2 * Copyright (c) 2015, Facebook, Inc.
5 * This source code is licensed under the BSD-style license found in the
6 * LICENSE file in the root directory of this source tree. An additional grant
7 * of patent rights can be found in the PATENTS file in the same directory.
13 #include <folly/io/async/SSLContext.h>
 * SSLContextConfig describes the configuration options for
 * an SSL_CTX. For example:
20 * 1. Filename of X509, private key and its password.
23 * 4. Is session cache enabled?
24 * 5. Is it the default X509 in SNI operation?
25 * 6. .... and a few more
29 struct SSLContextConfig {
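// Rule of Zero: no user-declared destructor, so the implicit move
// constructor/assignment are generated. A `~SSLContextConfig() = default;`
// counts as user-declared and would suppress them, forcing every move of a
// config (cipher strings, certificate list, callbacks) to be a deep copy.
SSLContextConfig() = default;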
33 struct CertificateInfo {
34 CertificateInfo(const std::string& crtPath,
35 const std::string& kyPath,
36 const std::string& passwdPath)
37 : certPath(crtPath), keyPath(kyPath), passwordPath(passwdPath) {}
40 std::string passwordPath;
44 * Helpers to set/add a certificate
46 void setCertificate(const std::string& certPath,
47 const std::string& keyPath,
48 const std::string& passwordPath) {
50 addCertificate(certPath, keyPath, passwordPath);
53 void addCertificate(const std::string& certPath,
54 const std::string& keyPath,
55 const std::string& passwordPath) {
56 certificates.emplace_back(certPath, keyPath, passwordPath);
60 * Set the optional list of protocols to advertise via TLS
61 * Next Protocol Negotiation. An empty list means NPN is not enabled.
63 void setNextProtocols(const std::list<std::string>& inNextProtocols) {
64 nextProtocols.clear();
65 nextProtocols.emplace_back(1, inNextProtocols);
// Callback type used by sniNoMatchFn; receives the SNI server name that
// matched no configured certificate.
typedef std::function<bool(char const* server_name)> SNINoMatchFn;
// Certificates in the order they were appended by addCertificate().
std::vector<CertificateInfo> certificates;
// Version handed to the SSLContext. NOTE(review): whether this acts as a
// minimum version or an exact one is decided by SSLContext, not here — confirm.
folly::SSLContext::SSLVersion sslVersion{
    folly::SSLContext::TLSv1};
bool sessionCacheEnabled{true};
bool sessionTicketEnabled{true};
bool clientHelloParsingEnabled{false};
// Default OpenSSL cipher list. It still advertises RC4 (RC4-SHA, RC4-MD5,
// ECDHE-*-RC4-SHA) and 3DES (DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA) suites,
// which are widely regarded as weak; deployments that must not negotiate
// them should override sslCiphers rather than rely on this default.
std::string sslCiphers{
"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:"
"ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:"
"ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:"
"AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:"
"ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:RC4-SHA:RC4-MD5:"
"ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA"};
// Named ECDH curve to use; NOTE(review): empty presumably means the
// SSLContext default — confirm there.
std::string eccCurveName;
// Ciphers to negotiate if TLS version >= 1.1. NOTE(review): empty presumably
// means sslCiphers applies to every version — confirm in SSLContext.
std::string tls11Ciphers{""};
86 // Weighted lists of NPN strings to advertise
87 std::list<folly::SSLContext::NextProtocolsItem>
// NOTE(review): not documented here; presumably distinguishes a private key
// read from a local file from one provided by other means — confirm against
// the code that consumes this config.
bool isLocalPrivateKey{true};
// Should this SSLContextConfig be the default for SNI purposes
bool isDefault{false};
// Callback function to invoke when there are no matching certificates
// (will only be invoked once)
SNINoMatchFn sniNoMatchFn;
// File containing the trusted CAs used to validate client certificates
std::string clientCAFile;