#include <string>
#include <random>
+// This has to come before SSL.
+#include <folly/portability/Sockets.h>
+
#include <openssl/ssl.h>
#include <openssl/tls1.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-
#include <glog/logging.h>
#ifndef FOLLY_NO_CONFIG
#include <folly/folly-config.h>
#endif
-#include <folly/Random.h>
#include <folly/Range.h>
#include <folly/io/async/ssl/OpenSSLPtrTypes.h>
#include <folly/io/async/ssl/OpenSSLUtils.h>
* @param password Pass collected password back to OpenSSL
* @param size Maximum length of password including nullptr character
*/
- virtual void getPassword(std::string& password, int size) = 0;
+ virtual void getPassword(std::string& password, int size) const = 0;
/**
* Return a description of this collector for logging purposes
*/
virtual void ciphers(const std::string& ciphers);
+ /**
+ * Set default ciphers to be used in SSL handshake process.
+ *
+ * @param ciphers A list of ciphers to use for TLS.
+ */
+ virtual void setCipherList(const std::vector<std::string>& ciphers);
+
/**
* Low-level method that attempts to set the provided ciphers on the
* SSL_CTX object, and throws if something goes wrong.
*/
virtual void setCiphersOrThrow(const std::string& ciphers);
+ /**
+ * Sets the signature algorithms to be used during SSL negotiation
+ * for TLS1.2+
+ *
+ * @param sigalgs A list of signature algorithms, eg. RSA+SHA512
+ */
+ void setSignatureAlgorithms(const std::vector<std::string>& sigalgs);
+
+ /**
+ * Sets the list of EC curves supported by the client.
+ *
+ * @param ecCurves A list of ec curves, eg: P-256
+ */
+ void setClientECCurvesList(const std::vector<std::string>& ecCurves);
+
+ /**
+ * Method to add support for a specific elliptic curve encryption algorithm.
+ *
+ * @param curveName: The name of the ec curve to support, eg: prime256v1.
+ */
+ void setServerECCurve(const std::string& curveName);
+
+ /**
+ * Sets an x509 verification param on the context.
+ */
+ void setX509VerifyParam(const ssl::X509VerifyParam& x509VerifyParam);
+
/**
* Method to set verification option in the context object.
*
/**
* We want to vary which cipher we'll use based on the client's TLS version.
+ *
+ * XXX: The refernces to tls11CipherString and tls11AltCipherlist are reused
+ * for * each >= TLS 1.1 handshake, so we expect these fields to not change.
*/
void switchCiphersIfTLS11(
- SSL* ssl,
- const std::string& tls11CipherString
- );
+ SSL* ssl,
+ const std::string& tls11CipherString,
+ const std::vector<std::pair<std::string, int>>& tls11AltCipherlist);
bool checkPeerName() { return checkPeerName_; }
std::string peerFixedName() { return peerFixedName_; }
static bool initialized_;
+ // To provide control over choice of server ciphersuites
+ std::unique_ptr<std::discrete_distribution<int>> cipherListPicker_;
+
#ifdef OPENSSL_NPN_NEGOTIATED
struct AdvertisedNextProtocolsItem {
std::vector<AdvertisedNextProtocolsItem> advertisedNextProtocols_;
std::vector<int> advertisedNextProtocolWeights_;
std::discrete_distribution<int> nextProtocolDistribution_;
- Random::DefaultGenerator nextProtocolPicker_;
static int sNextProtocolsExDataIndex_;