Introduce SetupSslContext()
This commit is contained in:
parent
fbcaf82e3e
commit
80a1128ec7
|
@ -258,6 +258,49 @@ int ResolveTlsProtocolVersion(const std::string& version) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Shared<boost::asio::ssl::context>::Ptr SetupSslContext(String certPath, String keyPath,
|
||||||
|
String caPath, String crlPath, String cipherList, String protocolmin, DebugInfo di)
|
||||||
|
{
|
||||||
|
namespace ssl = boost::asio::ssl;
|
||||||
|
|
||||||
|
Shared<ssl::context>::Ptr context;
|
||||||
|
|
||||||
|
try {
|
||||||
|
context = MakeAsioSslContext(certPath, keyPath, caPath);
|
||||||
|
} catch (const std::exception&) {
|
||||||
|
BOOST_THROW_EXCEPTION(ScriptError("Cannot make SSL context for cert path: '"
|
||||||
|
+ certPath + "' key path: '" + keyPath + "' ca path: '" + caPath + "'.", di));
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!crlPath.IsEmpty()) {
|
||||||
|
try {
|
||||||
|
AddCRLToSSLContext(context, crlPath);
|
||||||
|
} catch (const std::exception&) {
|
||||||
|
BOOST_THROW_EXCEPTION(ScriptError("Cannot add certificate revocation list to SSL context for crl path: '"
|
||||||
|
+ crlPath + "'.", di));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!cipherList.IsEmpty()) {
|
||||||
|
try {
|
||||||
|
SetCipherListToSSLContext(context, cipherList);
|
||||||
|
} catch (const std::exception&) {
|
||||||
|
BOOST_THROW_EXCEPTION(ScriptError("Cannot set cipher list to SSL context for cipher list: '"
|
||||||
|
+ cipherList + "'.", di));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!protocolmin.IsEmpty()){
|
||||||
|
try {
|
||||||
|
SetTlsProtocolminToSSLContext(context, protocolmin);
|
||||||
|
} catch (const std::exception&) {
|
||||||
|
BOOST_THROW_EXCEPTION(ScriptError("Cannot set minimum TLS protocol version to SSL context with tls_protocolmin: '" + protocolmin + "'.", di));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return std::move(context);
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Set the minimum TLS protocol version to the specified SSL context.
|
* Set the minimum TLS protocol version to the specified SSL context.
|
||||||
*
|
*
|
||||||
|
|
|
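Review bot: `return std::move(context);` at the end of SetupSslContext is a pessimizing move — `context` is a local returned by value, so the explicit `std::move` only suppresses NRVO and triggers -Wpessimizing-move; `return context;` is enough. The seven `String` parameters are taken by value while the sibling functions in this file take `const String&` (see `SetTlsProtocolminToSSLContext(..., const String& tlsProtocolmin)`), and the same applies to the declaration this commit adds in tlsutility.hpp. Each `catch (const std::exception&)` discards the caught exception's `what()`, so the resulting ScriptError tells an operator which path failed but not why OpenSSL rejected it; binding the exception and appending `e.what()` to the message would keep that diagnostic (this pattern is carried over from ApiListener::UpdateSSLContext, so it is pre-existing behaviour rather than new). The function also lacks the `/** ... */` Doxygen block that the neighbouring functions carry; a comment such as `/** Create an SSL context from certPath/keyPath/caPath and apply the optional CRL, cipher list and minimum TLS protocol version; throws ScriptError (with di) if any step fails. */` would match the file's style.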
@ -4,6 +4,7 @@
|
||||||
#define TLSUTILITY_H
|
#define TLSUTILITY_H
|
||||||
|
|
||||||
#include "base/i2-base.hpp"
|
#include "base/i2-base.hpp"
|
||||||
|
#include "base/debuginfo.hpp"
|
||||||
#include "base/object.hpp"
|
#include "base/object.hpp"
|
||||||
#include "base/shared.hpp"
|
#include "base/shared.hpp"
|
||||||
#include "base/array.hpp"
|
#include "base/array.hpp"
|
||||||
|
@ -35,6 +36,9 @@ void SetCipherListToSSLContext(const Shared<boost::asio::ssl::context>::Ptr& con
|
||||||
void SetTlsProtocolminToSSLContext(const Shared<boost::asio::ssl::context>::Ptr& context, const String& tlsProtocolmin);
|
void SetTlsProtocolminToSSLContext(const Shared<boost::asio::ssl::context>::Ptr& context, const String& tlsProtocolmin);
|
||||||
int ResolveTlsProtocolVersion(const std::string& version);
|
int ResolveTlsProtocolVersion(const std::string& version);
|
||||||
|
|
||||||
|
Shared<boost::asio::ssl::context>::Ptr SetupSslContext(String certPath, String keyPath,
|
||||||
|
String caPath, String crlPath, String cipherList, String protocolmin, DebugInfo di);
|
||||||
|
|
||||||
String GetCertificateCN(const std::shared_ptr<X509>& certificate);
|
String GetCertificateCN(const std::shared_ptr<X509>& certificate);
|
||||||
std::shared_ptr<X509> GetX509Certificate(const String& pemfile);
|
std::shared_ptr<X509> GetX509Certificate(const String& pemfile);
|
||||||
int MakeX509CSR(const String& cn, const String& keyfile, const String& csrfile = String(), const String& certfile = String(), bool ca = false);
|
int MakeX509CSR(const String& cn, const String& keyfile, const String& csrfile = String(), const String& certfile = String(), bool ca = false);
|
||||||
|
|
|
@ -181,44 +181,7 @@ void ApiListener::OnConfigLoaded()
|
||||||
|
|
||||||
void ApiListener::UpdateSSLContext()
|
void ApiListener::UpdateSSLContext()
|
||||||
{
|
{
|
||||||
namespace ssl = boost::asio::ssl;
|
m_SSLContext = SetupSslContext(GetDefaultCertPath(), GetDefaultKeyPath(), GetDefaultCaPath(), GetCrlPath(), GetCipherList(), GetTlsProtocolmin(), GetDebugInfo());
|
||||||
|
|
||||||
Shared<ssl::context>::Ptr context;
|
|
||||||
|
|
||||||
try {
|
|
||||||
context = MakeAsioSslContext(GetDefaultCertPath(), GetDefaultKeyPath(), GetDefaultCaPath());
|
|
||||||
} catch (const std::exception&) {
|
|
||||||
BOOST_THROW_EXCEPTION(ScriptError("Cannot make SSL context for cert path: '"
|
|
||||||
+ GetDefaultCertPath() + "' key path: '" + GetDefaultKeyPath() + "' ca path: '" + GetDefaultCaPath() + "'.", GetDebugInfo()));
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!GetCrlPath().IsEmpty()) {
|
|
||||||
try {
|
|
||||||
AddCRLToSSLContext(context, GetCrlPath());
|
|
||||||
} catch (const std::exception&) {
|
|
||||||
BOOST_THROW_EXCEPTION(ScriptError("Cannot add certificate revocation list to SSL context for crl path: '"
|
|
||||||
+ GetCrlPath() + "'.", GetDebugInfo()));
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!GetCipherList().IsEmpty()) {
|
|
||||||
try {
|
|
||||||
SetCipherListToSSLContext(context, GetCipherList());
|
|
||||||
} catch (const std::exception&) {
|
|
||||||
BOOST_THROW_EXCEPTION(ScriptError("Cannot set cipher list to SSL context for cipher list: '"
|
|
||||||
+ GetCipherList() + "'.", GetDebugInfo()));
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!GetTlsProtocolmin().IsEmpty()){
|
|
||||||
try {
|
|
||||||
SetTlsProtocolminToSSLContext(context, GetTlsProtocolmin());
|
|
||||||
} catch (const std::exception&) {
|
|
||||||
BOOST_THROW_EXCEPTION(ScriptError("Cannot set minimum TLS protocol version to SSL context with tls_protocolmin: '" + GetTlsProtocolmin() + "'.", GetDebugInfo()));
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
m_SSLContext = context;
|
|
||||||
|
|
||||||
for (const Endpoint::Ptr& endpoint : ConfigType::GetObjectsByType<Endpoint>()) {
|
for (const Endpoint::Ptr& endpoint : ConfigType::GetObjectsByType<Endpoint>()) {
|
||||||
for (const JsonRpcConnection::Ptr& client : endpoint->GetClients()) {
|
for (const JsonRpcConnection::Ptr& client : endpoint->GetClients()) {
|
||||||
|
|
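Review bot: The new single-line call in ApiListener::UpdateSSLContext packs seven getter calls into one line far wider than the surrounding code; wrapping it as `m_SSLContext = SetupSslContext(` followed by one argument per line (the wrapping style used for SetupSslContext's own parameter list) would make the argument order, which matters because all seven are `String` and cannot be type-checked against each other, easier to verify against the declaration. Behaviour is otherwise unchanged from the removed code: `m_SSLContext` is only assigned when SetupSslContext returns, so a thrown ScriptError leaves the previous context in place as before. UpdateSSLContext's body continues outside the hunk.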