author | Ed Tanous <ed.tanous@intel.com> | 2017-03-13 23:39:49 +0300 |
---|---|---|
committer | Ed Tanous <ed.tanous@intel.com> | 2017-03-13 23:41:09 +0300 |
commit | c4771fb4cecd77272a72f3265d19096c83e5e8e9 (patch) | |
tree | 0193c46e782b4856871002c0b3d96d95f5d7bfe0 /include/ssl_key_handler.hpp | |
parent | 9b65f1fdcfcaaa22719a83be26dbcb5dbe855b0c (diff) | |
download | bmcweb-c4771fb4cecd77272a72f3265d19096c83e5e8e9.tar.xz |
Diffstat (limited to 'include/ssl_key_handler.hpp')
-rw-r--r-- | include/ssl_key_handler.hpp | 88 |
1 files changed, 81 insertions, 7 deletions
diff --git a/include/ssl_key_handler.hpp b/include/ssl_key_handler.hpp
index 69987b98fa..6e09cbe201 100644
--- a/include/ssl_key_handler.hpp
+++ b/include/ssl_key_handler.hpp
@@ -11,6 +11,8 @@
 #include <openssl/rsa.h>
 #include <openssl/ssl.h>
+#include <boost/asio.hpp>
+
 #include <g3log/g3log.hpp>
 namespace ensuressl {
@@ -40,7 +42,7 @@ inline bool verify_openssl_key_cert(const std::string &filepath) {
 RSA *rsa = EVP_PKEY_get1_RSA(pkey);
 if (rsa){
 if (RSA_check_key(rsa) == 1) {
- private_key_valid = true;
+ //private_key_valid = true;
 } else {
 LOG(WARNING) << "Key not valid error number " << ERR_get_error();
 }
@@ -53,7 +55,7 @@ inline bool verify_openssl_key_cert(const std::string &filepath) {
 EC_KEY* ec = EVP_PKEY_get1_EC_KEY(pkey);
 if (ec){
 if (EC_KEY_check_key(ec) == 1) {
- //private_key_valid = true;
+ private_key_valid = true;
 } else {
 LOG(WARNING) << "Key not valid error number " << ERR_get_error();
 }
@@ -92,11 +94,11 @@ inline void generate_ssl_certificate(const std::string &filepath) {
 LOG(WARNING) << "Generating new keys";
 init_openssl();
- LOG(WARNING) << "Generating RSA key";
- EVP_PKEY *pRsaPrivKey = create_rsa_key();
+ //LOG(WARNING) << "Generating RSA key";
+ //EVP_PKEY *pRsaPrivKey = create_rsa_key();
- //LOG(WARNING) << "Generating EC key";
- //EVP_PKEY *pRsaPrivKey = create_ec_key();
+ LOG(WARNING) << "Generating EC key";
+ EVP_PKEY *pRsaPrivKey = create_ec_key();
 LOG(WARNING) << "Generating x509 Certificate";
 // Use this code to directly generate a certificate
@@ -149,7 +151,7 @@ inline void generate_ssl_certificate(const std::string &filepath) {
 EVP_PKEY_free(pRsaPrivKey);
 pRsaPrivKey = NULL;
 }
-
+ // cleanup_openssl();
 }
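Review bot: With the RSA branch's `private_key_valid = true;` turned into a comment, verify_openssl_key_cert now reports an RSA key as invalid even when RSA_check_key succeeds, and does so silently: the `LOG(WARNING) << "Key not valid error number "` line sits in the else branch, so nothing explains the rejection, and the -53 hunk only compensates for EC keys. Presumably ensure_openssl_key_present_and_valid then calls generate_ssl_certificate (its condition is outside the hunks), which replaces the existing key and certificate and so changes the server identity any client has pinned. If forcing migration from RSA to EC is the intent, say so in code instead of leaving a toggled comment: `LOG(WARNING) << "Valid RSA key found; rejecting it so an EC key is generated";` in the RSA-valid branch, and delete the commented-out assignment; the same comment-toggle pattern is in the -92 hunk. The body of verify_openssl_key_cert continues outside both hunks.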
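Review bot: After the -92 hunk the key comes from `create_ec_key()` but the variable is still named `pRsaPrivKey`, and the RSA lines are kept as commented-out code next to it, so the function reads as a toggle rather than a decision. Rename it to `pPrivKey` (the -149 hunk shows `EVP_PKEY_free(pRsaPrivKey);` and `pRsaPrivKey = NULL;` in the same function, so both sites change with it) and drop the two commented-out RSA lines. The body of generate_ssl_certificate continues outside the hunk.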
@@ -241,4 +243,76 @@ inline void ensure_openssl_key_present_and_valid(const std::string &filepath) {
 generate_ssl_certificate(filepath);
 }
 }
+
+
+boost::asio::ssl::context get_ssl_context(std::string ssl_pem_file){
+ boost::asio::ssl::context m_ssl_context{boost::asio::ssl::context::sslv23};
+ m_ssl_context.set_options(boost::asio::ssl::context::default_workarounds | boost::asio::ssl::context::no_sslv2 | boost::asio::ssl::context::no_sslv3 |
+ boost::asio::ssl::context::single_dh_use | boost::asio::ssl::context::no_tlsv1 | boost::asio::ssl::context::no_tlsv1_1);
+
+ // m_ssl_context.set_verify_mode(boost::asio::ssl::verify_peer);
+ m_ssl_context.use_certificate_file(ssl_pem_file, boost::asio::ssl::context::pem);
+ m_ssl_context.use_private_key_file(ssl_pem_file, boost::asio::ssl::context::pem);
+
+ // Set up EC curves to auto (boost asio doesn't have a method for this)
+ // There is a pull request to add this. Once this is included in an asio drop, use the right way
+ // http://stackoverflow.com/questions/18929049/boost-asio-with-ecdsa-certificate-issue
+ if (SSL_CTX_set_ecdh_auto(m_ssl_context.native_handle(), 1) != 1) {
+ CROW_LOG_ERROR << "Error setting tmp ecdh list\n";
+ }
+
+ // From mozilla "compatibility"
+ std::string ciphers =
+ "ECDHE-ECDSA-CHACHA20-POLY1305:"
+ "ECDHE-RSA-CHACHA20-POLY1305:"
+ "ECDHE-ECDSA-AES128-GCM-SHA256:"
+ "ECDHE-RSA-AES128-GCM-SHA256:"
+ "ECDHE-ECDSA-AES256-GCM-SHA384:"
+ "ECDHE-RSA-AES256-GCM-SHA384:"
+ "DHE-RSA-AES128-GCM-SHA256:"
+ "DHE-RSA-AES256-GCM-SHA384:"
+ "ECDHE-ECDSA-AES128-SHA256:"
+ "ECDHE-RSA-AES128-SHA256:"
+ "ECDHE-ECDSA-AES128-SHA:"
+ "ECDHE-RSA-AES256-SHA384:"
+ "ECDHE-RSA-AES128-SHA:"
+ "ECDHE-ECDSA-AES256-SHA384:"
+ "ECDHE-ECDSA-AES256-SHA:"
+ "ECDHE-RSA-AES256-SHA:"
+ "DHE-RSA-AES128-SHA256:"
+ "DHE-RSA-AES128-SHA:"
+ "DHE-RSA-AES256-SHA256:"
+ "DHE-RSA-AES256-SHA:"
+ "ECDHE-ECDSA-DES-CBC3-SHA:"
+ "ECDHE-RSA-DES-CBC3-SHA:"
+ "EDH-RSA-DES-CBC3-SHA:"
+ "AES128-GCM-SHA256:"
+ "AES256-GCM-SHA384:"
+ "AES128-SHA256:"
+ "AES256-SHA256:"
+ "AES128-SHA:"
+ "AES256-SHA:"
+ "DES-CBC3-SHA:"
+ "!DSS";
+
+ // From mozilla "modern"
+ std::string modern_ciphers =
+ "ECDHE-ECDSA-AES256-GCM-SHA384:"
+ "ECDHE-RSA-AES256-GCM-SHA384:"
+ "ECDHE-ECDSA-CHACHA20-POLY1305:"
+ "ECDHE-RSA-CHACHA20-POLY1305:"
+ "ECDHE-ECDSA-AES128-GCM-SHA256:"
+ "ECDHE-RSA-AES128-GCM-SHA256:"
+ "ECDHE-ECDSA-AES256-SHA384:"
+ "ECDHE-RSA-AES256-SHA384:"
+ "ECDHE-ECDSA-AES128-SHA256:"
+ "ECDHE-RSA-AES128-SHA256";
+
+ std::string lighttp_ciphers = "AES128+EECDH:AES128+EDH:!aNULL:!eNULL";
+
+ if (SSL_CTX_set_cipher_list(m_ssl_context.native_handle(), ciphers.c_str()) != 1) {
+ CROW_LOG_ERROR << "Error setting cipher list\n";
+ }
+ return m_ssl_context;
+}
 }
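Review bot: `get_ssl_context` is defined in a header without `inline`, unlike every other function shown in this file (`inline bool verify_openssl_key_cert`, `inline void generate_ssl_certificate`, `inline void ensure_openssl_key_present_and_valid`), so any second translation unit that includes ssl_key_handler.hpp will fail to link on a duplicate definition; the signature should read `inline boost::asio::ssl::context get_ssl_context(const std::string& ssl_pem_file) {`, which also stops the needless copy of the path. `modern_ciphers` and `lighttp_ciphers` are built and never read, while the list actually handed to SSL_CTX_set_cipher_list is the "compatibility" one, which still admits the 3DES `*-DES-CBC3-SHA` suites and the non-forward-secret `AES*-SHA*` suites; since the -92 hunk makes the generated key EC-only, only the `ECDHE-ECDSA-*` entries of either list can be negotiated anyway, so passing `modern_ciphers.c_str()` costs nothing in compatibility and drops 3DES, and the two unused strings should go. The two error paths log through `CROW_LOG_ERROR` while the rest of this file logs through g3log's `LOG(WARNING)`, and the includes hunk adds only `<boost/asio.hpp>`, so whether that macro is in scope here depends on an include outside this file; a failed `SSL_CTX_set_cipher_list` is also only logged and the context is still returned, presumably with OpenSSL's default list, so consider throwing (as `use_certificate_file` already does on failure) instead of logging and continuing. The function is entirely within the hunk; the final ` }` is the namespace close.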
\ No newline at end of file |