diff options
author | Tim Costen <tim.costen@isode.com> | 2019-08-01 11:05:53 (GMT) |
---|---|---|
committer | Tim Costen <timcosten64@gmail.com> | 2019-09-03 10:14:51 (GMT) |
commit | 415870c04a7e6cabf13e6acf3a94bb0f68732907 (patch) | |
tree | c1d2a509cdfa341efbc9e1d575ad3bb2383100c0 /Swiften/TLS/TLSOptions.h | |
parent | c62b7b6ce35a77d0a8236ef48155187fe5c30d12 (diff) | |
download | swift-415870c04a7e6cabf13e6acf3a94bb0f68732907.zip swift-415870c04a7e6cabf13e6acf3a94bb0f68732907.tar.bz2 |
Add enhanced OpenSSL configuration
Adds TLSOptions to the OpenSSLContext, which invokes a new private
'configure' method which allows various OpenSSL options to be set.
Also add standard verification callbacks and external (via a
std::function field in TLSOptions) to allow the user
to specify their own method which will perform client certificate
checking when a new TLS connection is accepted. Only set up
the internal verifyCertCallback if the user-supplied hook is set.
All callback hooks are set up in the 'configure' method, and only
then if TLSOptions.verifyMode is present (i.e. not defaulted
to boost::none), to preserve compatibility for users of
this class (e.g. Swift) which want to use OpenSSL's own
internal validation functions rather than setting the
callbacks.
Test-information:
Used new code under development in M-Link when setting up a TLSContext,
setting verify-mode=require, and set up verifyCertCallback with a local
method. Making a client TLS connection which includes a client
certificate results in the local verify callback being invoked.
Change-Id: Idbb7279e1711fca8123f430bfca0dcfb65bc8da6
Diffstat (limited to 'Swiften/TLS/TLSOptions.h')
-rw-r--r-- | Swiften/TLS/TLSOptions.h | 43 |
1 files changed, 42 insertions, 1 deletions
diff --git a/Swiften/TLS/TLSOptions.h b/Swiften/TLS/TLSOptions.h index dd7e920..7a38aa2 100644 --- a/Swiften/TLS/TLSOptions.h +++ b/Swiften/TLS/TLSOptions.h @@ -7,8 +7,10 @@ #pragma once namespace Swift { + class TLSContext; - struct TLSOptions { + class TLSOptions { + public: TLSOptions() : schannelTLS1_0Workaround(false) { } @@ -21,5 +23,44 @@ namespace Swift { */ bool schannelTLS1_0Workaround; + /** + * OpenSSL configuration flags + */ + boost::optional<bool> workaroundMicrosoftSessID; + boost::optional<bool> workaroundNetscapeChallenge; + boost::optional<bool> workaroundNetscapeReuseCipherChange; + boost::optional<bool> workaroundSSLRef2ReuseCertType; + boost::optional<bool> workaroundMicrosoftBigSSLv3Buffer; + boost::optional<bool> workaroundSSLeay080ClientDH; + boost::optional<bool> workaroundTLSD5; + boost::optional<bool> workaroundTLSBlockPadding; + boost::optional<bool> workaroundDontInsertEmptyFragments; + boost::optional<bool> workaroundAll; + boost::optional<bool> suppressSSLv2; + boost::optional<bool> suppressSSLv3; + boost::optional<bool> suppressTLSv1; + boost::optional<bool> disableTLSRollBackBug; + boost::optional<bool> singleDHUse; + + /** + * Other OpenSSL configuration items + */ + boost::optional<std::string> cipherSuites; + boost::optional<std::string> context; + boost::optional<int> sessionCacheTimeout; + boost::optional<int> verifyDepth; + + enum class VerifyMode { + NONE, + REQUIRED, + OPTIONAL + } ; + boost::optional<VerifyMode> verifyMode; + + /** + * Callback for certificate verification + */ + + boost::optional<std::function<int(const TLSContext *)>> verifyCertificateCallback; }; } |