@@ -197,10 +197,23 @@ void initOpenSSL()
197
197
class SSLContext
198
198
{
199
199
public:
200
- explicit SSLContext (bool useOldTLS, bool enableValidtion)
200
+ explicit SSLContext (
201
+ bool useOldTLS,
202
+ bool enableValidtion,
203
+ const std::vector<std::pair<std::string, std::string>> &sslConfCmds)
201
204
{
202
205
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
203
206
ctxPtr_ = SSL_CTX_new (TLS_method ());
207
+ SSL_CONF_CTX *cctx = SSL_CONF_CTX_new ();
208
+ SSL_CONF_CTX_set_flags (cctx, SSL_CONF_FLAG_SERVER);
209
+ SSL_CONF_CTX_set_flags (cctx, SSL_CONF_FLAG_CLIENT);
210
+ SSL_CONF_CTX_set_flags (cctx, SSL_CONF_FLAG_CERTIFICATE);
211
+ SSL_CONF_CTX_set_ssl_ctx (cctx, ctxPtr_);
212
+ for (auto cmd : sslConfCmds)
213
+ {
214
+ SSL_CONF_cmd (cctx, cmd.first .data (), cmd.second .data ());
215
+ }
216
+ SSL_CONF_CTX_finish (cctx);
204
217
if (!useOldTLS)
205
218
{
206
219
SSL_CTX_set_min_proto_version (ctxPtr_, TLS1_2_VERSION);
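Review bot: The `SSL_CONF_CTX` created with `SSL_CONF_CTX_new ()` is never released — `SSL_CONF_CTX_finish` does not free it, so every `SSLContext` leaks one `SSL_CONF_CTX` until an `SSL_CONF_CTX_free (cctx);` is added after the finish call; the `#else` branch in the next hunk has the same gap. The return values of `SSL_CONF_cmd` and `SSL_CONF_CTX_finish` are also discarded, so a misspelled or unsupported command (a cipher or protocol restriction, say) is silently dropped and the context ends up weaker than the operator configured; a `<= 0` / `!= 1` check with at least a log line for the offending pair makes that visible. `for (auto cmd : sslConfCmds)` copies each pair on every iteration; `const auto &cmd` avoids it. If the `#else` path is meant to cover OpenSSL releases older than 1.0.2, the `SSL_CONF_*` API is not available there — worth confirming the minimum version the build supports. The constructor continues past the end of the hunk.
```cpp
SSL_CONF_CTX *cctx = SSL_CONF_CTX_new ();
// … unchanged: SSL_CONF_CTX_set_flags / SSL_CONF_CTX_set_ssl_ctx …
for (const auto &cmd : sslConfCmds)
{
    // <= 0: command rejected or unrecognised; dropping it silently would
    // leave the context weaker than the caller's configuration intends
    if (SSL_CONF_cmd (cctx, cmd.first.c_str (), cmd.second.c_str ()) <= 0)
    {
        // report cmd.first / cmd.second through the file's logging macro
    }
}
if (SSL_CONF_CTX_finish (cctx) != 1)
{
    // report the failure through the file's logging macro
}
SSL_CONF_CTX_free (cctx);
```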
@@ -213,6 +226,16 @@ class SSLContext
213
226
}
214
227
#else
215
228
ctxPtr_ = SSL_CTX_new (SSLv23_method ());
229
+ SSL_CONF_CTX *cctx = SSL_CONF_CTX_new ();
230
+ SSL_CONF_CTX_set_flags (cctx, SSL_CONF_FLAG_SERVER);
231
+ SSL_CONF_CTX_set_flags (cctx, SSL_CONF_FLAG_CLIENT);
232
+ SSL_CONF_CTX_set_flags (cctx, SSL_CONF_FLAG_CERTIFICATE);
233
+ SSL_CONF_CTX_set_ssl_ctx (cctx, ctxPtr_);
234
+ for (auto cmd : sslConfCmds)
235
+ {
236
+ SSL_CONF_cmd (cctx, cmd.first .data (), cmd.second .data ());
237
+ }
238
+ SSL_CONF_CTX_finish (cctx);
216
239
if (!useOldTLS)
217
240
{
218
241
SSL_CTX_set_options (ctxPtr_, SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
@@ -271,16 +294,21 @@ class SSLConn
271
294
SSL *SSL_;
272
295
};
273
296
274
- std::shared_ptr<SSLContext> newSSLContext (bool useOldTLS, bool validateCert)
297
+ std::shared_ptr<SSLContext> newSSLContext (
298
+ bool useOldTLS,
299
+ bool validateCert,
300
+ const std::vector<std::pair<std::string, std::string>> &sslConfCmds)
275
301
{ // init OpenSSL
276
302
initOpenSSL ();
277
- return std::make_shared<SSLContext>(useOldTLS, validateCert);
303
+ return std::make_shared<SSLContext>(useOldTLS, validateCert, sslConfCmds );
278
304
}
279
- std::shared_ptr<SSLContext> newSSLServerContext (const std::string &certPath,
280
- const std::string &keyPath,
281
- bool useOldTLS)
305
+ std::shared_ptr<SSLContext> newSSLServerContext (
306
+ const std::string &certPath,
307
+ const std::string &keyPath,
308
+ bool useOldTLS,
309
+ const std::vector<std::pair<std::string, std::string>> &sslConfCmds)
282
310
{
283
- auto ctx = newSSLContext (useOldTLS, false );
311
+ auto ctx = newSSLContext (useOldTLS, false , sslConfCmds );
284
312
auto r = SSL_CTX_use_certificate_chain_file (ctx->get (), certPath.c_str ());
285
313
if (!r)
286
314
{
@@ -319,9 +347,11 @@ std::shared_ptr<SSLContext> newSSLServerContext(const std::string &certPath,
319
347
#else
320
348
namespace trantor
321
349
{
322
- std::shared_ptr<SSLContext> newSSLServerContext (const std::string &certPath,
323
- const std::string &keyPath,
324
- bool useOldTLS)
350
+ std::shared_ptr<SSLContext> newSSLServerContext (
351
+ const std::string &certPath,
352
+ const std::string &keyPath,
353
+ bool useOldTLS,
354
+ const std::vector<std::pair<std::string, std::string>> &sslConfCmds)
325
355
{
326
356
LOG_FATAL << " OpenSSL is not found in your system!" ;
327
357
abort ();
@@ -360,7 +390,8 @@ void TcpConnectionImpl::startClientEncryptionInLoop(
360
390
std::function<void ()> &&callback,
361
391
bool useOldTLS,
362
392
bool validateCert,
363
- const std::string &hostname)
393
+ const std::string &hostname,
394
+ const std::vector<std::pair<std::string, std::string>> &sslConfCmds)
364
395
{
365
396
validateCert_ = validateCert;
366
397
loop_->assertInLoopThread ();
@@ -371,7 +402,8 @@ void TcpConnectionImpl::startClientEncryptionInLoop(
371
402
}
372
403
sslEncryptionPtr_ = std::make_unique<SSLEncryption>();
373
404
sslEncryptionPtr_->upgradeCallback_ = std::move (callback);
374
- sslEncryptionPtr_->sslCtxPtr_ = newSSLContext (useOldTLS, validateCert_);
405
+ sslEncryptionPtr_->sslCtxPtr_ =
406
+ newSSLContext (useOldTLS, validateCert_, sslConfCmds);
375
407
sslEncryptionPtr_->sslPtr_ =
376
408
std::make_unique<SSLConn>(sslEncryptionPtr_->sslCtxPtr_ ->get ());
377
409
if (validateCert)
@@ -452,10 +484,12 @@ void TcpConnectionImpl::startServerEncryption(
452
484
453
485
#endif
454
486
}
455
- void TcpConnectionImpl::startClientEncryption (std::function<void ()> callback,
456
- bool useOldTLS,
457
- bool validateCert,
458
- std::string hostname)
487
+ void TcpConnectionImpl::startClientEncryption (
488
+ std::function<void ()> callback,
489
+ bool useOldTLS,
490
+ bool validateCert,
491
+ std::string hostname,
492
+ const std::vector<std::pair<std::string, std::string>> &sslConfCmds)
459
493
{
460
494
#ifndef USE_OPENSSL
461
495
LOG_FATAL << " OpenSSL is not found in your system!" ;
@@ -475,19 +509,22 @@ void TcpConnectionImpl::startClientEncryption(std::function<void()> callback,
475
509
startClientEncryptionInLoop (std::move (callback),
476
510
useOldTLS,
477
511
validateCert,
478
- hostname);
512
+ hostname,
513
+ sslConfCmds);
479
514
}
480
515
else
481
516
{
482
517
loop_->queueInLoop ([thisPtr = shared_from_this (),
483
518
callback = std::move (callback),
484
519
useOldTLS,
485
520
hostname = std::move (hostname),
486
- validateCert]() mutable {
521
+ validateCert,
522
+ &sslConfCmds]() mutable {
487
523
thisPtr->startClientEncryptionInLoop (std::move (callback),
488
524
useOldTLS,
489
525
validateCert,
490
- hostname);
526
+ hostname,
527
+ sslConfCmds);
491
528
});
492
529
}
493
530
#endif
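Review bot: `&sslConfCmds` in the new capture list stores a reference to `startClientEncryption`'s `const std::vector<...> &` parameter inside a lambda that `queueInLoop` runs later on the loop thread, so by the time the callback executes the referenced vector may already be destroyed (any caller passing a temporary, or a local that goes out of scope after the call), and `startClientEncryptionInLoop` would then read freed memory. The neighbouring captures already copy or move their arguments for exactly this reason; capture the vector by value as well: `sslConfCmds]() mutable {` (one copy at queue time, which matches the cost of the `hostname` move/copy). The enclosing `startClientEncryption` begins outside this hunk.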