+void SSLContext::setCipherList(const std::vector<std::string>& ciphers) {
+ if (ciphers.size() == 0) {
+ return;
+ }
+ std::string opensslCipherList;
+ join(":", ciphers, opensslCipherList);
+ setCiphersOrThrow(opensslCipherList);
+}
+
+void SSLContext::setSignatureAlgorithms(
+ const std::vector<std::string>& sigalgs) {
+ if (sigalgs.size() == 0) {
+ return;
+ }
+#if OPENSSL_VERSION_NUMBER >= 0x1000200fL
+ std::string opensslSigAlgsList;
+ join(":", sigalgs, opensslSigAlgsList);
+ int rc = SSL_CTX_set1_sigalgs_list(ctx_, opensslSigAlgsList.c_str());
+ if (rc == 0) {
+ throw std::runtime_error("SSL_CTX_set1_sigalgs_list " + getErrors());
+ }
+#endif
+}
+
+void SSLContext::setClientECCurvesList(
+ const std::vector<std::string>& ecCurves) {
+ if (ecCurves.size() == 0) {
+ return;
+ }
+#if OPENSSL_VERSION_NUMBER >= 0x1000200fL
+ std::string ecCurvesList;
+ join(":", ecCurves, ecCurvesList);
+ int rc = SSL_CTX_set1_curves_list(ctx_, ecCurvesList.c_str());
+ if (rc == 0) {
+ throw std::runtime_error("SSL_CTX_set1_curves_list " + getErrors());
+ }
+#endif
+}
+
+void SSLContext::setServerECCurve(const std::string& curveName) {
+ bool validCall = false;
+#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
+#ifndef OPENSSL_NO_ECDH
+ validCall = true;
+#endif
+#endif
+ if (!validCall) {
+ throw std::runtime_error("Elliptic curve encryption not allowed");
+ }
+
+ EC_KEY* ecdh = nullptr;
+ int nid;
+
+ /*
+ * Elliptic-Curve Diffie-Hellman parameters are either "named curves"
+ * from RFC 4492 section 5.1.1, or explicitly described curves over
+ * binary fields. OpenSSL only supports the "named curves", which provide
+ * maximum interoperability.
+ */
+
+ nid = OBJ_sn2nid(curveName.c_str());
+ if (nid == 0) {
+ LOG(FATAL) << "Unknown curve name:" << curveName.c_str();
+ return;
+ }
+ ecdh = EC_KEY_new_by_curve_name(nid);
+ if (ecdh == nullptr) {
+ LOG(FATAL) << "Unable to create curve:" << curveName.c_str();
+ return;
+ }
+
+ SSL_CTX_set_tmp_ecdh(ctx_, ecdh);
+ EC_KEY_free(ecdh);
+}
+
+void SSLContext::setX509VerifyParam(
+ const ssl::X509VerifyParam& x509VerifyParam) {
+ if (!x509VerifyParam) {
+ return;
+ }
+ if (SSL_CTX_set1_param(ctx_, x509VerifyParam.get()) != 1) {
+ throw std::runtime_error("SSL_CTX_set1_param " + getErrors());
+ }
+}
+