Repository: nifi-minifi-cpp
Updated Branches:
  refs/heads/master 2efac2da5 -> 0c31102da


MINIFI-389 Added support for one-way TLS to SSLContextService

This closes #132.

Signed-off-by: Marc Parisi <phroc...@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/nifi-minifi-cpp/repo
Commit: http://git-wip-us.apache.org/repos/asf/nifi-minifi-cpp/commit/0c31102d
Tree: http://git-wip-us.apache.org/repos/asf/nifi-minifi-cpp/tree/0c31102d
Diff: http://git-wip-us.apache.org/repos/asf/nifi-minifi-cpp/diff/0c31102d

Branch: refs/heads/master
Commit: 0c31102da9227d32659e2ed861fd9eec36fd1467
Parents: 2efac2d
Author: Andrew I. Christianson <a...@andyic.org>
Authored: Fri Aug 25 16:24:12 2017 -0400
Committer: Marc Parisi <phroc...@apache.org>
Committed: Wed Aug 30 11:04:49 2017 -0400

----------------------------------------------------------------------
 .../include/controllers/SSLContextService.h     | 39 ++++++++++++--------
 libminifi/src/controllers/SSLContextService.cpp | 37 +++++++++++--------
 2 files changed, 44 insertions(+), 32 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/nifi-minifi-cpp/blob/0c31102d/libminifi/include/controllers/SSLContextService.h
----------------------------------------------------------------------
diff --git a/libminifi/include/controllers/SSLContextService.h 
b/libminifi/include/controllers/SSLContextService.h
index 9093d5f..c48d30f 100644
--- a/libminifi/include/controllers/SSLContextService.h
+++ b/libminifi/include/controllers/SSLContextService.h
@@ -100,27 +100,34 @@ class SSLContextService : public 
core::controller::ControllerService {
   }
 
   bool configure_ssl_context(SSL_CTX *ctx) {
-    if (SSL_CTX_use_certificate_file(ctx, certificate.c_str(), 
SSL_FILETYPE_PEM) <= 0) {
-      logger_->log_error("Could not create load certificate, error : %s", 
std::strerror(errno));
-      return false;
-    }
-    if (!IsNullOrEmpty(passphrase_)) {
-      SSL_CTX_set_default_passwd_cb_userdata(ctx, &passphrase_);
-      SSL_CTX_set_default_passwd_cb(ctx, pemPassWordCb);
+    if (!IsNullOrEmpty(certificate)) {
+      if (SSL_CTX_use_certificate_file(ctx, certificate.c_str(), 
SSL_FILETYPE_PEM) <= 0) {
+        logger_->log_error("Could not create load certificate, error : %s", 
std::strerror(errno));
+        return false;
+      }
+      if (!IsNullOrEmpty(passphrase_)) {
+        SSL_CTX_set_default_passwd_cb_userdata(ctx, &passphrase_);
+        SSL_CTX_set_default_passwd_cb(ctx, pemPassWordCb);
+      }
     }
 
-    int retp = SSL_CTX_use_PrivateKey_file(ctx, private_key_.c_str(), 
SSL_FILETYPE_PEM);
-    if (retp != 1) {
-      logger_->log_error("Could not create load private key,%i on %s error : 
%s", retp, private_key_, std::strerror(errno));
-      return false;
+    if (!IsNullOrEmpty(private_key_)) {
+      int retp = SSL_CTX_use_PrivateKey_file(ctx, private_key_.c_str(), 
SSL_FILETYPE_PEM);
+      if (retp != 1) {
+        logger_->log_error("Could not create load private key,%i on %s error : 
%s", retp, private_key_,
+                           std::strerror(errno));
+        return false;
+      }
+
+      if (!SSL_CTX_check_private_key(ctx)) {
+        logger_->log_error("Private key does not match the public certificate, 
error : %s", std::strerror(errno));
+        return false;
+      }
     }
 
-    if (!SSL_CTX_check_private_key(ctx)) {
-      logger_->log_error("Private key does not match the public certificate, 
error : %s", std::strerror(errno));
-      return false;
-    }
+    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, nullptr);
+    int retp = SSL_CTX_load_verify_locations(ctx, ca_certificate_.c_str(), 0);
 
-    retp = SSL_CTX_load_verify_locations(ctx, ca_certificate_.c_str(), 0);
     if (retp == 0) {
       logger_->log_error("Can not load CA certificate, Exiting, error : %s", 
std::strerror(errno));
       return false;
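Review bot: The new guards allow a certificate to be loaded without a private key: when `certificate` is set but `private_key_` is empty, the whole private-key block is skipped, so `SSL_CTX_check_private_key` never runs and configure_ssl_context returns true with a half-configured context that only fails later at handshake time. The same asymmetry is in createSSLContext in SSLContextService.cpp. Suggest rejecting the mismatch before the two blocks: `if (IsNullOrEmpty(certificate) != IsNullOrEmpty(private_key_)) { logger_->log_error("Certificate and private key must both be set or both be empty"); return false; }`. Separately, `std::strerror(errno)` reports the C library's errno, which OpenSSL does not set for these failures, so the logged reason is misleading; `ERR_get_error()` with `ERR_error_string_n` gives the real cause (pre-existing, but the message now also covers the one-way path). configure_ssl_context continues past the end of the hunk.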

http://git-wip-us.apache.org/repos/asf/nifi-minifi-cpp/blob/0c31102d/libminifi/src/controllers/SSLContextService.cpp
----------------------------------------------------------------------
diff --git a/libminifi/src/controllers/SSLContextService.cpp 
b/libminifi/src/controllers/SSLContextService.cpp
index 73c9e35..95ccbb0 100644
--- a/libminifi/src/controllers/SSLContextService.cpp
+++ b/libminifi/src/controllers/SSLContextService.cpp
@@ -51,27 +51,32 @@ std::unique_ptr<SSLContext> 
SSLContextService::createSSLContext() {
   method = TLSv1_2_client_method();
   SSL_CTX *ctx = SSL_CTX_new(method);
 
-  if (SSL_CTX_use_certificate_file(ctx, certificate.c_str(), SSL_FILETYPE_PEM) 
<= 0) {
-    logger_->log_error("Could not create load certificate, error : %s", 
std::strerror(errno));
-    return nullptr;
-  }
-  if (!IsNullOrEmpty(passphrase_)) {
-    SSL_CTX_set_default_passwd_cb_userdata(ctx, &passphrase_);
-    SSL_CTX_set_default_passwd_cb(ctx, pemPassWordCb);
+  if (!IsNullOrEmpty(certificate)) {
+    if (SSL_CTX_use_certificate_file(ctx, certificate.c_str(), 
SSL_FILETYPE_PEM) <= 0) {
+      logger_->log_error("Could not create load certificate, error : %s", 
std::strerror(errno));
+      return nullptr;
+    }
+    if (!IsNullOrEmpty(passphrase_)) {
+      SSL_CTX_set_default_passwd_cb_userdata(ctx, &passphrase_);
+      SSL_CTX_set_default_passwd_cb(ctx, pemPassWordCb);
+    }
   }
 
-  int retp = SSL_CTX_use_PrivateKey_file(ctx, private_key_.c_str(), 
SSL_FILETYPE_PEM);
-  if (retp != 1) {
-    logger_->log_error("Could not create load private key,%i on %s error : 
%s", retp, private_key_, std::strerror(errno));
-    return nullptr;
-  }
+  if (!IsNullOrEmpty(private_key_)) {
+    int retp = SSL_CTX_use_PrivateKey_file(ctx, private_key_.c_str(), 
SSL_FILETYPE_PEM);
+    if (retp != 1) {
+      logger_->log_error("Could not create load private key,%i on %s error : 
%s", retp, private_key_,
+                         std::strerror(errno));
+      return nullptr;
+    }
 
-  if (!SSL_CTX_check_private_key(ctx)) {
-    logger_->log_error("Private key does not match the public certificate, 
error : %s", std::strerror(errno));
-    return nullptr;
+    if (!SSL_CTX_check_private_key(ctx)) {
+      logger_->log_error("Private key does not match the public certificate, 
error : %s", std::strerror(errno));
+      return nullptr;
+    }
   }
 
-  retp = SSL_CTX_load_verify_locations(ctx, ca_certificate_.c_str(), 0);
+  int retp = SSL_CTX_load_verify_locations(ctx, ca_certificate_.c_str(), 0);
   if (retp == 0) {
     logger_->log_error("Can not load CA certificate, Exiting, error : %s", 
std::strerror(errno));
   }
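Review bot: A failed `SSL_CTX_load_verify_locations` at the end of the hunk is logged as "Exiting" but the function neither returns nullptr nor frees `ctx`, so with one-way TLS, where the CA bundle is the only material authenticating the peer, createSSLContext still hands back a context with no trust anchors; the header's configure_ssl_context returns false at this point and this copy should match, `return nullptr;` after the log_error. This hunk also does not call `SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, nullptr)` as the header version does; if it is not set later in the function (which starts before and continues after the hunk), the loaded CA is never consulted and the peer certificate is not verified. The `ctx` obtained from `SSL_CTX_new` is a raw local and is leaked on every early `return nullptr`, pre-existing but easy to close with `SSL_CTX_free(ctx)` before each return or a `std::unique_ptr<SSL_CTX, decltype(&SSL_CTX_free)>`.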
