpssl.h
• src/tcpssl.cpp