Initializes SSL for a single domain. The domain name and the full paths for the private key, the SSL certificate and the CA certificate must all be supplied. The scope of the certificate is expressed by the domain argument as follows:- 1) The certificate is assumed to be a single-domain wildcard if the domain name is preceded by an asterisk and a period. 2) The certificate is assumed to be for exactly one domain if only a domain name is submitted; the domain name must then specify the exact subdomain. Note that this function does not itself interpret the wildcard: the domain string is only used as the key under which the SSL context is registered, so the wildcard/exact-name matching must be performed by whatever consults that registry at connection time (e.g. the SNI callback).

Return Type | Function name | Arguments
hzEcode | InitDomainSSL | (const char*, const char*, const char*, const char*)

Declared in file: hzIpServer.h
Defined in file : hzIpServer.cpp

Function Logic:

0:START 1:unknown 2:Return hzerr(E_ARGUMENT,Domain %s: SSL params missing [PvtKey=%s][Cert=%s][CertCA=%s],domain,pvtKey,sslCert,sslCA) 3:items 4:unknown 5:sys_rc items items sys_rc items s_svrMeth 6:unknown 7:Return hzerr(E_INITFAIL,Failed to allocate SSLv23 Server Method (errno %d)\n,errno) 8:S 9:unknown 10:Return hzerr(E_INITDUP,SSL Init called already for domain %s,domain) 11:pSSL_Regime pSSL_Regime items pSSL_Regime 12:unknown 13:Return hzerr(E_INITFAIL,Failed to allocate SSL Server Context for % (errno %d)\n,*pSSL_Regime->m_Domain,errno) 14:items sys_rc 15:unknown 16:Return hzerr(E_INITFAIL,No SSL certificate. File %s Returned %d, errno %d,sslCert,sys_rc,errno) 17:items sys_rc 18:unknown 19:Return hzerr(E_INITFAIL,No SSL CA certificate. File %s Returned %d, errno %d,sslCA,sys_rc,errno) 20:items sys_rc 21:unknown 22:Return hzerr(E_INITFAIL,No SSL private key. File %s Error %d,pvtKey,sys_rc) 23:items 24:unknown 25:Return hzerr(E_INITFAIL,Private key does not match the certificate public key) 26:items 27:Return E_OK

Function body:

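//  Release a regime that was never published to s_mapSSLDoms and pass the caller's error code through.
//  m_svrCTX is cleared before delete in case ~_hz_SSL_Regime also releases it (not visible here).
static hzEcode sslInitAbort (_hz_SSL_Regime* pReg, hzEcode rc)
{
    if (pReg)
    {
        if (pReg->m_svrCTX)
        {
            SSL_CTX_free(pReg->m_svrCTX) ;
            pReg->m_svrCTX = 0 ;
        }
        delete pReg ;
    }
    return rc ;
}

hzEcode InitDomainSSL (const char* pvtKey, const char* sslCert, const char* sslCA, const char* domain)
{
    //  Category: Internet Server
    //
    //  Initializes SSL for a single domain. The domain name and full paths for the private key, SSL
    //  certificate and CA certificate must be supplied. The scope of the certificate is set by the
    //  domain argument as follows:-
    //
    //   1) The certificate is assumed to be a single-domain wildcard if the domain name is preceded by
    //      an asterisk and a period
    //   2) The certificate is assumed to be for a single domain if only a domain name is submitted. The
    //      domain name must specify the exact subdomain.
    //
    //  This function does not inspect the domain string itself; it is only the key under which the
    //  context is registered in s_mapSSLDoms, so wildcard/exact matching is up to the SNI lookup.
    //
    //  Arguments: 1) pvtKey   Domain Private Key (PEM file path)
    //     2) sslCert   Domain Certificate (PEM file path)
    //     3) sslCA   Domain CA Certificate (PEM file path)
    //     4) domain   Domain name
    //
    //  Returns: E_INITDUP If SSL has already been initialized for this domain
    //     E_ARGUMENT If either the private key, the server SSL certificate or the certificate authority are not supplied
    //     E_INITFAIL If any of the SSL functions return an error
    //     E_OK  If the SSL is set up OK
    //
    //  Review notes:
    //   - The regime is inserted into s_mapSSLDoms only after every step has succeeded. Previously it was
    //     inserted before the context was built, so a failed init left a half-initialized regime in the
    //     map (reachable by SNI lookup, possibly with no certificate or key loaded) and the E_INITDUP
    //     check then prevented any retry. On failure the SSL_CTX is now freed and the regime discarded.
    //   - The E_INITFAIL message for SSL_CTX_new used "% (errno %d)" - a bare '%' with a string
    //     argument, i.e. a format/argument mismatch. It is now "%s".
    //   - The E_ARGUMENT path formats whichever pointer is NULL with %s; NULL is now substituted.
    //   - SSLv23_server_method() negotiates any protocol version the linked OpenSSL permits. Nothing
    //     here sets a minimum protocol version or a cipher list, so the accepted versions depend on the
    //     library build/defaults (SSL_CTX_set_min_proto_version / SSL_CTX_set_options can restrict).
    //   - sslCA goes into the verify store (SSL_CTX_load_verify_locations), which is what a client
    //     certificate would be checked against. It is NOT added to the chain sent to TLS clients; if the
    //     file holds intermediates for the server certificate, that chain must be loaded separately.
    //   - errno is reported on OpenSSL failures, but OpenSSL does not generally set errno; the OpenSSL
    //     error queue (ERR_get_error) is the authoritative source and would make these messages useful.
    //   - s_svrMeth and s_mapSSLDoms are file-scope state updated without any lock visible in this
    //     function; presumably domains are initialized from one thread at startup - confirm.
    _hzfunc("InitDomainSSL") ;
    _hz_SSL_Regime* pSSL_Regime ;   //  SSL Server context (published only on success)
    hzString        S ;             //  Domain as map key
    int32_t         sys_rc ;        //  System/OpenSSL return value

    //  Check args. Any of the pointers may be NULL here, so never hand a NULL to %s.
    if (!pvtKey || !sslCert || !sslCA || !domain)
        return hzerr(E_ARGUMENT, "Domain %s: SSL params missing [PvtKey=%s][Cert=%s][CertCA=%s]",
            domain ? domain : "(null)", pvtKey ? pvtKey : "(null)", sslCert ? sslCert : "(null)", sslCA ? sslCA : "(null)") ;
    threadLog("Domain %s: SSL params [PvtKey=%s][Cert=%s][CertCA=%s]\n", domain, pvtKey, sslCert, sslCA) ;

    //  One-time library init and server method, shared by every domain
    if (!s_svrMeth)
    {
        sys_rc = SSL_library_init() ;
        threadLog("Returned from SSL_library_init with %d\n", sys_rc) ;
        SSL_load_error_strings();
        sys_rc = OpenSSL_add_ssl_algorithms();
        threadLog("Returned from OpenSSL_add_ssl_algorithms with %d\n", sys_rc) ;
        s_svrMeth = SSLv23_server_method() ;
        if (!s_svrMeth)
            return hzerr(E_INITFAIL, "Failed to allocate SSLv23 Server Method (errno %d)\n", errno) ;
    }

    //  Refuse a second init for the same domain
    S = domain ;
    if (s_mapSSLDoms.Exists(S))
        return hzerr(E_INITDUP, "SSL Init called already for domain %s", domain) ;

    //  Build the regime locally; it is not visible to SNI lookups until fully set up
    pSSL_Regime = new _hz_SSL_Regime() ;
    pSSL_Regime->m_Domain = S ;

    //  Create the SSL context and set the SNI callback
    pSSL_Regime->m_svrCTX = SSL_CTX_new(s_svrMeth) ;
    if (!pSSL_Regime->m_svrCTX)
        return sslInitAbort(pSSL_Regime, hzerr(E_INITFAIL, "Failed to allocate SSL Server Context for %s (errno %d)\n", domain, errno)) ;
    SSL_CTX_set_tlsext_servername_callback(pSSL_Regime->m_svrCTX, &SNI_Callback) ;

    //  Load the server (leaf) certificate into the SSL context
    sys_rc = SSL_CTX_use_certificate_file(pSSL_Regime->m_svrCTX, sslCert, SSL_FILETYPE_PEM) ;
    if (sys_rc <= 0)
        return sslInitAbort(pSSL_Regime, hzerr(E_INITFAIL, "No SSL certificate. File %s Returned %d, errno %d", sslCert, sys_rc, errno)) ;
    threadLog("Returned from SSL_CTX_use_certificate_file with %d\n", sys_rc) ;

    //  Load the CA certificate into the verify store (peer verification, not the server chain)
    sys_rc = SSL_CTX_load_verify_locations(pSSL_Regime->m_svrCTX, sslCA, NULL) ;
    if (sys_rc <= 0)
        return sslInitAbort(pSSL_Regime, hzerr(E_INITFAIL, "No SSL CA certificate. File %s Returned %d, errno %d", sslCA, sys_rc, errno)) ;
    threadLog("Returned from SSL_CTX_load_verify_locations with %d\n", sys_rc) ;

    //  Load the server private key into the SSL context
    sys_rc = SSL_CTX_use_PrivateKey_file(pSSL_Regime->m_svrCTX, pvtKey, SSL_FILETYPE_PEM) ;
    if (sys_rc <= 0)
        return sslInitAbort(pSSL_Regime, hzerr(E_INITFAIL, "No SSL private key. File %s Error %d", pvtKey, sys_rc)) ;
    threadLog("Returned from SSL_CTX_use_PrivateKey_file with %d\n", sys_rc) ;

    //  Confirm the private key matches the loaded certificate
    if (!(sys_rc = SSL_CTX_check_private_key(pSSL_Regime->m_svrCTX)))
        return sslInitAbort(pSSL_Regime, hzerr(E_INITFAIL, "Private key does not match the certificate public key")) ;
    threadLog("Returned from SSL_CTX_check_private_key with %d\n", sys_rc) ;

    //  Everything succeeded: publish the regime so SNI lookups can find it
    s_mapSSLDoms.Insert(S, pSSL_Regime) ;
    return E_OK ;
}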