Introduce SetupSslContext()

Alexander A. Klimov 2021-07-16 18:31:52 +02:00
parent fbcaf82e3e
commit 80a1128ec7
3 changed files with 48 additions and 38 deletions


@ -258,6 +258,49 @@ int ResolveTlsProtocolVersion(const std::string& version) {
} }
} }
Shared<boost::asio::ssl::context>::Ptr SetupSslContext(String certPath, String keyPath,
String caPath, String crlPath, String cipherList, String protocolmin, DebugInfo di)
{
namespace ssl = boost::asio::ssl;
Shared<ssl::context>::Ptr context;
try {
context = MakeAsioSslContext(certPath, keyPath, caPath);
} catch (const std::exception&) {
BOOST_THROW_EXCEPTION(ScriptError("Cannot make SSL context for cert path: '"
+ certPath + "' key path: '" + keyPath + "' ca path: '" + caPath + "'.", di));
}
if (!crlPath.IsEmpty()) {
try {
AddCRLToSSLContext(context, crlPath);
} catch (const std::exception&) {
BOOST_THROW_EXCEPTION(ScriptError("Cannot add certificate revocation list to SSL context for crl path: '"
+ crlPath + "'.", di));
}
}
if (!cipherList.IsEmpty()) {
try {
SetCipherListToSSLContext(context, cipherList);
} catch (const std::exception&) {
BOOST_THROW_EXCEPTION(ScriptError("Cannot set cipher list to SSL context for cipher list: '"
+ cipherList + "'.", di));
}
}
if (!protocolmin.IsEmpty()){
try {
SetTlsProtocolminToSSLContext(context, protocolmin);
} catch (const std::exception&) {
BOOST_THROW_EXCEPTION(ScriptError("Cannot set minimum TLS protocol version to SSL context with tls_protocolmin: '" + protocolmin + "'.", di));
}
}
return std::move(context);
}
/** /**
* Set the minimum TLS protocol version to the specified SSL context. * Set the minimum TLS protocol version to the specified SSL context.
* *
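Review bot: Every `catch (const std::exception&)` in SetupSslContext drops the underlying error, so the ScriptError raised for a bad cert, key, CA, CRL path, cipher list or tls_protocolmin tells the operator only which value was involved and never why the TLS library rejected it, which is exactly the detail needed to diagnose a failing or misconfigured listener. Binding the exception and appending its text would keep that detail, e.g. `} catch (const std::exception& e) {` followed by `+ certPath + "' key path: '" + keyPath + "' ca path: '" + caPath + "': " + e.what(), di));` in the first handler and the same pattern in the other three, assuming String concatenates with a `const char*` the way the existing messages already do. The omission is carried over verbatim from the removed UpdateSSLContext body, so it is not new, but this function is now the single place where all four handlers live and the fix belongs here. Two style points: `return std::move(context);` defeats the implicit move/NRVO of a returned local and most compilers warn about it (-Wpessimizing-move), so plain `return context;` is preferable, and the seven parameters are all taken by value where `const String&` / `const DebugInfo&` would avoid copies, a change that would need to be mirrored in the header declaration in the second hunk. The neighbouring functions carry a Doxygen `/** ... */` block (see the one immediately below for SetTlsProtocolminToSSLContext) while SetupSslContext has none; a short one should state that it builds a context from the given paths, that crlPath, cipherList and protocolmin are optional and skipped when empty, and that every failure surfaces as a ScriptError at `di`.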


@ -4,6 +4,7 @@
#define TLSUTILITY_H #define TLSUTILITY_H
#include "base/i2-base.hpp" #include "base/i2-base.hpp"
#include "base/debuginfo.hpp"
#include "base/object.hpp" #include "base/object.hpp"
#include "base/shared.hpp" #include "base/shared.hpp"
#include "base/array.hpp" #include "base/array.hpp"
@ -35,6 +36,9 @@ void SetCipherListToSSLContext(const Shared<boost::asio::ssl::context>::Ptr& con
void SetTlsProtocolminToSSLContext(const Shared<boost::asio::ssl::context>::Ptr& context, const String& tlsProtocolmin); void SetTlsProtocolminToSSLContext(const Shared<boost::asio::ssl::context>::Ptr& context, const String& tlsProtocolmin);
int ResolveTlsProtocolVersion(const std::string& version); int ResolveTlsProtocolVersion(const std::string& version);
Shared<boost::asio::ssl::context>::Ptr SetupSslContext(String certPath, String keyPath,
String caPath, String crlPath, String cipherList, String protocolmin, DebugInfo di);
String GetCertificateCN(const std::shared_ptr<X509>& certificate); String GetCertificateCN(const std::shared_ptr<X509>& certificate);
std::shared_ptr<X509> GetX509Certificate(const String& pemfile); std::shared_ptr<X509> GetX509Certificate(const String& pemfile);
int MakeX509CSR(const String& cn, const String& keyfile, const String& csrfile = String(), const String& certfile = String(), bool ca = false); int MakeX509CSR(const String& cn, const String& keyfile, const String& csrfile = String(), const String& certfile = String(), bool ca = false);


@ -181,44 +181,7 @@ void ApiListener::OnConfigLoaded()
void ApiListener::UpdateSSLContext() void ApiListener::UpdateSSLContext()
{ {
namespace ssl = boost::asio::ssl; m_SSLContext = SetupSslContext(GetDefaultCertPath(), GetDefaultKeyPath(), GetDefaultCaPath(), GetCrlPath(), GetCipherList(), GetTlsProtocolmin(), GetDebugInfo());
Shared<ssl::context>::Ptr context;
try {
context = MakeAsioSslContext(GetDefaultCertPath(), GetDefaultKeyPath(), GetDefaultCaPath());
} catch (const std::exception&) {
BOOST_THROW_EXCEPTION(ScriptError("Cannot make SSL context for cert path: '"
+ GetDefaultCertPath() + "' key path: '" + GetDefaultKeyPath() + "' ca path: '" + GetDefaultCaPath() + "'.", GetDebugInfo()));
}
if (!GetCrlPath().IsEmpty()) {
try {
AddCRLToSSLContext(context, GetCrlPath());
} catch (const std::exception&) {
BOOST_THROW_EXCEPTION(ScriptError("Cannot add certificate revocation list to SSL context for crl path: '"
+ GetCrlPath() + "'.", GetDebugInfo()));
}
}
if (!GetCipherList().IsEmpty()) {
try {
SetCipherListToSSLContext(context, GetCipherList());
} catch (const std::exception&) {
BOOST_THROW_EXCEPTION(ScriptError("Cannot set cipher list to SSL context for cipher list: '"
+ GetCipherList() + "'.", GetDebugInfo()));
}
}
if (!GetTlsProtocolmin().IsEmpty()){
try {
SetTlsProtocolminToSSLContext(context, GetTlsProtocolmin());
} catch (const std::exception&) {
BOOST_THROW_EXCEPTION(ScriptError("Cannot set minimum TLS protocol version to SSL context with tls_protocolmin: '" + GetTlsProtocolmin() + "'.", GetDebugInfo()));
}
}
m_SSLContext = context;
for (const Endpoint::Ptr& endpoint : ConfigType::GetObjectsByType<Endpoint>()) { for (const Endpoint::Ptr& endpoint : ConfigType::GetObjectsByType<Endpoint>()) {
for (const JsonRpcConnection::Ptr& client : endpoint->GetClients()) { for (const JsonRpcConnection::Ptr& client : endpoint->GetClients()) {