From f7176051f816980a985beeb9b8a907dddd0dc0e3 Mon Sep 17 00:00:00 2001
From: Kyle Nekritz
Date: Thu, 15 Oct 2015 08:19:48 -0700
Subject: [PATCH] Add framework for switching certs based on signature_algorithms TLS extension.
Summary: Added support for switching SSLContexts based on the signature_algorithms extension. This diff does not currently include any logic for determining which certs use SHA1 or not. Some thoughts: - This is a little scary since it defaults to SHA1 (assuming the client can't support SHA256 if we don't see SHA256 specifically in the hello extension). We need to be 100% sure that all clients that are going to reject SHA1 are sending this, and that we identify it correctly. - We should add logging to see when we think a client needs SHA1, when we actually give SHA1, etc. I'm not sure what the best way to do this is with our logging infrastructure. - This is not setup to serve any SHA1 certs to SHA256 supporting clients.
Reviewed By: @siyengar
Differential Revision: D2408773
fb-gh-sync-id: 48ad9cdfaae25e144c0964b9bfb1c342b137ffca
---
 folly/io/async/AsyncSSLSocket.cpp | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/folly/io/async/AsyncSSLSocket.cpp b/folly/io/async/AsyncSSLSocket.cpp
index e7a556c0..9ca8e8e5 100644
--- a/folly/io/async/AsyncSSLSocket.cpp
+++ b/folly/io/async/AsyncSSLSocket.cpp
@@ -807,6 +807,15 @@ int AsyncSSLSocket::getSSLVersion() const {
 return (ssl_ != nullptr) ? SSL_version(ssl_) : 0;
 }
+const char *AsyncSSLSocket::getSSLCertSigAlgName() const {
+ X509 *cert = (ssl_ != nullptr) ? SSL_get_certificate(ssl_) : nullptr;
+ if (cert) {
+ int nid = OBJ_obj2nid(cert->sig_alg->algorithm);
+ return OBJ_nid2ln(nid);
+ }
+ return nullptr;
+}
+
 int AsyncSSLSocket::getSSLCertSize() const {
 int certSize = 0;
 X509 *cert = (ssl_ != nullptr) ? SSL_get_certificate(ssl_) : nullptr;
--
2.34.1
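Review bot: The added `getSSLCertSigAlgName()` reads the signature OID through the struct internals `cert->sig_alg->algorithm`, which ties the code to the X509 layout and stops compiling once the OpenSSL build makes that struct opaque. Where the linked OpenSSL provides it, prefer the accessor: `int nid = X509_get_signature_nid(cert);`. The function also needs a comment stating its contract, for example `// Long name of the signature algorithm on the local certificate selected for this SSL object; nullptr if there is no SSL object or no certificate. The string is owned by OpenSSL and must not be freed.` Since `SSL_get_certificate()` returns the local certificate rather than the peer's, spelling that out matters if this value is going to feed logging of which certificate was actually served, and callers must handle the nullptr case before formatting it.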