Implement support for CRLs.
authorGunnar Beutner <gunnar.beutner@netways.de>
Wed, 13 Nov 2013 09:30:40 +0000 (10:30 +0100)
committerGunnar Beutner <gunnar.beutner@netways.de>
Wed, 13 Nov 2013 09:30:40 +0000 (10:30 +0100)
Fixes #3657

components/cluster/cluster-type.conf
components/cluster/clusterlistener.cpp
components/cluster/clusterlistener.ti
doc/4.3-object-types.md
lib/base/tlsutility.cpp
lib/base/tlsutility.h

index aa05d15f949962d327346c2879e1bc115aa7f4c8..9b881e4783acf94aa0c236f6da384b2d6138ccc1 100644 (file)
@@ -27,6 +27,8 @@ type ClusterListener {
        %attribute string "ca_path",
        %require "ca_path",
 
+       %attribute string "crl_path",
+
        %attribute string "bind_host",
        %attribute string "bind_port",
 
index 82d7e215309d21523a5024f9bf6573e95fa6fb65..634ee01418ba858c4073bfcd2fd914ad2db64116 100644 (file)
@@ -61,6 +61,9 @@ void ClusterListener::Start(void)
 
        m_SSLContext = MakeSSLContext(GetCertPath(), GetKeyPath(), GetCaPath());
 
+       if (!GetCrlPath().IsEmpty())
+               AddCRLToSSLContext(m_SSLContext, GetCrlPath());
+
        /* create the primary JSON-RPC listener */
        if (!GetBindPort().IsEmpty())
                AddListener(GetBindPort());
index 420a39efa6dafcd94cb67577526dfac918a164cb..ac54697b1fe1e753e5bd50a632624d594553c230 100644 (file)
@@ -8,6 +8,7 @@ class ClusterListener : DynamicObject
        [config] String cert_path;
        [config] String key_path;
        [config] String ca_path;
+       [config] String crl_path;
        [config] String bind_host;
        [config] String bind_port;
        [config] Array::Ptr peers;
index aead93bc35671db256b44ba854c4d71b4ddd7473..1526bae10f1ffa7aa911713fa54a39159c354fd8 100644 (file)
@@ -826,6 +826,7 @@ Attributes:
   cert\_path      |**Required.** Path to the public key.
   key\_path       |**Required.** Path to the private key.
   ca\_path        |**Required.** Path to the CA certificate file.
+  crl\_path       |**Optional.** Path to the CRL file.
   bind\_host      |**Optional.** The IP address the cluster listener should be bound to.
   bind\_port      |**Optional.** The port the cluster listener should be bound to.
   peers           |**Optional.** A list of
index 586e82a40babea25cb4c274f52c264415b3e5c64..52efeb3f7d86261dddf97cea3355b30756fda64c 100644 (file)
@@ -98,6 +98,38 @@ shared_ptr<SSL_CTX> MakeSSLContext(const String& pubkey, const String& privkey,
        return sslContext;
 }
 
+/**
+ * Loads a CRL and appends its certificates to the specified SSL context.
+ *
+ * @param context The SSL context.
+ * @param crlPath The path to the CRL file.
+ */
+void AddCRLToSSLContext(const shared_ptr<SSL_CTX>& context, const String& crlPath)
+{
+       X509_STORE *x509_store = SSL_CTX_get_cert_store(context.get());
+
+       X509_LOOKUP *lookup;
+       lookup = X509_STORE_add_lookup(x509_store, X509_LOOKUP_file());
+
+       if (!lookup) {
+               BOOST_THROW_EXCEPTION(openssl_error()
+                       << boost::errinfo_api_function("X509_STORE_add_lookup")
+                       << errinfo_openssl_error(ERR_get_error()));
+       }
+
+       if (X509_LOOKUP_load_file(lookup, crlPath.CStr(), X509_FILETYPE_PEM) != 0) {
+               BOOST_THROW_EXCEPTION(openssl_error()
+                       << boost::errinfo_api_function("X509_LOOKUP_load_file")
+                       << errinfo_openssl_error(ERR_get_error())
+                       << boost::errinfo_file_name(crlPath));
+       }
+
+       X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new();
+       X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
+       SSL_CTX_set1_param(context.get(), param);
+       X509_VERIFY_PARAM_free(param);
+}
+
 /**
  * Retrieves the common name for an X509 certificate.
  *
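Review bot: The success test on the `X509_LOOKUP_load_file` call is inverted: that call returns 1 on success and 0 on failure, so the `!= 0` comparison throws `openssl_error` precisely when the CRL file was loaded, and lets a failed load fall through silently; the check should read `if (X509_LOOKUP_load_file(lookup, crlPath.CStr(), X509_FILETYPE_PEM) != 1) {`. Relatedly, `X509_V_FLAG_CRL_CHECK` only consults a CRL for the leaf certificate; if revocation of intermediate CA certificates should also be enforced, the flags passed to `X509_VERIFY_PARAM_set_flags` would need `X509_V_FLAG_CRL_CHECK_ALL` as well, and with either flag set verification fails for any issuer whose CRL is absent, which is worth stating in the doc comment. `X509_VERIFY_PARAM_new()` can return NULL on allocation failure, so a guard of the same form as the `lookup` check (`if (!param) { BOOST_THROW_EXCEPTION(openssl_error() << boost::errinfo_api_function("X509_VERIFY_PARAM_new") << errinfo_openssl_error(ERR_get_error())); }`) belongs before `X509_VERIFY_PARAM_set_flags`. The doc comment's "appends its certificates" also misdescribes the effect; `Loads the certificates and CRLs in a PEM file into the context's trust store and enables CRL checking of the peer certificate.` would match what the code does.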
index e0eb4e971cff62c64799966f480c69edcf3c65bb..ee34d6c8c2d02964de679195eefb3c4030919624 100644 (file)
@@ -34,6 +34,7 @@ namespace icinga
 {
 
 shared_ptr<SSL_CTX> I2_BASE_API MakeSSLContext(const String& pubkey, const String& privkey, const String& cakey);
+void I2_BASE_API AddCRLToSSLContext(const shared_ptr<SSL_CTX>& context, const String& crlPath);
 String I2_BASE_API GetCertificateCN(const shared_ptr<X509>& certificate);
 shared_ptr<X509> I2_BASE_API GetX509Certificate(const String& pemfile);
 String I2_BASE_API SHA256(const String& s);