incremental

author: Ed Tanous <ed.tanous@intel.com> 2017-03-13 23:39:49 +0300
committer: Ed Tanous <ed.tanous@intel.com> 2017-03-13 23:41:09 +0300
commit: c4771fb4cecd77272a72f3265d19096c83e5e8e9 (patch)
tree: 0193c46e782b4856871002c0b3d96d95f5d7bfe0 /include/ssl_key_handler.hpp
parent: 9b65f1fdcfcaaa22719a83be26dbcb5dbe855b0c (diff)
download: bmcweb-c4771fb4cecd77272a72f3265d19096c83e5e8e9.tar.xz
1 files changed, 81 insertions, 7 deletions
diff --git a/include/ssl_key_handler.hpp b/include/ssl_key_handler.hpp
index 69987b98fa..6e09cbe201 100644
--- a/include/ssl_key_handler.hpp
+++ b/include/ssl_key_handler.hpp
@@ -11,6 +11,8 @@
 #include <openssl/rsa.h>
 #include <openssl/ssl.h>
 
+#include <boost/asio.hpp>
+
 #include <g3log/g3log.hpp>
 
 namespace ensuressl {
@@ -40,7 +42,7 @@ inline bool verify_openssl_key_cert(const std::string &filepath) {
           RSA *rsa = EVP_PKEY_get1_RSA(pkey);
           if (rsa){
             if (RSA_check_key(rsa) == 1) {
-              private_key_valid = true;
+              //private_key_valid = true;
             } else {
               LOG(WARNING) << "Key not valid error number " << ERR_get_error();
             }
@@ -53,7 +55,7 @@ inline bool verify_openssl_key_cert(const std::string &filepath) {
           EC_KEY* ec = EVP_PKEY_get1_EC_KEY(pkey);
           if (ec){
             if (EC_KEY_check_key(ec) == 1) {
-              //private_key_valid = true;
+              private_key_valid = true;
             } else {
               LOG(WARNING) << "Key not valid error number " << ERR_get_error();
             }
@@ -92,11 +94,11 @@ inline void generate_ssl_certificate(const std::string &filepath) {
   LOG(WARNING) << "Generating new keys";
   init_openssl();
 
-  LOG(WARNING) << "Generating RSA key";
-  EVP_PKEY *pRsaPrivKey = create_rsa_key();
+  //LOG(WARNING) << "Generating RSA key";
+  //EVP_PKEY *pRsaPrivKey = create_rsa_key();
 
-  //LOG(WARNING) << "Generating EC key";
-  //EVP_PKEY *pRsaPrivKey = create_ec_key();
+  LOG(WARNING) << "Generating EC key";
+  EVP_PKEY *pRsaPrivKey = create_ec_key();
 
   LOG(WARNING) << "Generating x509 Certificate";
   // Use this code to directly generate a certificate
@@ -149,7 +151,7 @@ inline void generate_ssl_certificate(const std::string &filepath) {
     EVP_PKEY_free(pRsaPrivKey);
     pRsaPrivKey = NULL;
   }
-
+  
   // cleanup_openssl();
 }
 
@@ -241,4 +243,76 @@ inline void ensure_openssl_key_present_and_valid(const std::string &filepath) {
     generate_ssl_certificate(filepath);
   }
 }
+
+
+boost::asio::ssl::context get_ssl_context(std::string ssl_pem_file){
+  boost::asio::ssl::context m_ssl_context{boost::asio::ssl::context::sslv23};
+  m_ssl_context.set_options(boost::asio::ssl::context::default_workarounds | boost::asio::ssl::context::no_sslv2 | boost::asio::ssl::context::no_sslv3 |
+                            boost::asio::ssl::context::single_dh_use | boost::asio::ssl::context::no_tlsv1 | boost::asio::ssl::context::no_tlsv1_1);
+
+  // m_ssl_context.set_verify_mode(boost::asio::ssl::verify_peer);
+  m_ssl_context.use_certificate_file(ssl_pem_file, boost::asio::ssl::context::pem);
+  m_ssl_context.use_private_key_file(ssl_pem_file, boost::asio::ssl::context::pem);
+
+  // Set up EC curves to auto (boost asio doesn't have a method for this)
+  // There is a pull request to add this.  Once this is included in an asio drop, use the right way
+  // http://stackoverflow.com/questions/18929049/boost-asio-with-ecdsa-certificate-issue
+  if (SSL_CTX_set_ecdh_auto(m_ssl_context.native_handle(), 1) != 1) {
+    CROW_LOG_ERROR << "Error setting tmp ecdh list\n";
+  }
+
+  // From mozilla "compatibility"
+  std::string ciphers =
+      "ECDHE-ECDSA-CHACHA20-POLY1305:"
+      "ECDHE-RSA-CHACHA20-POLY1305:"
+      "ECDHE-ECDSA-AES128-GCM-SHA256:"
+      "ECDHE-RSA-AES128-GCM-SHA256:"
+      "ECDHE-ECDSA-AES256-GCM-SHA384:"
+      "ECDHE-RSA-AES256-GCM-SHA384:"
+      "DHE-RSA-AES128-GCM-SHA256:"
+      "DHE-RSA-AES256-GCM-SHA384:"
+      "ECDHE-ECDSA-AES128-SHA256:"
+      "ECDHE-RSA-AES128-SHA256:"
+      "ECDHE-ECDSA-AES128-SHA:"
+      "ECDHE-RSA-AES256-SHA384:"
+      "ECDHE-RSA-AES128-SHA:"
+      "ECDHE-ECDSA-AES256-SHA384:"
+      "ECDHE-ECDSA-AES256-SHA:"
+      "ECDHE-RSA-AES256-SHA:"
+      "DHE-RSA-AES128-SHA256:"
+      "DHE-RSA-AES128-SHA:"
+      "DHE-RSA-AES256-SHA256:"
+      "DHE-RSA-AES256-SHA:"
+      "ECDHE-ECDSA-DES-CBC3-SHA:"
+      "ECDHE-RSA-DES-CBC3-SHA:"
+      "EDH-RSA-DES-CBC3-SHA:"
+      "AES128-GCM-SHA256:"
+      "AES256-GCM-SHA384:"
+      "AES128-SHA256:"
+      "AES256-SHA256:"
+      "AES128-SHA:"
+      "AES256-SHA:"
+      "DES-CBC3-SHA:"
+      "!DSS";
+
+  // From mozilla "modern"
+  std::string modern_ciphers =
+      "ECDHE-ECDSA-AES256-GCM-SHA384:"
+      "ECDHE-RSA-AES256-GCM-SHA384:"
+      "ECDHE-ECDSA-CHACHA20-POLY1305:"
+      "ECDHE-RSA-CHACHA20-POLY1305:"
+      "ECDHE-ECDSA-AES128-GCM-SHA256:"
+      "ECDHE-RSA-AES128-GCM-SHA256:"
+      "ECDHE-ECDSA-AES256-SHA384:"
+      "ECDHE-RSA-AES256-SHA384:"
+      "ECDHE-ECDSA-AES128-SHA256:"
+      "ECDHE-RSA-AES128-SHA256";
+
+  std::string lighttp_ciphers = "AES128+EECDH:AES128+EDH:!aNULL:!eNULL";
+
+  if (SSL_CTX_set_cipher_list(m_ssl_context.native_handle(), ciphers.c_str()) != 1) {
+    CROW_LOG_ERROR << "Error setting cipher list\n";
+  }
+  return m_ssl_context;
+}
 }
 \ No newline at end of file
author	Ed Tanous <ed.tanous@intel.com>	2017-03-13 23:39:49 +0300
committer	Ed Tanous <ed.tanous@intel.com>	2017-03-13 23:41:09 +0300
commit	c4771fb4cecd77272a72f3265d19096c83e5e8e9 (patch)
tree	0193c46e782b4856871002c0b3d96d95f5d7bfe0 /include/ssl_key_handler.hpp
parent	9b65f1fdcfcaaa22719a83be26dbcb5dbe855b0c (diff)
download	bmcweb-c4771fb4cecd77272a72f3265d19096c83e5e8e9.tar.xz