ACE_SSL_Context Class Reference

A wrapper for the OpenSSL SSL_CTX related functions. More...

#include <SSL_Context.h>

Collaboration diagram for ACE_SSL_Context:

[legend]List of all members.

Public Types
typedef ACE_SYNCH_MUTEX	lock_type
enum	{   INVALID_METHOD = -1, SSLv2_client = 1, SSLv2_server, SSLv2,   SSLv3_client, SSLv3_server, SSLv3, SSLv23_client,   SSLv23_server, SSLv23, TLSv1_client, TLSv1_server,   TLSv1 }
Public Member Functions
	ACE_SSL_Context (void)
	Constructor.
	~ACE_SSL_Context (void)
	Destructor.
int	set_mode (int mode=ACE_SSL_Context::SSLv23)
int	get_mode (void) const
SSL_CTX *	context (void)
	Get the SSL context.
int	private_key_type (void) const
	Get the file name and file format used for the private key.
const char *	private_key_file_name (void) const
int	private_key (const char *file_name, int type=SSL_FILETYPE_PEM)
	Set the private key file.
int	verify_private_key (void)
	Verify that the private key is valid.
int	certificate_type (void) const
	Get the file name and file format used for the certificate file.
const char *	certificate_file_name (void) const
int	certificate (const char *file_name, int type=SSL_FILETYPE_PEM)
	Set the certificate file.
int	certificate (X509 *cert)
	Load certificate from memory rather than a file.
int	load_trusted_ca (const char *ca_file=0, const char *ca_dir=0, bool use_env_defaults=true)
int	have_trusted_ca (void) const
void	set_verify_peer (int strict=0, int once=1, int depth=0)
void	default_verify_mode (int mode)
int	default_verify_mode (void) const
Diffie-Hellman (DH) Parameters
When using DSS-based certificates, Diffie-Hellman keys need to be exchanged. These must be provided in the form of DH key generation parameters loaded in, or as fixed keys hardcoded into the code itself. ACE_SSL supports loaded parameters.
int	dh_params (const char *file_name, int type=SSL_FILETYPE_PEM)
const char *	dh_params_file_name () const
int	dh_params_file_type () const
Static Public Member Functions
ACE_SSL_Context *	instance (void)
void	report_error (unsigned long error_code)
	Print SSL error corresponding to the given error code.
void	report_error (void)
	Print the last SSL error for the current thread.
OpenSSL Random Number Generator Seed Related Methods
These are methods that can be used to seed OpenSSL's pseudo-random number generator. These methods can be called more than once.
int	random_seed (const char *seed)
int	egd_file (const char *socket_file)
int	seed_file (const char *seed_file, long bytes=-1)
Private Member Functions
void	check_context (void)
	Verify if the context has been initialized or not.
void	ssl_library_init ()
	More to document.
void	ssl_library_fini ()
	ACE_SSL_Context (const ACE_SSL_Context &)
ACE_SSL_Context &	operator= (const ACE_SSL_Context &)
Private Attributes
SSL_CTX *	context_
	The SSL_CTX structure.
int	mode_
	Cache the mode so we can answer fast.
ACE_SSL_Data_File	private_key_
	The private key, certificate, and Diffie-Hellman paramters files.
ACE_SSL_Data_File	certificate_
ACE_SSL_Data_File	dh_params_
int	default_verify_mode_
	The default verify mode.
int	have_ca_
	count of successful CA load attempts
Static Private Attributes
lock_type *	locks_

---

Detailed Description

A wrapper for the OpenSSL SSL_CTX related functions.

This class provides a wrapper for the SSL_CTX data structure. Since most applications have a single SSL_CTX structure, this class can be used as a singleton.

Definition at line 75 of file SSL_Context.h.

---

Member Typedef Documentation

typedef ACE_SYNCH_MUTEX ACE_SSL_Context::lock_type

Definition at line 80 of file SSL_Context.h.

---

Member Enumeration Documentation

anonymous enum

Enumeration values: INVALID_METHOD  SSLv2_client  SSLv2_server  SSLv2  SSLv3_client  SSLv3_server  SSLv3  SSLv23_client  SSLv23_server  SSLv23  TLSv1_client  TLSv1_server  TLSv1  Definition at line 83 of file SSL_Context.h. { INVALID_METHOD = -1, SSLv2_client = 1, SSLv2_server, SSLv2, SSLv3_client, SSLv3_server, SSLv3, SSLv23_client, SSLv23_server, SSLv23, TLSv1_client, TLSv1_server, TLSv1 };

---

Constructor & Destructor Documentation

ACE_SSL_Context::ACE_SSL_Context (  void   )

Constructor. Definition at line 110 of file SSL_Context.cpp. References ssl_library_init(). : context_ (0), mode_ (-1), default_verify_mode_ (SSL_VERIFY_NONE), have_ca_ (0) { ACE_SSL_Context::ssl_library_init (); }

ACE_SSL_Context::~ACE_SSL_Context (  void   )

Destructor. Definition at line 119 of file SSL_Context.cpp. References ssl_library_fini(). { if (this->context_) { ::SSL_CTX_free (this->context_); this->context_ = 0; } ACE_SSL_Context::ssl_library_fini (); }

ACE_SSL_Context::ACE_SSL_Context (  const ACE_SSL_Context &   )  [private]

---

Member Function Documentation

int ACE_SSL_Context::certificate (  X509 *  cert  )

Load certificate from memory rather than a file. Definition at line 463 of file SSL_Context.cpp. References certificate_, check_context(), and ACE_SSL_Data_File::type(). { // Is it really a good idea to return 0 if we're not setting the // certificate? if (this->certificate_.type () != -1) return 0; this->check_context(); if (::SSL_CTX_use_certificate (this->context_, cert) <= 0) { return -1; } else { // No file is associated with the certificate, set this to a fictional // value so we don't reset it later. this->certificate_ = ACE_SSL_Data_File ("MEMORY CERTIFICATE"); return 0; } }

int ACE_SSL_Context::certificate (  const char *  file_name, int  type = SSL_FILETYPE_PEM )

Set the certificate file. Definition at line 441 of file SSL_Context.cpp. References certificate_, check_context(), ACE_SSL_Data_File::file_name(), and ACE_SSL_Data_File::type(). { if (this->certificate_.type () != -1) return 0; this->certificate_ = ACE_SSL_Data_File (file_name, type); this->check_context (); if (::SSL_CTX_use_certificate_file (this->context_, this->certificate_.file_name (), this->certificate_.type ()) <= 0) { this->certificate_ = ACE_SSL_Data_File (); return -1; } else return 0; }

ACE_INLINE const char * ACE_SSL_Context::certificate_file_name (  void   )  const

Definition at line 72 of file SSL_Context.inl. References certificate_, and ACE_SSL_Data_File::file_name(). { return this->certificate_.file_name (); }

ACE_INLINE int ACE_SSL_Context::certificate_type (  void   )  const

Get the file name and file format used for the certificate file. Definition at line 66 of file SSL_Context.inl. References certificate_, and ACE_SSL_Data_File::type(). { return this->certificate_.type (); }

ACE_INLINE void ACE_SSL_Context::check_context (  void   )  [private]

Verify if the context has been initialized or not. Definition at line 36 of file SSL_Context.inl. References default_verify_mode(), and set_mode(). Referenced by certificate(), context(), dh_params(), load_trusted_ca(), private_key(), set_verify_peer(), and verify_private_key(). { if (this->context_ == 0) { this->set_mode (); } ::SSL_CTX_set_verify (this->context_, this->default_verify_mode (), 0); }

ACE_INLINE SSL_CTX * ACE_SSL_Context::context (  void   )

Get the SSL context. Definition at line 47 of file SSL_Context.inl. References check_context(). Referenced by ACE_RCSID(), and ACE_SSL_Asynch_Stream::ACE_SSL_Asynch_Stream(). { this->check_context (); return this->context_; }

ACE_INLINE int ACE_SSL_Context::default_verify_mode (  void   )  const

Definition at line 96 of file SSL_Context.inl. References default_verify_mode_. Referenced by check_context(), and set_verify_peer(). { return this->default_verify_mode_; }

ACE_INLINE void ACE_SSL_Context::default_verify_mode (  int  mode  )

Set and query the default verify mode for this context, it is inherited by all the ACE_SSL objects created using the context. It can be overriden on a per-ACE_SSL object. Definition at line 90 of file SSL_Context.inl. References default_verify_mode_. { this->default_verify_mode_ = mode; }

int ACE_SSL_Context::dh_params (  const char *  file_name, int  type = SSL_FILETYPE_PEM )

Load Diffie-Hellman parameters from file_name. The specified file can be a standalone file containing only DH parameters (e.g., as created by openssl dhparam), or it can be a certificate which has a PEM-encoded set of DH params concatenated on to i. Definition at line 582 of file SSL_Context.cpp. References check_context(), dh_params_, ACE_SSL_Data_File::file_name(), and ACE_SSL_Data_File::type(). { if (this->dh_params_.type () != -1) return 0; // For now we only support PEM encodings if (type != SSL_FILETYPE_PEM) return -1; this->dh_params_ = ACE_SSL_Data_File (file_name, type); this->check_context (); { // Swiped from Rescorla's examples and the OpenSSL s_server.c app DH * ret=0; BIO * bio = 0; if ((bio = ::BIO_new_file (this->dh_params_.file_name (), "r")) == 0) { this->dh_params_ = ACE_SSL_Data_File (); return -1; } ret = PEM_read_bio_DHparams (bio, 0, 0, 0); BIO_free (bio); if (ret == 0) { this->dh_params_ = ACE_SSL_Data_File (); return -1; } if (::SSL_CTX_set_tmp_dh (this->context_, ret) < 0) { this->dh_params_ = ACE_SSL_Data_File (); return -1; } DH_free (ret); } return 0; }

ACE_INLINE const char * ACE_SSL_Context::dh_params_file_name (   )  const

Load Diffie-Hellman parameters from file_name. The specified file can be a standalone file containing only DH parameters (e.g., as created by openssl dhparam), or it can be a certificate which has a PEM-encoded set of DH params concatenated on to i. Definition at line 84 of file SSL_Context.inl. References dh_params_, and ACE_SSL_Data_File::file_name(). { return this->dh_params_.file_name (); }

ACE_INLINE int ACE_SSL_Context::dh_params_file_type (   )  const

Load Diffie-Hellman parameters from file_name. The specified file can be a standalone file containing only DH parameters (e.g., as created by openssl dhparam), or it can be a certificate which has a PEM-encoded set of DH params concatenated on to i. Definition at line 78 of file SSL_Context.inl. References dh_params_, and ACE_SSL_Data_File::type(). { return this->dh_params_.type (); }

int ACE_SSL_Context::egd_file (  const char *  socket_file  )  [static]

Set the Entropy Gathering Daemon (EGD) UNIX domain socket file to read random seed values from. Definition at line 523 of file SSL_Context.cpp. References ACE_NOTSUP_RETURN. Referenced by ssl_library_init(). { #if OPENSSL_VERSION_NUMBER < 0x00905100L // OpenSSL < 0.9.5 doesn't have EGD support. ACE_UNUSED_ARG (socket_file); ACE_NOTSUP_RETURN (-1); #else // RAND_egd() returns the amount of entropy used to seed the random // number generator. The actual value should be greater than 16, // i.e. 128 bits. if (::RAND_egd (socket_file) > 0) return 0; else return -1; #endif /* OPENSSL_VERSION_NUMBER >= 0x00905100L */ }

ACE_INLINE int ACE_SSL_Context::get_mode (  void   )  const

Definition at line 102 of file SSL_Context.inl. { return this->mode_; }

ACE_INLINE int ACE_SSL_Context::have_trusted_ca (  void   )  const

Test whether any CA locations have been successfully loaded and return the number of successful attempts. Return values: >0  The number of successful CA load attempts. 0  If all CA load attempts have failed. Definition at line 108 of file SSL_Context.inl. References have_ca_. { return this->have_ca_; }

ACE_SSL_Context * ACE_SSL_Context::instance (  void   )  [static]

The Singleton context, the SSL components use the singleton if nothing else is available. Definition at line 131 of file SSL_Context.cpp. References ACE_Singleton< TYPE, ACE_LOCK >::instance(). Referenced by ACE_RCSID(), and ACE_SSL_Asynch_Stream::ACE_SSL_Asynch_Stream(). { return ACE_Singleton<ACE_SSL_Context, ACE_SYNCH_MUTEX>::instance (); }

int ACE_SSL_Context::load_trusted_ca (  const char *  ca_file = 0, const char *  ca_dir = 0, bool  use_env_defaults = true )

Load the location of the trusted certification authority certificates. Note that CA certificates are stored in PEM format as a sequence of certificates in ca_file or as a set of individual certificates in ca_dir (or both). Note this method is called by set_mode() to load the default environment settings for ca_file and ca_dir, if any. This allows for automatic service configuration (and backward compatibility with previous versions). Note that the underlying SSL function will add valid file and directory names to the load location lists maintained as part of the SSL_CTX table. It therefore doesn't make sense to keep a copy of the file and path name of the most recently added ca_file or ca_path. Parameters: in]  ca_file CA file pathname. Passed to SSL_CTX_load_verify_locations() if not 0. If 0, behavior depends on the value of use_env_defaults. in]  ca_dir CA directory pathname. Passed to SSL_CTX_load_verify_locations() if not 0. If 0, behavior depends on the value of use_env_defaults. in]  use_env_defaults If false, the specified ca_file argument is passed to SSL_CTX_load_verify_locations(), regardless of its value. If true (the default), additional defaults can be applied to either ca_file, ca_dir, or both. The following additional defaults are applied when the ca_file argument is 0: The SSL_CERT_FILE environment variable will be queried for a file name to use as the ca_file argument. The environment variable name to query can be changed by supplying a ACE_SSL_CERT_FILE_ENV configuration item when building ACE. If there is no SSL_CERT_FILE in the current environment, the file specified by the ACE_DEFAULT_SSL_CERT_FILE ACE configuration item will be used. The default value is "cert.pem" on Windows and "/etc/ssl/cert.pem" on all other platforms. The following additional defaults are applied when the ca_dir argument is 0: The SSL_CERT_DIR environment variable will be queried for a file name to use as the ca_dir argument. The environment variable name to query can be changed by supplying a ACE_SSL_CERT_DIR_ENV configuration item when building ACE. If there is no SSL_CERT_DIR in the current environment, the directory specified by the ACE_DEFAULT_SSL_CERT_DIR ACE configuration item will be used. The default value is "certs" on Windows and "/etc/ssl/certs" on all other platforms. Returns: 0 for success or -1 on error. See also: OpenSSL manual SSL_CTX_load_verify_locations(3) for a detailed description of the CA file and directory requirements and processing. Definition at line 297 of file SSL_Context.cpp. References ACE_DEFAULT_SSL_CERT_DIR, ACE_DEFAULT_SSL_CERT_FILE, ACE_SSL_CERT_DIR_ENV, ACE_SSL_CERT_FILE_ENV, check_context(), ACE::debug(), ACE_OS::getenv(), have_ca_, report_error(), SSLv2, SSLv23, SSLv23_server, SSLv2_server, SSLv3, SSLv3_server, TLSv1, and TLSv1_server. Referenced by set_mode(). { this->check_context (); if (ca_file == 0 && use_env_defaults) { // Use the default environment settings. ca_file = ACE_OS::getenv (ACE_SSL_CERT_FILE_ENV); if (ca_file == 0) ca_file = ACE_DEFAULT_SSL_CERT_FILE; } if (ca_dir == 0 && use_env_defaults) { // Use the default environment settings. ca_dir = ACE_OS::getenv (ACE_SSL_CERT_DIR_ENV); if (ca_dir == 0) ca_dir = ACE_DEFAULT_SSL_CERT_DIR; } // NOTE: SSL_CTX_load_verify_locations() returns 0 on error. if (::SSL_CTX_load_verify_locations (this->context_, ca_file, ca_dir) <= 0) { if (ACE::debug ()) ACE_SSL_Context::report_error (); return -1; } ++this->have_ca_; // For TLS/SSL servers scan all certificates in ca_file and ca_dir and // list them as acceptable CAs when requesting a client certificate. if (mode_ == SSLv23 || mode_ == SSLv23_server || mode_ == TLSv1 || mode_ == TLSv1_server || mode_ == SSLv3 || mode_ == SSLv3_server || mode_ == SSLv2 || mode_ == SSLv2_server) { // Note: The STACK_OF(X509_NAME) pointer is a copy of the pointer in // the CTX; any changes to it by way of these function calls will // change the CTX directly. STACK_OF (X509_NAME) * cert_names; cert_names = ::SSL_CTX_get_client_CA_list (this->context_); bool error = false; // Add CAs from both the file and dir, if specified. There should // already be a STACK_OF(X509_NAME) in the CTX, but if not, we create // one. if (ca_file) { if (cert_names == 0) { if ((cert_names = ::SSL_load_client_CA_file (ca_file)) != 0) ::SSL_CTX_set_client_CA_list (this->context_, cert_names); else error = true; } else { // Add new certificate names to the list. error = (0 == ::SSL_add_file_cert_subjects_to_stack (cert_names, ca_file)); } if (error) { if (ACE::debug ()) ACE_SSL_Context::report_error (); return -1; } } // SSL_add_dir_cert_subjects_to_stack is defined at 0.9.8a (but not // on OpenVMS or Mac Classic); it may be available earlier. Change // this comparison if so. #if defined (OPENSSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x0090801fL) # if !defined (OPENSSL_SYS_VMS) && !defined (OPENSSL_SYS_MACINTOSH_CLASSIC) if (ca_dir != 0) { if (cert_names == 0) { if ((cert_names = sk_X509_NAME_new_null ()) == 0) { if (ACE::debug ()) ACE_SSL_Context::report_error (); return -1; } ::SSL_CTX_set_client_CA_list (this->context_, cert_names); } if (0 == ::SSL_add_dir_cert_subjects_to_stack (cert_names, ca_dir)) { if (ACE::debug ()) ACE_SSL_Context::report_error (); return -1; } } # endif /* !OPENSSL_SYS_VMS && !OPENSSL_SYS_MACINTOSH_CLASSIC */ #endif /* OPENSSL_VERSION_NUMBER >= 0.9.8a release */ } return 0; }

ACE_SSL_Context& ACE_SSL_Context::operator= (  const ACE_SSL_Context &   )  [private]

int ACE_SSL_Context::private_key (  const char *  file_name, int  type = SSL_FILETYPE_PEM )

Set the private key file. Note: This method should only be called after a certificate has been set since key verification is performed against the certificate, among other things. Definition at line 411 of file SSL_Context.cpp. References check_context(), ACE_SSL_Data_File::file_name(), private_key_, ACE_SSL_Data_File::type(), and verify_private_key(). { if (this->private_key_.type () != -1) return 0; this->check_context (); this->private_key_ = ACE_SSL_Data_File (file_name, type); if (::SSL_CTX_use_PrivateKey_file (this->context_, this->private_key_.file_name (), this->private_key_.type ()) <= 0) { this->private_key_ = ACE_SSL_Data_File (); return -1; } else return this->verify_private_key (); }

ACE_INLINE const char * ACE_SSL_Context::private_key_file_name (  void   )  const

Definition at line 60 of file SSL_Context.inl. References ACE_SSL_Data_File::file_name(), and private_key_. { return this->private_key_.file_name (); }

ACE_INLINE int ACE_SSL_Context::private_key_type (  void   )  const

Get the file name and file format used for the private key. Definition at line 54 of file SSL_Context.inl. References private_key_, and ACE_SSL_Data_File::type(). { return this->private_key_.type (); }

int ACE_SSL_Context::random_seed (  const char *  seed  )  [static]

Seed the underlying random number generator. This value should have at least 128 bits of entropy. Definition at line 510 of file SSL_Context.cpp. References ACE_OS::strlen(). { ::RAND_seed (seed, ACE_OS::strlen (seed)); #if OPENSSL_VERSION_NUMBER >= 0x00905100L // RAND_status() returns 1 if the PRNG has enough entropy. return (::RAND_status () == 1 ? 0 : -1); #else return 0; // Ugly, but OpenSSL <= 0.9.4 doesn't have RAND_status(). #endif /* OPENSSL_VERSION_NUMBER >= 0x00905100L */ }

void ACE_SSL_Context::report_error (  void   )  [static]

Print the last SSL error for the current thread. Definition at line 574 of file SSL_Context.cpp. References ACE_OS::last_error(). Referenced by ACE_SSL_SOCK_Stream::close(), load_trusted_ca(), ACE_SSL_SOCK_Stream::recv_i(), ACE_SSL_SOCK_Stream::send_i(), ACE_SSL_SOCK_Acceptor::ssl_accept(), and ACE_SSL_SOCK_Connector::ssl_connect(). { unsigned long err = ::ERR_get_error (); ACE_SSL_Context::report_error (err); ACE_OS::last_error (err); }

void ACE_SSL_Context::report_error (  unsigned long  error_code  )  [static]

Print SSL error corresponding to the given error code. Definition at line 558 of file SSL_Context.cpp. References ACE_ERROR, ACE_TEXT, and LM_ERROR. { if (error_code == 0) return; char error_string[256]; (void) ::ERR_error_string (error_code, error_string); ACE_ERROR ((LM_ERROR, ACE_TEXT ("ACE_SSL (%P|%t) error code: %u - %C\n"), error_code, error_string)); }

int ACE_SSL_Context::seed_file (  const char *  seed_file, long  bytes = -1 )  [static]

Set the file that contains the random seed value state, and the amount of bytes to read. "-1" bytes causes the entire file to be read. Definition at line 541 of file SSL_Context.cpp. Referenced by ssl_library_init(). { // RAND_load_file() returns the number of bytes used to seed the // random number generator. If the file reads ok, check RAND_status to // see if it got enough entropy. if (::RAND_load_file (seed_file, bytes) > 0) #if OPENSSL_VERSION_NUMBER >= 0x00905100L // RAND_status() returns 1 if the PRNG has enough entropy. return (::RAND_status () == 1 ? 0 : -1); #else return 0; // Ugly, but OpenSSL <= 0.9.4 doesn't have RAND_status(). #endif /* OPENSSL_VERSION_NUMBER >= 0x00905100L */ else return -1; }

int ACE_SSL_Context::set_mode (  int  mode = ACE_SSL_Context::SSLv23  )

Set the CTX mode. The mode can be set only once, afterwards the function has no effect and returns -1. Once the mode is set the underlying SSL_CTX is initialized and the class can be used. If the mode is not set, then the class automatically initializes itself to the default mode. Definition at line 224 of file SSL_Context.cpp. References ACE_GUARD_RETURN, load_trusted_ca(), SSLv2, SSLv23, SSLv23_client, SSLv23_server, SSLv2_client, SSLv2_server, SSLv3, SSLv3_client, SSLv3_server, TLSv1, TLSv1_client, and TLSv1_server. Referenced by check_context(). { ACE_MT (ACE_GUARD_RETURN (ACE_Recursive_Thread_Mutex, ace_ssl_mon, *ACE_Static_Object_Lock::instance (), -1)); if (this->context_ != 0) return -1; SSL_METHOD *method = 0; switch (mode) { case ACE_SSL_Context::SSLv2_client: method = ::SSLv2_client_method (); break; case ACE_SSL_Context::SSLv2_server: method = ::SSLv2_server_method (); break; case ACE_SSL_Context::SSLv2: method = ::SSLv2_method (); break; case ACE_SSL_Context::SSLv3_client: method = ::SSLv3_client_method (); break; case ACE_SSL_Context::SSLv3_server: method = ::SSLv3_server_method (); break; case ACE_SSL_Context::SSLv3: method = ::SSLv3_method (); break; case ACE_SSL_Context::SSLv23_client: method = ::SSLv23_client_method (); break; case ACE_SSL_Context::SSLv23_server: method = ::SSLv23_server_method (); break; case ACE_SSL_Context::SSLv23: method = ::SSLv23_method (); break; case ACE_SSL_Context::TLSv1_client: method = ::TLSv1_client_method (); break; case ACE_SSL_Context::TLSv1_server: method = ::TLSv1_server_method (); break; case ACE_SSL_Context::TLSv1: method = ::TLSv1_method (); break; default: method = ::SSLv3_method (); break; } this->context_ = ::SSL_CTX_new (method); if (this->context_ == 0) return -1; this->mode_ = mode; // Load the trusted certificate authority (default) certificate // locations. But do not return -1 on error, doing so confuses CTX // allocation (severe error) with the less important loading of CA // certificate location error. If it is important for your // application then call ACE_SSL_Context::have_trusted_ca(), // immediately following this call to set_mode(). (void) this->load_trusted_ca (); return 0; }

void ACE_SSL_Context::set_verify_peer (  int  strict = 0, int  once = 1, int  depth = 0 )

Todo: Complete this documentation where elipses(...) are used Use this method when certificate chain verification is required. The default server behaviour is SSL_VERIFY_NONE i.e. client certicates are requested for verified. This method can be used to configure server to request client certificates and perform the certificate verification. If is set true the client connection is rejected when certificate verification fails. Otherwise the session is accepted with a warning, which is the default behaviour. If is set true (default), certificates are requested only once per session. The last parameter can be used to set the verification depth. Note for verification to work correctly there should be a valid CA name list set using load_trusted_ca(). See also: OpenSSL documentation of SSL_CTX_set_verify(3) for details of the verification process. OpenSSL documentation ... set_verify_depth(3) ... Note that this method overrides the use of the default_verify_mode() method. Definition at line 487 of file SSL_Context.cpp. References check_context(), and default_verify_mode(). { this->check_context (); // Setup the peer verififcation mode. int verify_mode = SSL_VERIFY_PEER; if (once) verify_mode |= SSL_VERIFY_CLIENT_ONCE; if (strict) verify_mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; // set the default verify mode this->default_verify_mode (verify_mode); // Set the max certificate depth but later let the verify_callback // catch the depth error by adding one to the required depth. if (depth > 0) ::SSL_CTX_set_verify_depth (this->context_, depth + 1); }

void ACE_SSL_Context::ssl_library_fini (   )  [private]

Definition at line 198 of file SSL_Context.cpp. References ACE_GUARD, and locks_. Referenced by ~ACE_SSL_Context(). { ACE_MT (ACE_GUARD (ACE_Recursive_Thread_Mutex, ace_ssl_mon, *ACE_Static_Object_Lock::instance ())); --ssl_library_init_count; if (ssl_library_init_count == 0) { ::ERR_free_strings (); ::EVP_cleanup (); // Clean up the locking callbacks after everything else has been // cleaned up. #ifdef ACE_HAS_THREADS ::CRYPTO_set_locking_callback (0); ssl_locks = 0; delete [] this->locks_; this->locks_ = 0; #endif /* ACE_HAS_THREADS */ } }

void ACE_SSL_Context::ssl_library_init (   )  [private]

More to document. @ Definition at line 137 of file SSL_Context.cpp. References ACE_GUARD, ACE_SSL_EGD_FILE_ENV, ACE_SSL_LOCKING_CALLBACK_NAME, ACE_SSL_RAND_FILE_ENV, ACE_SSL_THREAD_ID_NAME, egd_file(), ACE_OS::getenv(), locks_, and seed_file(). Referenced by ACE_SSL_Context(). { ACE_MT (ACE_GUARD (ACE_Recursive_Thread_Mutex, ace_ssl_mon, *ACE_Static_Object_Lock::instance ())); if (ssl_library_init_count == 0) { // Initialize the locking callbacks before initializing anything // else. #ifdef ACE_HAS_THREADS int const num_locks = ::CRYPTO_num_locks (); this->locks_ = new lock_type[num_locks]; ssl_locks = this->locks_; # if !defined (WIN32) // This call isn't necessary on some platforms. See the CRYPTO // library's threads(3) man page for details. ::CRYPTO_set_id_callback (ACE_SSL_THREAD_ID_NAME); # endif /* !WIN32 */ ::CRYPTO_set_locking_callback (ACE_SSL_LOCKING_CALLBACK_NAME); #endif /* ACE_HAS_THREADS */ ::SSLeay_add_ssl_algorithms (); ::SSL_load_error_strings (); // Seed the random number generator. Note that the random // number generator can be seeded more than once to "stir" its // state. #ifdef WIN32 // Seed the random number generator by sampling the screen. ::RAND_screen (); #endif /* WIN32 */ #if OPENSSL_VERSION_NUMBER >= 0x00905100L // OpenSSL < 0.9.5 doesn't have EGD support. const char *egd_socket_file = ACE_OS::getenv (ACE_SSL_EGD_FILE_ENV); if (egd_socket_file != 0) (void) this->egd_file (egd_socket_file); #endif /* OPENSSL_VERSION_NUMBER */ const char *rand_file = ACE_OS::getenv (ACE_SSL_RAND_FILE_ENV); if (rand_file != 0) (void) this->seed_file (rand_file); // Initialize the mutexes that will be used by the SSL and // crypto library. } ++ssl_library_init_count; }

int ACE_SSL_Context::verify_private_key (  void   )

Verify that the private key is valid. Note: This method should only be called after a certificate has been set since key verification is performed against the certificate, among other things. Definition at line 433 of file SSL_Context.cpp. References check_context(). Referenced by private_key(). { this->check_context (); return (::SSL_CTX_check_private_key (this->context_) <= 0 ? -1 : 0); }

---

Member Data Documentation

ACE_SSL_Data_File ACE_SSL_Context::certificate_ [private]

Definition at line 359 of file SSL_Context.h. Referenced by certificate(), certificate_file_name(), and certificate_type().

SSL_CTX* ACE_SSL_Context::context_ [private]

The SSL_CTX structure. Definition at line 352 of file SSL_Context.h.

int ACE_SSL_Context::default_verify_mode_ [private]

The default verify mode. Definition at line 363 of file SSL_Context.h. Referenced by default_verify_mode().

ACE_SSL_Data_File ACE_SSL_Context::dh_params_ [private]

Definition at line 360 of file SSL_Context.h. Referenced by dh_params(), dh_params_file_name(), and dh_params_file_type().

int ACE_SSL_Context::have_ca_ [private]

count of successful CA load attempts Definition at line 366 of file SSL_Context.h. Referenced by have_trusted_ca(), and load_trusted_ca().

lock_type* ACE_SSL_Context::locks_ [static, private]

Array of mutexes used internally by OpenSSL when the SSL application is multithreaded. Definition at line 371 of file SSL_Context.h. Referenced by ssl_library_fini(), and ssl_library_init().

int ACE_SSL_Context::mode_ [private]

Cache the mode so we can answer fast. Definition at line 355 of file SSL_Context.h.

ACE_SSL_Data_File ACE_SSL_Context::private_key_ [private]

The private key, certificate, and Diffie-Hellman paramters files. Definition at line 358 of file SSL_Context.h. Referenced by private_key(), private_key_file_name(), and private_key_type().

---

The documentation for this class was generated from the following files:

• SSL_Context.h
• SSL_Context.cpp
• SSL_Context.inl

---