#include <openssl/ssl.h>
#include <openssl/dh.h>
#include <openssl/err.h>
+#include <openssl/evp.h>
#include <openssl/rand.h>
static SSL_CTX *ssl_server_ctx;
{
int ret = 1;
char libratbox_data[] = "libratbox data";
+ const char libratbox_ciphers[] = "kEECDH+HIGH:kEDH+HIGH:HIGH:!RC4:!aNULL";
SSL_load_error_strings();
SSL_library_init();
libratbox_index = SSL_get_ex_new_index(0, libratbox_data, NULL, NULL, NULL);
+
+#if defined(LIBRESSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x10100000L)
ssl_server_ctx = SSL_CTX_new(SSLv23_server_method());
+#else
+ ssl_server_ctx = SSL_CTX_new(TLS_server_method());
+#endif
+
if(ssl_server_ctx == NULL)
{
rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL server context: %s",
get_ssl_error(ERR_get_error()));
ret = 0;
}
- /* Disable SSLv2, make the client use our settings */
- SSL_CTX_set_options(ssl_server_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_CIPHER_SERVER_PREFERENCE
+
+ long server_options = SSL_CTX_get_options(ssl_server_ctx);
+
+#if defined(LIBRESSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x10100000L)
+ server_options |= SSL_OP_NO_SSLv2;
+ server_options |= SSL_OP_NO_SSLv3;
+#endif
+
#ifdef SSL_OP_SINGLE_DH_USE
- | SSL_OP_SINGLE_DH_USE
+ server_options |= SSL_OP_SINGLE_DH_USE;
#endif
+
+#ifdef SSL_OP_SINGLE_ECDH_USE
+ server_options |= SSL_OP_SINGLE_ECDH_USE;
+#endif
+
#ifdef SSL_OP_NO_TICKET
- | SSL_OP_NO_TICKET
+ server_options |= SSL_OP_NO_TICKET;
#endif
- );
+
+ server_options |= SSL_OP_CIPHER_SERVER_PREFERENCE;
+
+ SSL_CTX_set_options(ssl_server_ctx, server_options);
SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, verify_accept_all_cb);
SSL_CTX_set_session_cache_mode(ssl_server_ctx, SSL_SESS_CACHE_OFF);
- SSL_CTX_set_cipher_list(ssl_server_ctx, "kEECDH+HIGH:kEDH+HIGH:HIGH:!RC4:!aNULL");
+ SSL_CTX_set_cipher_list(ssl_server_ctx, libratbox_ciphers);
/* Set ECDHE on OpenSSL 1.00+, but make sure it's actually available because redhat are dicks
and bastardise their OpenSSL for stupid reasons... */
- #if (OPENSSL_VERSION_NUMBER >= 0x10000000) && defined(NID_secp384r1)
+ #if (OPENSSL_VERSION_NUMBER >= 0x10000000L) && defined(NID_secp384r1)
EC_KEY *key = EC_KEY_new_by_curve_name(NID_secp384r1);
if (key) {
SSL_CTX_set_tmp_ecdh(ssl_server_ctx, key);
EC_KEY_free(key);
}
-#ifdef SSL_OP_SINGLE_ECDH_USE
- SSL_CTX_set_options(ssl_server_ctx, SSL_OP_SINGLE_ECDH_USE);
-#endif
#endif
+#if defined(LIBRESSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x10100000L)
ssl_client_ctx = SSL_CTX_new(TLSv1_client_method());
+#else
+ ssl_client_ctx = SSL_CTX_new(TLS_client_method());
+#endif
if(ssl_client_ctx == NULL)
{
SSL_CTX_set_options(ssl_client_ctx, SSL_OP_NO_TICKET);
#endif
+ SSL_CTX_set_cipher_list(ssl_client_ctx, libratbox_ciphers);
+
return ret;
}
if(cert != NULL)
{
res = SSL_get_verify_result((SSL *) F->ssl);
- if(res == X509_V_OK ||
- res == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
- res == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE ||
- res == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
+ if(
+ res == X509_V_OK ||
+ res == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
+ res == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE ||
+ res == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
+ res == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
{
- memcpy(certfp, cert->sha1_hash, RB_SSL_CERTFP_LEN);
+ unsigned int certfp_length = RB_SSL_CERTFP_LEN;
+ X509_digest(cert, EVP_sha1(), certfp, &certfp_length);
X509_free(cert);
return 1;
}