Fix SSL errors

This commit is contained in:
jbajic 2022-03-02 16:35:14 +01:00 committed by János Benjamin Antal
parent 695bb343f1
commit 770ea1189a

View File

@ -10,6 +10,9 @@
// licenses/APL.txt. // licenses/APL.txt.
#include "communication/context.hpp" #include "communication/context.hpp"
#include <boost/asio/ssl/context.hpp>
#include <boost/asio/ssl/verify_mode.hpp>
#include <boost/system/detail/error_code.hpp>
#include "utils/logging.hpp" #include "utils/logging.hpp"
@ -75,39 +78,29 @@ bool ClientContext::use_ssl() { return use_ssl_; }
ServerContext::ServerContext(const std::string &key_file, const std::string &cert_file, const std::string &ca_file, ServerContext::ServerContext(const std::string &key_file, const std::string &cert_file, const std::string &ca_file,
bool verify_peer) { bool verify_peer) {
#if OPENSSL_VERSION_NUMBER < 0x10100000L ctx_.emplace(boost::asio::ssl::context::tls_server);
auto *ctx = SSL_CTX_new(SSLv23_server_method()); ctx_->set_default_verify_paths();
#else // TODO: add support for encrypted private keys
auto *ctx = SSL_CTX_new(TLS_server_method()); // TODO: add certificate revocation list (CRL)
#endif boost::system::error_code ec;
// TODO (mferencevic): add support for encrypted private keys ctx_->use_certificate_chain_file(cert_file, ec);
// TODO (mferencevic): add certificate revocation list (CRL) MG_ASSERT(!ec, "Couldn't load server certificate from file: {}", cert_file);
MG_ASSERT(SSL_CTX_use_certificate_file(ctx, cert_file.c_str(), SSL_FILETYPE_PEM) == 1, ctx_->use_private_key_file(key_file, boost::asio::ssl::context::pem, ec);
"Couldn't load server certificate from file: {}", cert_file); MG_ASSERT(!ec, "Couldn't load server private key from file: {}", key_file);
MG_ASSERT(SSL_CTX_use_PrivateKey_file(ctx, key_file.c_str(), SSL_FILETYPE_PEM) == 1,
"Couldn't load server private key from file: {}", key_file);
// Disable legacy SSL support. Other options can be seen here: ctx_->set_options(SSL_OP_NO_SSLv3, ec);
// https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_options.html MG_ASSERT(!ec, "Setting options to SSL context failed!");
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
if (ca_file != "") { if (!ca_file.empty()) {
// Load the certificate authority file. // Load the certificate authority file.
MG_ASSERT(SSL_CTX_load_verify_locations(ctx, ca_file.c_str(), nullptr) == 1, boost::system::error_code ec;
"Couldn't load certificate authority from file: {}", ca_file); ctx_->load_verify_file(ca_file, ec);
MG_ASSERT(!ec, "Couldn't load certificate authority from file: {}", ca_file);
if (verify_peer) { if (verify_peer) {
// Add the CA to list of accepted CAs that is sent to the client.
STACK_OF(X509_NAME) *ca_names = SSL_load_client_CA_file(ca_file.c_str());
MG_ASSERT(ca_names != nullptr, "Couldn't load certificate authority from file: {}", ca_file);
// `ca_names` doesn' need to be free'd because we pass it to
// `SSL_CTX_set_client_CA_list`:
// https://mta.openssl.org/pipermail/openssl-users/2015-May/001363.html
SSL_CTX_set_client_CA_list(ctx, ca_names);
// Enable verification of the client certificate. // Enable verification of the client certificate.
// NOLINTNEXTLINE(hicpp-signed-bitwise) ctx_->set_verify_mode(boost::asio::ssl::verify_peer | boost::asio::ssl::verify_fail_if_no_peer_cert, ec);
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr); MG_ASSERT(!ec, "Setting SSL verification mode failed!");
} }
} }
} }