Changeset 5087


Ignore:
Timestamp:
May 7, 2015 4:48:19 AM (10 years ago)
Author:
nanang
Message:

Close #1849: Enabled multiple TLS certificate chains (RSA+ECC+DSA) for server socket.

Location:
pjproject/trunk/pjlib
Files:
2 edited

Legend:

Unmodified
Added
Removed

  • pjproject/trunk/pjlib/include/pj/ssl_sock.h

    r5078 r5087  
    186186 
    187187/** 
    188  * Create credential from files. 
     188 * Create credential from files. TLS server application can provide multiple 
     189 * certificates (RSA, ECC, and DSA) by supplying certificate name with "_rsa" 
     190 * suffix, e.g: "pjsip_rsa.pem", the library will automatically check for 
     191 * other certificates with "_ecc" and "_dsa" suffix. 
    189192 * 
    190193 * @param CA_file       The file of trusted CA list. 
     
    204207 
    205208/** 
    206  * Create credential from files. 
     209 * Create credential from files. TLS server application can provide multiple 
     210 * certificates (RSA, ECC, and DSA) by supplying certificate name with "_rsa" 
     211 * suffix, e.g: "pjsip_rsa.pem", the library will automatically check for 
     212 * other certificates with "_ecc" and "_dsa" suffix. 
    207213 * 
    208214 * This is the same as pj_ssl_cert_load_from_files() but also 

  • pjproject/trunk/pjlib/src/pj/ssl_sock_ossl.c

    r5083 r5087  
    2222#include <pj/assert.h> 
    2323#include <pj/errno.h> 
     24#include <pj/file_access.h> 
    2425#include <pj/list.h> 
    2526#include <pj/lock.h> 
     
    672673 
    673674    if (ssock->is_server) { 
     675        char *p = NULL; 
     676 
     677        /* If certificate file name contains "_rsa.", let's check if there are 
     678         * ecc and dsa certificates too. 
     679         */ 
     680        if (cert && cert->cert_file.slen) { 
     681            const pj_str_t RSA = {"_rsa.", 5}; 
     682            p = pj_strstr(&cert->cert_file, &RSA); 
     683            if (p) p++; /* Skip underscore */ 
     684        } 
     685        if (p) { 
     686            /* Certificate type string length must be exactly 3 */ 
     687            enum { CERT_TYPE_LEN = 3 }; 
     688            const char* cert_types[] = { "ecc", "dsa" }; 
     689            char *cf = cert->cert_file.ptr; 
     690            int i; 
     691 
     692            /* Check and load ECC & DSA certificates & private keys */ 
     693            for (i = 0; i < PJ_ARRAY_SIZE(cert_types); ++i) { 
     694                int err; 
     695 
     696                pj_memcpy(p, cert_types[i], CERT_TYPE_LEN); 
     697                if (!pj_file_exists(cf)) 
     698                    continue; 
     699 
     700                err = SSL_CTX_use_certificate_chain_file(ctx, cf); 
     701                if (err == 1) 
     702                    err = SSL_CTX_use_PrivateKey_file(ctx, cf, 
     703                                                      SSL_FILETYPE_PEM); 
     704                if (err == 1) { 
     705                    PJ_LOG(4,(ssock->pool->obj_name, 
     706                              "Additional certificate '%s' loaded.", cf)); 
     707                } else { 
     708                    pj_perror(1, ssock->pool->obj_name, GET_SSL_STATUS(ssock), 
     709                              "Error loading certificate file '%s'", cf); 
     710                    ERR_clear_error(); 
     711                } 
     712            } 
     713 
     714            /* Put back original name */ 
     715            pj_memcpy(p, "rsa", CERT_TYPE_LEN); 
     716        } 
     717 
    674718    #ifndef SSL_CTRL_SET_ECDH_AUTO 
    675719        #define SSL_CTRL_SET_ECDH_AUTO 94 
Note: See TracChangeset for help on using the changeset viewer.