SSLContext

#include <icy/net/sslcontext.h>

class SSLContext

Defined in src/net/include/icy/net/sslcontext.h:44

OpenSSL SSL_CTX wrapper for client and server TLS configuration.

This class encapsulates context information for an SSL server or client, such as the certificate verification mode and the location of certificates and private key files, as well as the list of supported ciphers.

The Context class is also used to control SSL session caching on the server and client side.

List of all members

Name	Kind	Owner
`SSLContext`	`function`	Declared here
`SSLContext`	`function`	Declared here
`~SSLContext`	`function`	Declared here
`useCertificate`	`function`	Declared here
`addChainCertificate`	`function`	Declared here
`addVerificationCertificate`	`function`	Declared here
`sslContext`	`function`	Declared here
`usage`	`function`	Declared here
`isForServerUse`	`function`	Declared here
`verificationMode`	`function`	Declared here
`enableSessionCache`	`function`	Declared here
`enableSessionCache`	`function`	Declared here
`sessionCacheEnabled`	`function`	Declared here
`setSessionCacheSize`	`function`	Declared here
`getSessionCacheSize`	`function`	Declared here
`setSessionTimeout`	`function`	Declared here
`getSessionTimeout`	`function`	Declared here
`flushSessionCache`	`function`	Declared here
`disableStatelessSessionResumption`	`function`	Declared here
`setALPNProtocols`	`function`	Declared here
`SSLContext`	`function`	Declared here
`operator=`	`function`	Declared here
`SSLContext`	`function`	Declared here
`operator=`	`function`	Declared here
`enableSNI`	`function`	Declared here
`Usage`	`enum`	Declared here
`VerificationMode`	`enum`	Declared here
`Ptr`	`typedef`	Declared here
`_usage`	`variable`	Declared here
`_mode`	`variable`	Declared here
`_sslContext`	`variable`	Declared here
`_alpnWire`	`variable`	Declared here
`createSSLContext`	`function`	Declared here

Public Methods

Return	Name	Description
	`SSLContext`	Creates a Context.
	`SSLContext`	Creates a Context.
	`~SSLContext` `noexcept`	Destroys the Context.
`void`	`useCertificate`	Sets the certificate to be used by the Context.
`void`	`addChainCertificate`	Adds a certificate for certificate chain validation.
`void`	`addVerificationCertificate`	Sets the private key to be used by the Context.
`SSL_CTX *`	`sslContext` `const` `inline`	Returns the underlying OpenSSL SSL Context object.
`Usage`	`usage` `const` `inline`	Returns whether the context is for use by a client or by a server and whether TLSv1 is required.
`bool`	`isForServerUse` `const` `inline`	Returns true if the context is for use by a server.
`SSLContext::VerificationMode`	`verificationMode` `const` `inline`	Returns the verification mode.
`void`	`enableSessionCache`	Enable or disable SSL/TLS session caching. For session caching to work, it must be enabled on the server, as well as on the client side.
`void`	`enableSessionCache`	Enables or disables SSL/TLS session caching on the server. For session caching to work, it must be enabled on the server, as well as on the client side.
`bool`	`sessionCacheEnabled` `const`	Returns true if the session cache is enabled.
`void`	`setSessionCacheSize`	Sets the maximum size of the server session cache, in number of sessions. The default size (according to OpenSSL documentation) is 1024*20, which may be too large for many applications, especially on embedded platforms with limited memory.
`size_t`	`getSessionCacheSize` `const`	Returns the current maximum size of the server session cache.
`void`	`setSessionTimeout`	Sets the timeout (in seconds) of cached sessions on the server. A cached session will be removed from the cache if it has not been used for the given number of seconds.
`long`	`getSessionTimeout` `const`	Returns the timeout (in seconds) of cached sessions on the server.
`void`	`flushSessionCache`	Flushes the SSL session cache on the server.
`void`	`disableStatelessSessionResumption`	Newer versions of OpenSSL support RFC 4507 tickets for stateless session resumption.
`void`	`setALPNProtocols`	Set the ALPN protocols for negotiation. Protocols should be in preference order. Example: {"h2", "http/1.1"}
	`SSLContext`	Deleted constructor.
	`SSLContext`	Deleted constructor.

SSLContext

SSLContext(Usage usage, const std::string & privateKeyFile, const std::string & certificateFile, const std::string & caLocation, VerificationMode verificationMode = VERIFY_RELAXED, int verificationDepth = 9, bool loadDefaultCAs = false, const std::string & cipherList = "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH")

Defined in src/net/include/icy/net/sslcontext.h:123

Creates a Context.

usage specifies whether the context is used by a client or server.
privateKeyFile contains the path to the private key file used for encryption. Can be empty if no private key file is used.
certificateFile contains the path to the certificate file (in PEM format). If the private key and the certificate are stored in the same file, this can be empty if privateKeyFile is given.
caLocation contains the path to the file or directory containing the CA/root certificates. Can be empty if the OpenSSL builtin CA certificates are used (see loadDefaultCAs).
verificationMode specifies whether and how peer certificates are validated.
verificationDepth sets the upper limit for verification chain sizes. Verification will fail if a certificate chain larger than this is encountered.
loadDefaultCAs specifies whether the builtin CA certificates from OpenSSL are used.
cipherList specifies the supported ciphers in OpenSSL notation.

Note: If the private key is protected by a passphrase, a PrivateKeyPassphraseHandler must have been setup with the SSLManager, or the SSLManager's PrivateKeyPassphraseRequired event must be handled.

SSLContext

SSLContext(Usage usage, const std::string & caLocation, VerificationMode verificationMode = VERIFY_RELAXED, int verificationDepth = 9, bool loadDefaultCAs = false, const std::string & cipherList = "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH")

Defined in src/net/include/icy/net/sslcontext.h:148

Creates a Context.

usage specifies whether the context is used by a client or server.
caLocation contains the path to the file or directory containing the CA/root certificates. Can be empty if the OpenSSL builtin CA certificates are used (see loadDefaultCAs).
verificationMode specifies whether and how peer certificates are validated.
verificationDepth sets the upper limit for verification chain sizes. Verification will fail if a certificate chain larger than this is encountered.
loadDefaultCAs specifies whether the builtin CA certificates from OpenSSL are used.
cipherList specifies the supported ciphers in OpenSSL notation.

Note that a private key and/or certificate must be specified with usePrivateKey()/useCertificate() before the Context can be used.

~SSLContext

noexcept

~SSLContext() noexcept

Defined in src/net/include/icy/net/sslcontext.h:155

Destroys the Context.

useCertificate

void useCertificate(crypto::X509Certificate & certificate)

Defined in src/net/include/icy/net/sslcontext.h:165

Sets the certificate to be used by the Context.

To set-up a complete certificate chain, it might be necessary to call addChainCertificate() to specify additional certificates.

Note that useCertificate() must always be called before usePrivateKey().

addChainCertificate

void addChainCertificate(crypto::X509Certificate & certificate)

Defined in src/net/include/icy/net/sslcontext.h:168

Adds a certificate for certificate chain validation.

addVerificationCertificate

void addVerificationCertificate(crypto::X509Certificate & certificate)

Defined in src/net/include/icy/net/sslcontext.h:184

Sets the private key to be used by the Context.

Note that useCertificate() must always be called before usePrivateKey().

Note: If the private key is protected by a passphrase, a PrivateKeyPassphraseHandler must have been setup with the SSLManager, or the SSLManager's PrivateKeyPassphraseRequired event must be handled. Adds the given certificate to the list of trusted certificates that will be used for verification.

sslContext

const inline

inline SSL_CTX * sslContext() const

Defined in src/net/include/icy/net/sslcontext.h:187

Returns the underlying OpenSSL SSL Context object.

usage

const inline

inline Usage usage() const

Defined in src/net/include/icy/net/sslcontext.h:191

Returns whether the context is for use by a client or by a server and whether TLSv1 is required.

isForServerUse

const inline

inline bool isForServerUse() const

Defined in src/net/include/icy/net/sslcontext.h:194

Returns true if the context is for use by a server.

verificationMode

const inline

inline SSLContext::VerificationMode verificationMode() const

Defined in src/net/include/icy/net/sslcontext.h:197

Returns the verification mode.

enableSessionCache

void enableSessionCache(bool flag = true)

Defined in src/net/include/icy/net/sslcontext.h:208

Enable or disable SSL/TLS session caching. For session caching to work, it must be enabled on the server, as well as on the client side.

The default is disabled session caching.

To enable session caching on the server side, use the two-argument version of this method to specify a session ID context.

enableSessionCache

void enableSessionCache(bool flag, std::string_view sessionIdContext)

Defined in src/net/include/icy/net/sslcontext.h:225

Enables or disables SSL/TLS session caching on the server. For session caching to work, it must be enabled on the server, as well as on the client side.

SessionIdContext contains the application's unique session ID context, which becomes part of each session identifier generated by the server within this context. SessionIdContext can be an arbitrary sequence of bytes with a maximum length of SSL_MAX_SSL_SESSION_ID_LENGTH.

A non-empty sessionIdContext should be specified even if session caching is disabled to avoid problems with clients requesting to reuse a session (e.g. Firefox 3.6).

This method may only be called on SERVER_USE Context objects.

sessionCacheEnabled

const

bool sessionCacheEnabled() const

Defined in src/net/include/icy/net/sslcontext.h:228

Returns true if the session cache is enabled.

setSessionCacheSize

void setSessionCacheSize(size_t size)

Defined in src/net/include/icy/net/sslcontext.h:238

Sets the maximum size of the server session cache, in number of sessions. The default size (according to OpenSSL documentation) is 1024*20, which may be too large for many applications, especially on embedded platforms with limited memory.

Specifying a size of 0 will set an unlimited cache size.

This method may only be called on SERVER_USE Context objects.

getSessionCacheSize

const

size_t getSessionCacheSize() const

Defined in src/net/include/icy/net/sslcontext.h:243

Returns the current maximum size of the server session cache.

This method may only be called on SERVER_USE Context objects.

setSessionTimeout

void setSessionTimeout(long seconds)

Defined in src/net/include/icy/net/sslcontext.h:250

Sets the timeout (in seconds) of cached sessions on the server. A cached session will be removed from the cache if it has not been used for the given number of seconds.

This method may only be called on SERVER_USE Context objects.

getSessionTimeout

const

long getSessionTimeout() const

Defined in src/net/include/icy/net/sslcontext.h:255

Returns the timeout (in seconds) of cached sessions on the server.

This method may only be called on SERVER_USE Context objects.

flushSessionCache

void flushSessionCache()

Defined in src/net/include/icy/net/sslcontext.h:260

Flushes the SSL session cache on the server.

This method may only be called on SERVER_USE Context objects.

disableStatelessSessionResumption

void disableStatelessSessionResumption()

Defined in src/net/include/icy/net/sslcontext.h:266

Newer versions of OpenSSL support RFC 4507 tickets for stateless session resumption.

The feature can be disabled by calling this method.

setALPNProtocols

void setALPNProtocols(const std::vector< std::string > & protocols)

Defined in src/net/include/icy/net/sslcontext.h:271

Set the ALPN protocols for negotiation. Protocols should be in preference order. Example: {"h2", "http/1.1"}

SSLContext

SSLContext(const SSLContext &) = delete

Defined in src/net/include/icy/net/sslcontext.h:278

Deleted constructor.

SSLContext

SSLContext(SSLContext &&) = delete

Defined in src/net/include/icy/net/sslcontext.h:280

Deleted constructor.

Public Static Methods

Return	Name	Description
`void`	`enableSNI` `static`	Enable SNI (Server Name Indication) for a specific SSL connection. The hostname is sent during the TLS handshake to allow the server to select the appropriate certificate.

enableSNI

static

static void enableSNI(SSL * ssl, const std::string & hostname)

Defined in src/net/include/icy/net/sslcontext.h:276

Enable SNI (Server Name Indication) for a specific SSL connection. The hostname is sent during the TLS handshake to allow the server to select the appropriate certificate.

Public Types

Name	Description
`Usage`
`VerificationMode`
`Ptr`

Usage

enum Usage

Defined in src/net/include/icy/net/sslcontext.h:49

Value	Description
`CLIENT_USE`	Context is used by a client.
`SERVER_USE`	Context is used by a server.
`TLSV1_CLIENT_USE`	Context is used by a client requiring TLSv1.
`TLSV1_SERVER_USE`	Context is used by a server requiring TLSv2.

VerificationMode

enum VerificationMode

Defined in src/net/include/icy/net/sslcontext.h:57

Value	Description
`VERIFY_NONE`	Server: The server will not send a client certificate request to the client, so the client will not send a certificate.
`VERIFY_RELAXED`	Server: The server sends a client certificate request to the client. The certificate returned (if any) is checked. If the verification process fails, the TLS/SSL handshake is immediately terminated with an alert message containing the reason for the verification failure.
`VERIFY_STRICT`	Server: If the client did not return a certificate, the TLS/SSL handshake is immediately terminated with a handshake failure alert.
`VERIFY_ONCE`	Server: Only request a client certificate on the initial TLS/SSL handshake. Do not ask for a client certificate again in case of a renegotiation.

Ptr

using Ptr = std::shared_ptr< SSLContext >

Defined in src/net/include/icy/net/sslcontext.h:47

Private Attributes

Return	Name	Description
`Usage`	`_usage`
`VerificationMode`	`_mode`
`SSL_CTX *`	`_sslContext`
`std::vector< unsigned char >`	`_alpnWire`	Wire-format ALPN protocols for server selection.