mirror of
https://github.com/cesanta/mongoose.git
synced 2024-12-28 15:40:23 +08:00
Add ssl_cipher_suites to mg_{bind,connect}_opts
Optional specification of SSL/TLS cipher suites. PUBLISHED_FROM=e8968c6c7a92f10514d3ee575c2fb9be862e6cf8
This commit is contained in:
parent
cd9e179fcb
commit
67626d49c9
@ -9,15 +9,30 @@ signature: |
|
|||||||
const char **error_string; /* Placeholder for the error string */
|
const char **error_string; /* Placeholder for the error string */
|
||||||
struct mg_iface *iface; /* Interface instance */
|
struct mg_iface *iface; /* Interface instance */
|
||||||
#if MG_ENABLE_SSL
|
#if MG_ENABLE_SSL
|
||||||
/* SSL settings. */
|
/*
|
||||||
const char *ssl_cert; /* Server certificate to present to clients
|
* SSL settings.
|
||||||
* Or client certificate to present to tunnel
|
*
|
||||||
* dispatcher. */
|
* Server certificate to present to clients or client certificate to
|
||||||
const char *ssl_key; /* Private key corresponding to the certificate.
|
* present to tunnel dispatcher (for tunneled connections).
|
||||||
If ssl_cert is set but ssl_key is not, ssl_cert
|
*/
|
||||||
is used. */
|
const char *ssl_cert;
|
||||||
const char *ssl_ca_cert; /* CA bundle used to verify client certificates or
|
/* Private key corresponding to the certificate. If ssl_cert is set but
|
||||||
* tunnel dispatchers. */
|
* ssl_key is not, ssl_cert is used. */
|
||||||
|
const char *ssl_key;
|
||||||
|
/* CA bundle used to verify client certificates or tunnel dispatchers. */
|
||||||
|
const char *ssl_ca_cert;
|
||||||
|
/* Colon-delimited list of acceptable cipher suites.
|
||||||
|
* Names depend on the library used, for example:
|
||||||
|
*
|
||||||
|
* ECDH-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256 (OpenSSL)
|
||||||
|
* TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
|
||||||
|
* (mbedTLS)
|
||||||
|
*
|
||||||
|
* For OpenSSL the list can be obtained by running "openssl ciphers".
|
||||||
|
* For mbedTLS, names can be found in library/ssl_ciphersuites.c
|
||||||
|
* If NULL, a reasonable default is used.
|
||||||
|
*/
|
||||||
|
const char *ssl_cipher_suites;
|
||||||
#endif
|
#endif
|
||||||
};
|
};
|
||||||
---
|
---
|
||||||
|
@ -9,15 +9,33 @@ signature: |
|
|||||||
const char **error_string; /* Placeholder for the error string */
|
const char **error_string; /* Placeholder for the error string */
|
||||||
struct mg_iface *iface; /* Interface instance */
|
struct mg_iface *iface; /* Interface instance */
|
||||||
#if MG_ENABLE_SSL
|
#if MG_ENABLE_SSL
|
||||||
/* SSL settings. */
|
/*
|
||||||
const char *ssl_cert; /* Client certificate to present to the server */
|
* SSL settings.
|
||||||
const char *ssl_key; /* Private key corresponding to the certificate.
|
* Client certificate to present to the server.
|
||||||
If ssl_cert is set but ssl_key is not, ssl_cert
|
*/
|
||||||
is used. */
|
const char *ssl_cert;
|
||||||
const char *ssl_ca_cert; /* Verify server certificate using this CA bundle.
|
/*
|
||||||
If set to "*", then SSL is enabled but no cert
|
* Private key corresponding to the certificate.
|
||||||
verification is performed. */
|
* If ssl_cert is set but ssl_key is not, ssl_cert is used.
|
||||||
|
*/
|
||||||
|
const char *ssl_key;
|
||||||
|
/*
|
||||||
|
* Verify server certificate using this CA bundle. If set to "*", then SSL
|
||||||
|
* is enabled but no cert verification is performed.
|
||||||
|
*/
|
||||||
|
const char *ssl_ca_cert;
|
||||||
|
/* Colon-delimited list of acceptable cipher suites.
|
||||||
|
* Names depend on the library used, for example:
|
||||||
|
*
|
||||||
|
* ECDH-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256 (OpenSSL)
|
||||||
|
* TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
|
||||||
|
* (mbedTLS)
|
||||||
|
*
|
||||||
|
* For OpenSSL the list can be obtained by running "openssl ciphers".
|
||||||
|
* For mbedTLS, names can be found in library/ssl_ciphersuites.c
|
||||||
|
* If NULL, a reasonable default is used.
|
||||||
|
*/
|
||||||
|
const char *ssl_cipher_suites;
|
||||||
/*
|
/*
|
||||||
* Server name verification. If ssl_ca_cert is set and the certificate has
|
* Server name verification. If ssl_ca_cert is set and the certificate has
|
||||||
* passed verification, its subject will be verified against this string.
|
* passed verification, its subject will be verified against this string.
|
||||||
|
20
mongoose.c
20
mongoose.c
@ -2746,6 +2746,7 @@ struct mg_connection *mg_connect_opt(struct mg_mgr *mgr, const char *address,
|
|||||||
params.cert = opts.ssl_cert;
|
params.cert = opts.ssl_cert;
|
||||||
params.key = opts.ssl_key;
|
params.key = opts.ssl_key;
|
||||||
params.ca_cert = opts.ssl_ca_cert;
|
params.ca_cert = opts.ssl_ca_cert;
|
||||||
|
params.cipher_suites = opts.ssl_cipher_suites;
|
||||||
if (opts.ssl_ca_cert != NULL) {
|
if (opts.ssl_ca_cert != NULL) {
|
||||||
if (opts.ssl_server_name != NULL) {
|
if (opts.ssl_server_name != NULL) {
|
||||||
if (strcmp(opts.ssl_server_name, "*") != 0) {
|
if (strcmp(opts.ssl_server_name, "*") != 0) {
|
||||||
@ -2850,6 +2851,7 @@ struct mg_connection *mg_bind_opt(struct mg_mgr *mgr, const char *address,
|
|||||||
params.cert = opts.ssl_cert;
|
params.cert = opts.ssl_cert;
|
||||||
params.key = opts.ssl_key;
|
params.key = opts.ssl_key;
|
||||||
params.ca_cert = opts.ssl_ca_cert;
|
params.ca_cert = opts.ssl_ca_cert;
|
||||||
|
params.cipher_suites = opts.ssl_cipher_suites;
|
||||||
if (mg_ssl_if_conn_init(nc, ¶ms, &err_msg) != MG_SSL_OK) {
|
if (mg_ssl_if_conn_init(nc, ¶ms, &err_msg) != MG_SSL_OK) {
|
||||||
MG_SET_PTRPTR(opts.error_string, err_msg);
|
MG_SET_PTRPTR(opts.error_string, err_msg);
|
||||||
mg_destroy_conn(nc, 1 /* destroy_if */);
|
mg_destroy_conn(nc, 1 /* destroy_if */);
|
||||||
@ -4060,7 +4062,7 @@ enum mg_ssl_if_result mg_ssl_if_conn_accept(struct mg_connection *nc,
|
|||||||
static enum mg_ssl_if_result mg_use_cert(SSL_CTX *ctx, const char *cert,
|
static enum mg_ssl_if_result mg_use_cert(SSL_CTX *ctx, const char *cert,
|
||||||
const char *key, const char **err_msg);
|
const char *key, const char **err_msg);
|
||||||
static enum mg_ssl_if_result mg_use_ca_cert(SSL_CTX *ctx, const char *cert);
|
static enum mg_ssl_if_result mg_use_ca_cert(SSL_CTX *ctx, const char *cert);
|
||||||
static enum mg_ssl_if_result mg_set_cipher_list(SSL_CTX *ctx);
|
static enum mg_ssl_if_result mg_set_cipher_list(SSL_CTX *ctx, const char *cl);
|
||||||
|
|
||||||
enum mg_ssl_if_result mg_ssl_if_conn_init(
|
enum mg_ssl_if_result mg_ssl_if_conn_init(
|
||||||
struct mg_connection *nc, const struct mg_ssl_if_conn_params *params,
|
struct mg_connection *nc, const struct mg_ssl_if_conn_params *params,
|
||||||
@ -4105,7 +4107,10 @@ enum mg_ssl_if_result mg_ssl_if_conn_init(
|
|||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
mg_set_cipher_list(ctx->ssl_ctx);
|
if (mg_set_cipher_list(ctx->ssl_ctx, params->cipher_suites) != MG_SSL_OK) {
|
||||||
|
MG_SET_PTRPTR(err_msg, "Invalid cipher suite list");
|
||||||
|
return MG_SSL_ERROR;
|
||||||
|
}
|
||||||
|
|
||||||
if (!(nc->flags & MG_F_LISTENING) &&
|
if (!(nc->flags & MG_F_LISTENING) &&
|
||||||
(ctx->ssl = SSL_new(ctx->ssl_ctx)) == NULL) {
|
(ctx->ssl = SSL_new(ctx->ssl_ctx)) == NULL) {
|
||||||
@ -4287,8 +4292,9 @@ static enum mg_ssl_if_result mg_use_cert(SSL_CTX *ctx, const char *cert,
|
|||||||
return MG_SSL_OK;
|
return MG_SSL_OK;
|
||||||
}
|
}
|
||||||
|
|
||||||
static enum mg_ssl_if_result mg_set_cipher_list(SSL_CTX *ctx) {
|
static enum mg_ssl_if_result mg_set_cipher_list(SSL_CTX *ctx, const char *cl) {
|
||||||
return (SSL_CTX_set_cipher_list(ctx, mg_s_cipher_list) == 1 ? MG_SSL_OK
|
return (SSL_CTX_set_cipher_list(ctx, cl ? cl : mg_s_cipher_list) == 1
|
||||||
|
? MG_SSL_OK
|
||||||
: MG_SSL_ERROR);
|
: MG_SSL_ERROR);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -4418,7 +4424,10 @@ enum mg_ssl_if_result mg_ssl_if_conn_init(
|
|||||||
return MG_SSL_ERROR;
|
return MG_SSL_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
mg_set_cipher_list(ctx, NULL);
|
if (mg_set_cipher_list(ctx, params->cipher_suites) != MG_SSL_OK) {
|
||||||
|
MG_SET_PTRPTR(err_msg, "Invalid cipher suite list");
|
||||||
|
return MG_SSL_ERROR;
|
||||||
|
}
|
||||||
|
|
||||||
if (!(nc->flags & MG_F_LISTENING)) {
|
if (!(nc->flags & MG_F_LISTENING)) {
|
||||||
ctx->ssl = MG_CALLOC(1, sizeof(*ctx->ssl));
|
ctx->ssl = MG_CALLOC(1, sizeof(*ctx->ssl));
|
||||||
@ -13493,6 +13502,7 @@ enum mg_ssl_if_result mg_ssl_if_conn_init(
|
|||||||
if (params->ca_cert != NULL && strcmp(params->ca_cert, "*") != 0) {
|
if (params->ca_cert != NULL && strcmp(params->ca_cert, "*") != 0) {
|
||||||
ctx->ssl_ca_cert = strdup(params->ca_cert);
|
ctx->ssl_ca_cert = strdup(params->ca_cert);
|
||||||
}
|
}
|
||||||
|
/* TODO(rojer): cipher_suites. */
|
||||||
if (params->server_name != NULL) {
|
if (params->server_name != NULL) {
|
||||||
ctx->ssl_server_name = strdup(params->server_name);
|
ctx->ssl_server_name = strdup(params->server_name);
|
||||||
}
|
}
|
||||||
|
70
mongoose.h
70
mongoose.h
@ -3152,6 +3152,7 @@ struct mg_ssl_if_conn_params {
|
|||||||
const char *key;
|
const char *key;
|
||||||
const char *ca_cert;
|
const char *ca_cert;
|
||||||
const char *server_name;
|
const char *server_name;
|
||||||
|
const char *cipher_suites;
|
||||||
};
|
};
|
||||||
|
|
||||||
enum mg_ssl_if_result mg_ssl_if_conn_init(
|
enum mg_ssl_if_result mg_ssl_if_conn_init(
|
||||||
@ -3471,15 +3472,30 @@ struct mg_bind_opts {
|
|||||||
const char **error_string; /* Placeholder for the error string */
|
const char **error_string; /* Placeholder for the error string */
|
||||||
struct mg_iface *iface; /* Interface instance */
|
struct mg_iface *iface; /* Interface instance */
|
||||||
#if MG_ENABLE_SSL
|
#if MG_ENABLE_SSL
|
||||||
/* SSL settings. */
|
/*
|
||||||
const char *ssl_cert; /* Server certificate to present to clients
|
* SSL settings.
|
||||||
* Or client certificate to present to tunnel
|
*
|
||||||
* dispatcher. */
|
* Server certificate to present to clients or client certificate to
|
||||||
const char *ssl_key; /* Private key corresponding to the certificate.
|
* present to tunnel dispatcher (for tunneled connections).
|
||||||
If ssl_cert is set but ssl_key is not, ssl_cert
|
*/
|
||||||
is used. */
|
const char *ssl_cert;
|
||||||
const char *ssl_ca_cert; /* CA bundle used to verify client certificates or
|
/* Private key corresponding to the certificate. If ssl_cert is set but
|
||||||
* tunnel dispatchers. */
|
* ssl_key is not, ssl_cert is used. */
|
||||||
|
const char *ssl_key;
|
||||||
|
/* CA bundle used to verify client certificates or tunnel dispatchers. */
|
||||||
|
const char *ssl_ca_cert;
|
||||||
|
/* Colon-delimited list of acceptable cipher suites.
|
||||||
|
* Names depend on the library used, for example:
|
||||||
|
*
|
||||||
|
* ECDH-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256 (OpenSSL)
|
||||||
|
* TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
|
||||||
|
* (mbedTLS)
|
||||||
|
*
|
||||||
|
* For OpenSSL the list can be obtained by running "openssl ciphers".
|
||||||
|
* For mbedTLS, names can be found in library/ssl_ciphersuites.c
|
||||||
|
* If NULL, a reasonable default is used.
|
||||||
|
*/
|
||||||
|
const char *ssl_cipher_suites;
|
||||||
#endif
|
#endif
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -3519,15 +3535,33 @@ struct mg_connect_opts {
|
|||||||
const char **error_string; /* Placeholder for the error string */
|
const char **error_string; /* Placeholder for the error string */
|
||||||
struct mg_iface *iface; /* Interface instance */
|
struct mg_iface *iface; /* Interface instance */
|
||||||
#if MG_ENABLE_SSL
|
#if MG_ENABLE_SSL
|
||||||
/* SSL settings. */
|
/*
|
||||||
const char *ssl_cert; /* Client certificate to present to the server */
|
* SSL settings.
|
||||||
const char *ssl_key; /* Private key corresponding to the certificate.
|
* Client certificate to present to the server.
|
||||||
If ssl_cert is set but ssl_key is not, ssl_cert
|
*/
|
||||||
is used. */
|
const char *ssl_cert;
|
||||||
const char *ssl_ca_cert; /* Verify server certificate using this CA bundle.
|
/*
|
||||||
If set to "*", then SSL is enabled but no cert
|
* Private key corresponding to the certificate.
|
||||||
verification is performed. */
|
* If ssl_cert is set but ssl_key is not, ssl_cert is used.
|
||||||
|
*/
|
||||||
|
const char *ssl_key;
|
||||||
|
/*
|
||||||
|
* Verify server certificate using this CA bundle. If set to "*", then SSL
|
||||||
|
* is enabled but no cert verification is performed.
|
||||||
|
*/
|
||||||
|
const char *ssl_ca_cert;
|
||||||
|
/* Colon-delimited list of acceptable cipher suites.
|
||||||
|
* Names depend on the library used, for example:
|
||||||
|
*
|
||||||
|
* ECDH-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256 (OpenSSL)
|
||||||
|
* TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
|
||||||
|
* (mbedTLS)
|
||||||
|
*
|
||||||
|
* For OpenSSL the list can be obtained by running "openssl ciphers".
|
||||||
|
* For mbedTLS, names can be found in library/ssl_ciphersuites.c
|
||||||
|
* If NULL, a reasonable default is used.
|
||||||
|
*/
|
||||||
|
const char *ssl_cipher_suites;
|
||||||
/*
|
/*
|
||||||
* Server name verification. If ssl_ca_cert is set and the certificate has
|
* Server name verification. If ssl_ca_cert is set and the certificate has
|
||||||
* passed verification, its subject will be verified against this string.
|
* passed verification, its subject will be verified against this string.
|
||||||
|
Loading…
x
Reference in New Issue
Block a user