Initializes SSL for the whole server. If a multi-domain certificate is supplied (private key, certificate and CA file paths all given), it is used to create the default SSL regime. Otherwise the default SSL regime is set to the first domain SSL regime in the map of domain SSL regimes. The default regime cannot be NULL, as its context is used to create each client connection's SSL structure (via SSL_new).
| Return Type | Function name | Arguments |
|---|---|---|
| hzEcode | InitServerSSL | (const char*, const char*, const char*) |
Declared in file: hzIpServer.h
Defined in file : hzIpServer.cpp
Function Logic:
Function body:
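// Release a partially built default regime. Used when InitServerSSL fails after allocating the
// regime, so that a context with no usable certificate/key is never left installed as the server
// default (and so a later retry does not fail with E_INITDUP). Only called on the path where the
// regime was allocated here with new - never on the per-domain fallback, which is not owned here.
static void DiscardSvrRegime (void)
{
	if (!s_SSL_svrRegime)
		return ;

	if (s_SSL_svrRegime->m_svrCTX)
	{
		SSL_CTX_free(s_SSL_svrRegime->m_svrCTX) ;
		// Clear the pointer first in case the regime destructor also frees the context
		s_SSL_svrRegime->m_svrCTX = 0 ;
	}

	delete s_SSL_svrRegime ;
	s_SSL_svrRegime = 0 ;
}

// Install the server certificate, the CA (verify) locations and the private key into ctx, then
// confirm the key matches the certificate. Each failure is reported through hzerr and returned
// as E_INITFAIL; the caller is responsible for discarding ctx on failure.
//
// Arguments:	1)	ctx		The SSL context to populate
//				2)	pvtKey	Server Private Key (PEM file path)
//				3)	sslCert	Server Certificate (PEM file path)
//				4)	sslCA	Server CA Certificate (PEM file path)
//
// Returns:	E_INITFAIL	If any of the SSL functions return an error
//			E_OK		If all credentials were installed and the key matches the certificate
static hzEcode LoadSvrCredentials (SSL_CTX* ctx, const char* pvtKey, const char* sslCert, const char* sslCA)
{
	int32_t	sys_rc ;	// OpenSSL return value

	// Server certificate
	sys_rc = SSL_CTX_use_certificate_file(ctx, sslCert, SSL_FILETYPE_PEM) ;
	if (sys_rc <= 0)
		return hzerr(E_INITFAIL, "No SSL certificate. File %s Returned %d, errno %d", sslCert, sys_rc, errno) ;
	threadLog("Returned from SSL_CTX_use_certificate_file with %d\n", sys_rc) ;

	// CA certificate. NOTE(review): this only registers the verify locations; no verify mode is set
	// here (SSL_CTX_set_verify), so this function alone does not request or check client certificates.
	// Confirm against the connection code if mutual TLS is expected.
	sys_rc = SSL_CTX_load_verify_locations(ctx, sslCA, NULL) ;
	if (sys_rc <= 0)
		return hzerr(E_INITFAIL, "No SSL CA certificate. File %s Returned %d, errno %d", sslCA, sys_rc, errno) ;
	threadLog("Returned from SSL_CTX_load_verify_locations with %d\n", sys_rc) ;

	// Server private key
	sys_rc = SSL_CTX_use_PrivateKey_file(ctx, pvtKey, SSL_FILETYPE_PEM) ;
	if (sys_rc <= 0)
		return hzerr(E_INITFAIL, "No SSL private key. File %s Error %d", pvtKey, sys_rc) ;
	threadLog("Returned from SSL_CTX_use_PrivateKey_file with %d\n", sys_rc) ;

	// The key must belong to the certificate just loaded
	sys_rc = SSL_CTX_check_private_key(ctx) ;
	if (!sys_rc)
		return hzerr(E_INITFAIL, "Private key does not match the certificate public key") ;
	threadLog("Returned from SSL_CTX_check_private_key with %d\n", sys_rc) ;

	return E_OK ;
}

hzEcode InitServerSSL (const char* pvtKey, const char* sslCert, const char* sslCA)
{
	// Category: Internet Server
	//
	// Initializes SSL for the whole server. If a multi-domain certificate is supplied (all three file paths
	// non-NULL), it is used to create the default SSL regime. If none are supplied, the default regime is
	// set to the first domain SSL regime in the map of domain SSL regimes. The default regime must not be
	// NULL on success, as its context is used to create each client connection SSL structure (SSL_new).
	//
	// If any OpenSSL call fails after the default regime has been allocated here, the partially built
	// regime and its SSL_CTX are released and s_SSL_svrRegime is reset to NULL. Without this, a failure
	// such as a key/certificate mismatch would leave a context with no usable key installed as the server
	// default, and every subsequent call would fail with E_INITDUP.
	//
	// Arguments:	1)	pvtKey	Server Private Key (PEM file path)
	//				2)	sslCert	Server Certificate (PEM file path)
	//				3)	sslCA	Server CA Certificate (PEM file path)
	//
	// Returns:	E_INITDUP	If server SSL has already been initialized
	//			E_ARGUMENT	If some but not all of the private key, certificate and CA are supplied, or if
	//						none are supplied and there is no domain SSL regime to fall back on
	//			E_INITFAIL	If any of the SSL functions return an error
	//			E_OK		If the SSL is set up OK

	_hzfunc("InitServerSSL") ;

	int32_t	sys_rc ;	// System return value

	// Check we have not already set the default server SSL regime
	if (s_SSL_svrRegime)
		return hzerr(E_INITDUP, "SSL Init called already for whole server") ;

	// Never pass a NULL pointer to a %s conversion: hzerr is printf-style and printing "(null)" is a
	// glibc courtesy, not a guarantee.
	const char*	pkArg = pvtKey ? pvtKey : "(null)" ;
	const char*	ctArg = sslCert ? sslCert : "(null)" ;
	const char*	caArg = sslCA ? sslCA : "(null)" ;

	// One-off library init, shared by the default and per-domain regimes
	if (!s_svrMeth)
	{
		sys_rc = SSL_library_init() ;
		threadLog("Returned from SSL_library_init with %d\n", sys_rc) ;
		SSL_load_error_strings() ;
		sys_rc = OpenSSL_add_ssl_algorithms() ;
		threadLog("Returned from OpenSSL_add_ssl_algorithms with %d\n", sys_rc) ;

		s_svrMeth = SSLv23_server_method() ;
		if (!s_svrMeth)
			return hzerr(E_INITFAIL, "Failed to allocate SSLv23 Server Method (errno %d)\n", errno) ;
	}

	// Check args: the three paths must be supplied together or not at all
	if ((pvtKey || sslCert || sslCA) && (!pvtKey || !sslCert || !sslCA))
		return hzerr(E_ARGUMENT, "Server SSL params incomplete set [PvtKey=%s][Cert=%s][CertCA=%s]", pkArg, ctArg, caArg) ;

	if (!pvtKey || !sslCert || !sslCA)
	{
		// No server-wide certificate: fall back to the first per-domain regime. That regime is owned by
		// s_mapSSLDoms, not by this function, so it must never be released here.
		s_SSL_svrRegime = s_mapSSLDoms.GetObj(0) ;
		if (!s_SSL_svrRegime)
			return hzerr(E_ARGUMENT, "Server SSL - No domain SSL regimes found [PvtKey=%s][Cert=%s][CertCA=%s]", pkArg, ctArg, caArg) ;
		return E_OK ;
	}

	threadLog("SSL params [PvtKey=%s][Cert=%s][CertCA=%s]\n", pvtKey, sslCert, sslCA) ;

	// Create the default (server-wide) regime
	const char*	domain = "default" ;

	s_SSL_svrRegime = new _hz_SSL_Regime() ;
	s_SSL_svrRegime->m_Domain = domain ;

	// Create the SSL context and set the SNI callback
	s_SSL_svrRegime->m_svrCTX = SSL_CTX_new(s_svrMeth) ;
	if (!s_SSL_svrRegime->m_svrCTX)
	{
		DiscardSvrRegime() ;
		return hzerr(E_INITFAIL, "Failed to allocate SSL Server Context for %s (errno %d)\n", domain, errno) ;
	}

	// SSLv23_server_method negotiates the highest protocol both sides support but, without these options,
	// still permits SSLv2/SSLv3 on OpenSSL builds that include them. Refuse both outright.
	SSL_CTX_set_options(s_SSL_svrRegime->m_svrCTX, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3) ;

	SSL_CTX_set_tlsext_servername_callback(s_SSL_svrRegime->m_svrCTX, &SNI_Callback) ;

	// Load certificate, CA and private key; on failure drop the half-built regime so it is never used
	hzEcode	rc = LoadSvrCredentials(s_SSL_svrRegime->m_svrCTX, pvtKey, sslCert, sslCA) ;
	if (rc != E_OK)
	{
		DiscardSvrRegime() ;
		return rc ;
	}

	return E_OK ;
}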