return error;
}
- error = inet_open_active(SOCK_STREAM, suffix, OFP_OLD_PORT, NULL, &fd,
+ error = inet_open_active(SOCK_STREAM, suffix, OFP_PORT, NULL, &fd,
dscp);
if (fd >= 0) {
int state = error ? STATE_TCP_CONNECTING : STATE_SSL_CONNECTING;
/* SSL_CTX_add_client_CA makes a copy of cert's relevant data. */
SSL_CTX_add_client_CA(ctx, cert);
- /* SSL_CTX_use_certificate() takes ownership of the certificate passed in.
- * 'cert' is owned by sslv->ssl, so we need to duplicate it. */
- cert = X509_dup(cert);
- if (!cert) {
- out_of_memory();
- }
SSL_CTX_set_cert_store(ctx, X509_STORE_new());
if (SSL_CTX_load_verify_locations(ctx, ca_cert.file_name, NULL) != 1) {
VLOG_ERR("SSL_CTX_load_verify_locations: %s",
return retval;
}
- fd = inet_open_passive(SOCK_STREAM, suffix, OFP_OLD_PORT, &ss, dscp, true);
+ fd = inet_open_passive(SOCK_STREAM, suffix, OFP_PORT, &ss, dscp, true);
if (fd < 0) {
return -fd;
}
port = ss_get_port(&ss);
- snprintf(bound_name, sizeof bound_name, "ptcp:%"PRIu16":%s",
+ snprintf(bound_name, sizeof bound_name, "pssl:%"PRIu16":%s",
port, ss_format_address(&ss, addrbuf, sizeof addrbuf));
pssl = xmalloc(sizeof *pssl);
return error;
}
- snprintf(name, sizeof name, "tcp:%s:%"PRIu16,
+ snprintf(name, sizeof name, "ssl:%s:%"PRIu16,
ss_format_address(&ss, addrbuf, sizeof addrbuf),
ss_get_port(&ss));
return new_ssl_stream(name, new_fd, SERVER, STATE_SSL_CONNECTING,
SSL_CTX_set_mode(ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
NULL);
+ SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
return 0;
}
static void
stream_ssl_set_certificate_file__(const char *file_name)
{
- if (SSL_CTX_use_certificate_chain_file(ctx, file_name) == 1) {
+ if (SSL_CTX_use_certificate_file(ctx, file_name, SSL_FILETYPE_PEM) == 1) {
certificate.read = true;
} else {
VLOG_ERR("SSL_use_certificate_file: %s",
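Review bot: The new side of stream_ssl_set_certificate_file__ calls `SSL_CTX_use_certificate_file`, which loads only the first certificate in file_name, so any intermediate certificates that the same file previously supplied through `SSL_CTX_use_certificate_chain_file` are no longer sent to peers, and a peer whose trust store holds only the root CA will fail to verify this endpoint. If dropping chain support is intentional it should be stated in the commit description; otherwise keep the chain variant, which still accepts a file holding a single certificate. The log text on the following line also names `SSL_use_certificate_file`, which is not the function called; `VLOG_ERR("SSL_CTX_use_certificate_file: %s",` would match the code. The `SSL_SESS_CACHE_OFF` addition earlier in the hunk is fine as-is. The body of stream_ssl_set_certificate_file__ continues past the end of the hunk.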
stream_ssl_set_ca_cert_file__(const char *file_name,
bool bootstrap, bool force)
{
- X509 **certs;
- size_t n_certs;
struct stat s;
if (!update_ssl_config(&ca_cert, file_name) && !force) {
"(this is a security risk)");
} else if (bootstrap && stat(file_name, &s) && errno == ENOENT) {
bootstrap_ca_cert = true;
- } else if (!read_cert_file(file_name, &certs, &n_certs)) {
- size_t i;
-
- /* Set up list of CAs that the server will accept from the client. */
- for (i = 0; i < n_certs; i++) {
- /* SSL_CTX_add_client_CA makes a copy of the relevant data. */
- if (SSL_CTX_add_client_CA(ctx, certs[i]) != 1) {
- VLOG_ERR("failed to add client certificate %"PRIuSIZE" from %s: %s",
- i, file_name,
+ } else {
+ STACK_OF(X509_NAME) *cert_names = SSL_load_client_CA_file(file_name);
+ if (cert_names) {
+ /* Set up list of CAs that the server will accept from the
+ * client. */
+ SSL_CTX_set_client_CA_list(ctx, cert_names);
+
+ /* Set up CAs for OpenSSL to trust in verifying the peer's
+ * certificate. */
+ SSL_CTX_set_cert_store(ctx, X509_STORE_new());
+ if (SSL_CTX_load_verify_locations(ctx, file_name, NULL) != 1) {
+ VLOG_ERR("SSL_CTX_load_verify_locations: %s",
ERR_error_string(ERR_get_error(), NULL));
- } else {
- log_ca_cert(file_name, certs[i]);
+ return;
}
- X509_free(certs[i]);
- }
- free(certs);
-
- /* Set up CAs for OpenSSL to trust in verifying the peer's
- * certificate. */
- SSL_CTX_set_cert_store(ctx, X509_STORE_new());
- if (SSL_CTX_load_verify_locations(ctx, file_name, NULL) != 1) {
- VLOG_ERR("SSL_CTX_load_verify_locations: %s",
- ERR_error_string(ERR_get_error(), NULL));
- return;
+ bootstrap_ca_cert = false;
+ } else {
+ VLOG_ERR("failed to load client certificates from %s: %s",
+ file_name, ERR_error_string(ERR_get_error(), NULL));
}
-
- bootstrap_ca_cert = false;
}
ca_cert.read = true;
}
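Review bot: In the new `else` branch the client CA list is installed and a fresh, empty `X509_STORE` is swapped into `ctx` before `SSL_CTX_load_verify_locations` is known to succeed, so on the failure path the function returns with `ctx` advertising the new CA names but holding an empty trust store, and `bootstrap_ca_cert` is left at whatever value it had. With `SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT` set elsewhere in this file that presumably fails closed, but it silently discards the previous working trust store, and the error message names a function the store was never loaded through. Loading the file into a local store first and only then committing both the store and the CA list keeps `ctx` consistent on failure; `X509_STORE_new()` should also be NULL-checked, which neither side does. The old side's per-certificate `log_ca_cert` output is gone as well, which may be intended but removes the only place the accepted CA subjects were logged.
```c
    } else {
        STACK_OF(X509_NAME) *cert_names = SSL_load_client_CA_file(file_name);
        X509_STORE *store = cert_names ? X509_STORE_new() : NULL;

        if (!cert_names) {
            VLOG_ERR("failed to load client certificates from %s: %s",
                     file_name, ERR_error_string(ERR_get_error(), NULL));
        } else if (!store
                   || X509_STORE_load_locations(store, file_name, NULL) != 1) {
            /* Keep the previous trust store and client CA list intact. */
            VLOG_ERR("X509_STORE_load_locations: %s",
                     ERR_error_string(ERR_get_error(), NULL));
            X509_STORE_free(store);
            sk_X509_NAME_pop_free(cert_names, X509_NAME_free);
            return;
        } else {
            /* Both calls take ownership of their argument. */
            SSL_CTX_set_client_CA_list(ctx, cert_names);
            SSL_CTX_set_cert_store(ctx, store);
            bootstrap_ca_cert = false;
        }
    }
    /* … unchanged: ca_cert.read = true; … */
```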