1 /* Icinga 2 | (c) 2012 Icinga GmbH | GPLv2+ */ 2 3 #include "base/tlsstream.hpp" 4 #include "base/application.hpp" 5 #include "base/utility.hpp" 6 #include "base/exception.hpp" 7 #include "base/logger.hpp" 8 #include "base/configuration.hpp" 9 #include "base/convert.hpp" 10 #include <boost/asio/ssl/context.hpp> 11 #include <boost/asio/ssl/verify_context.hpp> 12 #include <boost/asio/ssl/verify_mode.hpp> 13 #include <iostream> 14 #include <openssl/ssl.h> 15 #include <openssl/tls1.h> 16 #include <openssl/x509.h> 17 #include <sstream> 18 19 using namespace icinga; 20 IsVerifyOK() const21bool UnbufferedAsioTlsStream::IsVerifyOK() const 22 { 23 return m_VerifyOK; 24 } 25 GetVerifyError() const26String UnbufferedAsioTlsStream::GetVerifyError() const 27 { 28 return m_VerifyError; 29 } 30 GetPeerCertificate()31std::shared_ptr<X509> UnbufferedAsioTlsStream::GetPeerCertificate() 32 { 33 return std::shared_ptr<X509>(SSL_get_peer_certificate(native_handle()), X509_free); 34 } 35 BeforeHandshake(handshake_type type)36void UnbufferedAsioTlsStream::BeforeHandshake(handshake_type type) 37 { 38 namespace ssl = boost::asio::ssl; 39 40 if (!m_Hostname.IsEmpty()) { 41 X509_VERIFY_PARAM_set1_host(SSL_get0_param(native_handle()), m_Hostname.CStr(), m_Hostname.GetLength()); 42 } 43 44 set_verify_mode(ssl::verify_peer | ssl::verify_client_once); 45 46 set_verify_callback([this](bool preverified, ssl::verify_context& ctx) { 47 if (!preverified) { 48 m_VerifyOK = false; 49 50 std::ostringstream msgbuf; 51 int err = X509_STORE_CTX_get_error(ctx.native_handle()); 52 53 msgbuf << "code " << err << ": " << X509_verify_cert_error_string(err); 54 m_VerifyError = msgbuf.str(); 55 } 56 57 return true; 58 }); 59 60 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME 61 if (type == client && !m_Hostname.IsEmpty()) { 62 String environmentName = Application::GetAppEnvironment(); 63 String serverName = m_Hostname; 64 65 if (!environmentName.IsEmpty()) 66 serverName += ":" + environmentName; 67 68 SSL_set_tlsext_host_name(native_handle(), serverName.CStr()); 69 } 70 #endif /* SSL_CTRL_SET_TLSEXT_HOSTNAME */ 71 } 72