3 * Copyright 2008, Google Inc.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions are met:
8 * 1. Redistributions of source code must retain the above copyright notice,
9 * this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright notice,
11 * this list of conditions and the following disclaimer in the documentation
12 * and/or other materials provided with the distribution.
13 * 3. The name of the author may not be used to endorse or promote products
14 * derived from this software without specific prior written permission.
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
17 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
18 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
19 * EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
20 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
21 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
22 * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
23 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
24 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
25 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 #if HAVE_OPENSSL_SSL_H
30 #include "talk/base/openssladapter.h"
36 // Must be included first before openssl headers.
37 #include "talk/base/win32.h" // NOLINT
39 #include <openssl/bio.h>
40 #include <openssl/crypto.h>
41 #include <openssl/err.h>
42 #include <openssl/opensslv.h>
43 #include <openssl/rand.h>
44 #include <openssl/ssl.h>
45 #include <openssl/x509v3.h>
49 #endif // HAVE_CONFIG_H
51 #include "talk/base/common.h"
52 #include "talk/base/logging.h"
53 #include "talk/base/sslroots.h"
54 #include "talk/base/stringutils.h"
56 // TODO: Use a nicer abstraction for mutex.
59 #define MUTEX_TYPE HANDLE
60 #define MUTEX_SETUP(x) (x) = CreateMutex(NULL, FALSE, NULL)
61 #define MUTEX_CLEANUP(x) CloseHandle(x)
62 #define MUTEX_LOCK(x) WaitForSingleObject((x), INFINITE)
63 #define MUTEX_UNLOCK(x) ReleaseMutex(x)
64 #define THREAD_ID GetCurrentThreadId()
65 #elif defined(_POSIX_THREADS)
66 // _POSIX_THREADS is normally defined in unistd.h if pthreads are available
68 #define MUTEX_TYPE pthread_mutex_t
69 #define MUTEX_SETUP(x) pthread_mutex_init(&(x), NULL)
70 #define MUTEX_CLEANUP(x) pthread_mutex_destroy(&(x))
71 #define MUTEX_LOCK(x) pthread_mutex_lock(&(x))
72 #define MUTEX_UNLOCK(x) pthread_mutex_unlock(&(x))
73 #define THREAD_ID pthread_self()
75 #error You must define mutex operations appropriate for your platform!
78 struct CRYPTO_dynlock_value {
82 //////////////////////////////////////////////////////////////////////
84 //////////////////////////////////////////////////////////////////////
86 static int socket_write(BIO* h, const char* buf, int num);
87 static int socket_read(BIO* h, char* buf, int size);
88 static int socket_puts(BIO* h, const char* str);
89 static long socket_ctrl(BIO* h, int cmd, long arg1, void* arg2);
90 static int socket_new(BIO* h);
91 static int socket_free(BIO* data);
93 static BIO_METHOD methods_socket = {
106 BIO_METHOD* BIO_s_socket2() { return(&methods_socket); }
108 BIO* BIO_new_socket(talk_base::AsyncSocket* socket) {
109 BIO* ret = BIO_new(BIO_s_socket2());
117 static int socket_new(BIO* b) {
120 b->num = 0; // 1 means socket closed
125 static int socket_free(BIO* b) {
131 static int socket_read(BIO* b, char* out, int outl) {
134 talk_base::AsyncSocket* socket = static_cast<talk_base::AsyncSocket*>(b->ptr);
135 BIO_clear_retry_flags(b);
136 int result = socket->Recv(out, outl);
139 } else if (result == 0) {
141 } else if (socket->IsBlocking()) {
142 BIO_set_retry_read(b);
147 static int socket_write(BIO* b, const char* in, int inl) {
150 talk_base::AsyncSocket* socket = static_cast<talk_base::AsyncSocket*>(b->ptr);
151 BIO_clear_retry_flags(b);
152 int result = socket->Send(in, inl);
155 } else if (socket->IsBlocking()) {
156 BIO_set_retry_write(b);
161 static int socket_puts(BIO* b, const char* str) {
162 return socket_write(b, str, strlen(str));
165 static long socket_ctrl(BIO* b, int cmd, long num, void* ptr) {
174 case BIO_CTRL_WPENDING:
175 case BIO_CTRL_PENDING:
184 /////////////////////////////////////////////////////////////////////////////
186 /////////////////////////////////////////////////////////////////////////////
188 namespace talk_base {
190 // This array will store all of the mutexes available to OpenSSL.
191 static MUTEX_TYPE* mutex_buf = NULL;
193 static void locking_function(int mode, int n, const char * file, int line) {
194 if (mode & CRYPTO_LOCK) {
195 MUTEX_LOCK(mutex_buf[n]);
197 MUTEX_UNLOCK(mutex_buf[n]);
201 static unsigned long id_function() { // NOLINT
202 // Use old-style C cast because THREAD_ID's type varies with the platform,
203 // in some cases requiring static_cast, and in others requiring
205 return (unsigned long)THREAD_ID; // NOLINT
208 static CRYPTO_dynlock_value* dyn_create_function(const char* file, int line) {
209 CRYPTO_dynlock_value* value = new CRYPTO_dynlock_value;
212 MUTEX_SETUP(value->mutex);
216 static void dyn_lock_function(int mode, CRYPTO_dynlock_value* l,
217 const char* file, int line) {
218 if (mode & CRYPTO_LOCK) {
219 MUTEX_LOCK(l->mutex);
221 MUTEX_UNLOCK(l->mutex);
225 static void dyn_destroy_function(CRYPTO_dynlock_value* l,
226 const char* file, int line) {
227 MUTEX_CLEANUP(l->mutex);
231 VerificationCallback OpenSSLAdapter::custom_verify_callback_ = NULL;
233 bool OpenSSLAdapter::InitializeSSL(VerificationCallback callback) {
234 if (!InitializeSSLThread() || !SSL_library_init())
236 #if !defined(ADDRESS_SANITIZER) || !defined(OSX)
237 // Loading the error strings crashes mac_asan. Omit this debugging aid there.
238 SSL_load_error_strings();
240 ERR_load_BIO_strings();
241 OpenSSL_add_all_algorithms();
243 custom_verify_callback_ = callback;
247 bool OpenSSLAdapter::InitializeSSLThread() {
248 mutex_buf = new MUTEX_TYPE[CRYPTO_num_locks()];
251 for (int i = 0; i < CRYPTO_num_locks(); ++i)
252 MUTEX_SETUP(mutex_buf[i]);
254 // we need to cast our id_function to return an unsigned long -- pthread_t is
256 CRYPTO_set_id_callback(id_function);
257 CRYPTO_set_locking_callback(locking_function);
258 CRYPTO_set_dynlock_create_callback(dyn_create_function);
259 CRYPTO_set_dynlock_lock_callback(dyn_lock_function);
260 CRYPTO_set_dynlock_destroy_callback(dyn_destroy_function);
264 bool OpenSSLAdapter::CleanupSSL() {
267 CRYPTO_set_id_callback(NULL);
268 CRYPTO_set_locking_callback(NULL);
269 CRYPTO_set_dynlock_create_callback(NULL);
270 CRYPTO_set_dynlock_lock_callback(NULL);
271 CRYPTO_set_dynlock_destroy_callback(NULL);
272 for (int i = 0; i < CRYPTO_num_locks(); ++i)
273 MUTEX_CLEANUP(mutex_buf[i]);
279 OpenSSLAdapter::OpenSSLAdapter(AsyncSocket* socket)
280 : SSLAdapter(socket),
282 ssl_read_needs_write_(false),
283 ssl_write_needs_read_(false),
285 ssl_(NULL), ssl_ctx_(NULL),
286 custom_verification_succeeded_(false) {
289 OpenSSLAdapter::~OpenSSLAdapter() {
294 OpenSSLAdapter::StartSSL(const char* hostname, bool restartable) {
295 if (state_ != SSL_NONE)
298 ssl_host_name_ = hostname;
299 restartable_ = restartable;
301 if (socket_->GetState() != Socket::CS_CONNECTED) {
306 state_ = SSL_CONNECTING;
307 if (int err = BeginSSL()) {
308 Error("BeginSSL", err, false);
316 OpenSSLAdapter::BeginSSL() {
317 LOG(LS_INFO) << "BeginSSL: " << ssl_host_name_;
318 ASSERT(state_ == SSL_CONNECTING);
323 // First set up the context
325 ssl_ctx_ = SetupSSLContext();
332 bio = BIO_new_socket(static_cast<AsyncSocketAdapter*>(socket_));
338 ssl_ = SSL_new(ssl_ctx_);
344 SSL_set_app_data(ssl_, this);
346 SSL_set_bio(ssl_, bio, bio);
347 SSL_set_mode(ssl_, SSL_MODE_ENABLE_PARTIAL_WRITE |
348 SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
350 // the SSL object owns the bio now
369 OpenSSLAdapter::ContinueSSL() {
370 ASSERT(state_ == SSL_CONNECTING);
372 int code = SSL_connect(ssl_);
373 switch (SSL_get_error(ssl_, code)) {
375 if (!SSLPostConnectionCheck(ssl_, ssl_host_name_.c_str())) {
376 LOG(LS_ERROR) << "TLS post connection check failed";
377 // make sure we close the socket
379 // The connect failed so return -1 to shut down the socket
383 state_ = SSL_CONNECTED;
384 AsyncSocketAdapter::OnConnectEvent(this);
385 #if 0 // TODO: worry about this
386 // Don't let ourselves go away during the callbacks
387 PRefPtr<OpenSSLAdapter> lock(this);
388 LOG(LS_INFO) << " -- onStreamReadable";
389 AsyncSocketAdapter::OnReadEvent(this);
390 LOG(LS_INFO) << " -- onStreamWriteable";
391 AsyncSocketAdapter::OnWriteEvent(this);
395 case SSL_ERROR_WANT_READ:
396 case SSL_ERROR_WANT_WRITE:
399 case SSL_ERROR_ZERO_RETURN:
401 LOG(LS_WARNING) << "ContinueSSL -- error " << code;
402 return (code != 0) ? code : -1;
409 OpenSSLAdapter::Error(const char* context, int err, bool signal) {
410 LOG(LS_WARNING) << "OpenSSLAdapter::Error("
411 << context << ", " << err << ")";
415 AsyncSocketAdapter::OnCloseEvent(this, err);
419 OpenSSLAdapter::Cleanup() {
420 LOG(LS_INFO) << "Cleanup";
423 ssl_read_needs_write_ = false;
424 ssl_write_needs_read_ = false;
425 custom_verification_succeeded_ = false;
433 SSL_CTX_free(ssl_ctx_);
439 // AsyncSocket Implementation
443 OpenSSLAdapter::Send(const void* pv, size_t cb) {
444 //LOG(LS_INFO) << "OpenSSLAdapter::Send(" << cb << ")";
448 return AsyncSocketAdapter::Send(pv, cb);
452 SetError(EWOULDBLOCK);
463 // OpenSSL will return an error if we try to write zero bytes
467 ssl_write_needs_read_ = false;
469 int code = SSL_write(ssl_, pv, cb);
470 switch (SSL_get_error(ssl_, code)) {
472 //LOG(LS_INFO) << " -- success";
474 case SSL_ERROR_WANT_READ:
475 //LOG(LS_INFO) << " -- error want read";
476 ssl_write_needs_read_ = true;
477 SetError(EWOULDBLOCK);
479 case SSL_ERROR_WANT_WRITE:
480 //LOG(LS_INFO) << " -- error want write";
481 SetError(EWOULDBLOCK);
483 case SSL_ERROR_ZERO_RETURN:
484 //LOG(LS_INFO) << " -- remote side closed";
485 SetError(EWOULDBLOCK);
486 // do we need to signal closure?
489 //LOG(LS_INFO) << " -- error " << code;
490 Error("SSL_write", (code ? code : -1), false);
498 OpenSSLAdapter::Recv(void* pv, size_t cb) {
499 //LOG(LS_INFO) << "OpenSSLAdapter::Recv(" << cb << ")";
503 return AsyncSocketAdapter::Recv(pv, cb);
507 SetError(EWOULDBLOCK);
518 // Don't trust OpenSSL with zero byte reads
522 ssl_read_needs_write_ = false;
524 int code = SSL_read(ssl_, pv, cb);
525 switch (SSL_get_error(ssl_, code)) {
527 //LOG(LS_INFO) << " -- success";
529 case SSL_ERROR_WANT_READ:
530 //LOG(LS_INFO) << " -- error want read";
531 SetError(EWOULDBLOCK);
533 case SSL_ERROR_WANT_WRITE:
534 //LOG(LS_INFO) << " -- error want write";
535 ssl_read_needs_write_ = true;
536 SetError(EWOULDBLOCK);
538 case SSL_ERROR_ZERO_RETURN:
539 //LOG(LS_INFO) << " -- remote side closed";
540 SetError(EWOULDBLOCK);
541 // do we need to signal closure?
544 //LOG(LS_INFO) << " -- error " << code;
545 Error("SSL_read", (code ? code : -1), false);
553 OpenSSLAdapter::Close() {
555 state_ = restartable_ ? SSL_WAIT : SSL_NONE;
556 return AsyncSocketAdapter::Close();
560 OpenSSLAdapter::GetState() const {
562 // return CS_CONNECTED;
563 ConnState state = socket_->GetState();
564 if ((state == CS_CONNECTED)
565 && ((state_ == SSL_WAIT) || (state_ == SSL_CONNECTING)))
566 state = CS_CONNECTING;
571 OpenSSLAdapter::OnConnectEvent(AsyncSocket* socket) {
572 LOG(LS_INFO) << "OpenSSLAdapter::OnConnectEvent";
573 if (state_ != SSL_WAIT) {
574 ASSERT(state_ == SSL_NONE);
575 AsyncSocketAdapter::OnConnectEvent(socket);
579 state_ = SSL_CONNECTING;
580 if (int err = BeginSSL()) {
581 AsyncSocketAdapter::OnCloseEvent(socket, err);
586 OpenSSLAdapter::OnReadEvent(AsyncSocket* socket) {
587 //LOG(LS_INFO) << "OpenSSLAdapter::OnReadEvent";
589 if (state_ == SSL_NONE) {
590 AsyncSocketAdapter::OnReadEvent(socket);
594 if (state_ == SSL_CONNECTING) {
595 if (int err = ContinueSSL()) {
596 Error("ContinueSSL", err);
601 if (state_ != SSL_CONNECTED)
604 // Don't let ourselves go away during the callbacks
605 //PRefPtr<OpenSSLAdapter> lock(this); // TODO: fix this
606 if (ssl_write_needs_read_) {
607 //LOG(LS_INFO) << " -- onStreamWriteable";
608 AsyncSocketAdapter::OnWriteEvent(socket);
611 //LOG(LS_INFO) << " -- onStreamReadable";
612 AsyncSocketAdapter::OnReadEvent(socket);
616 OpenSSLAdapter::OnWriteEvent(AsyncSocket* socket) {
617 //LOG(LS_INFO) << "OpenSSLAdapter::OnWriteEvent";
619 if (state_ == SSL_NONE) {
620 AsyncSocketAdapter::OnWriteEvent(socket);
624 if (state_ == SSL_CONNECTING) {
625 if (int err = ContinueSSL()) {
626 Error("ContinueSSL", err);
631 if (state_ != SSL_CONNECTED)
634 // Don't let ourselves go away during the callbacks
635 //PRefPtr<OpenSSLAdapter> lock(this); // TODO: fix this
637 if (ssl_read_needs_write_) {
638 //LOG(LS_INFO) << " -- onStreamReadable";
639 AsyncSocketAdapter::OnReadEvent(socket);
642 //LOG(LS_INFO) << " -- onStreamWriteable";
643 AsyncSocketAdapter::OnWriteEvent(socket);
647 OpenSSLAdapter::OnCloseEvent(AsyncSocket* socket, int err) {
648 LOG(LS_INFO) << "OpenSSLAdapter::OnCloseEvent(" << err << ")";
649 AsyncSocketAdapter::OnCloseEvent(socket, err);
652 // This code is taken from the "Network Security with OpenSSL"
653 // sample in chapter 5
655 bool OpenSSLAdapter::VerifyServerName(SSL* ssl, const char* host,
656 bool ignore_bad_cert) {
660 // Checking the return from SSL_get_peer_certificate here is not strictly
661 // necessary. With our setup, it is not possible for it to return
662 // NULL. However, it is good form to check the return.
663 X509* certificate = SSL_get_peer_certificate(ssl);
667 // Logging certificates is extremely verbose. So it is disabled by default.
668 #ifdef LOG_CERTIFICATES
670 LOG(LS_INFO) << "Certificate from server:";
671 BIO* mem = BIO_new(BIO_s_mem());
672 X509_print_ex(mem, certificate, XN_FLAG_SEP_CPLUS_SPC, X509_FLAG_NO_HEADER);
673 BIO_write(mem, "\0", 1);
675 BIO_get_mem_data(mem, &buffer);
676 LOG(LS_INFO) << buffer;
679 char* cipher_description =
680 SSL_CIPHER_description(SSL_get_current_cipher(ssl), NULL, 128);
681 LOG(LS_INFO) << "Cipher: " << cipher_description;
682 OPENSSL_free(cipher_description);
687 int extension_count = X509_get_ext_count(certificate);
688 for (int i = 0; i < extension_count; ++i) {
689 X509_EXTENSION* extension = X509_get_ext(certificate, i);
690 int extension_nid = OBJ_obj2nid(X509_EXTENSION_get_object(extension));
692 if (extension_nid == NID_subject_alt_name) {
693 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
694 const X509V3_EXT_METHOD* meth = X509V3_EXT_get(extension);
696 X509V3_EXT_METHOD* meth = X509V3_EXT_get(extension);
701 void* ext_str = NULL;
703 // We assign this to a local variable, instead of passing the address
704 // directly to ASN1_item_d2i.
705 // See http://readlist.com/lists/openssl.org/openssl-users/0/4761.html.
706 unsigned char* ext_value_data = extension->value->data;
708 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
709 const unsigned char **ext_value_data_ptr =
710 (const_cast<const unsigned char **>(&ext_value_data));
712 unsigned char **ext_value_data_ptr = &ext_value_data;
716 ext_str = ASN1_item_d2i(NULL, ext_value_data_ptr,
717 extension->value->length,
718 ASN1_ITEM_ptr(meth->it));
720 ext_str = meth->d2i(NULL, ext_value_data_ptr, extension->value->length);
723 STACK_OF(CONF_VALUE)* value = meth->i2v(meth, ext_str, NULL);
724 for (int j = 0; j < sk_CONF_VALUE_num(value); ++j) {
725 CONF_VALUE* nval = sk_CONF_VALUE_value(value, j);
726 // The value for nval can contain wildcards
727 if (!strcmp(nval->name, "DNS") && string_match(host, nval->value)) {
732 sk_CONF_VALUE_pop_free(value, X509V3_conf_free);
736 ASN1_item_free(reinterpret_cast<ASN1_VALUE*>(ext_str),
737 ASN1_ITEM_ptr(meth->it));
739 meth->ext_free(ext_str);
748 X509_name_st* subject;
750 && ((subject = X509_get_subject_name(certificate)) != NULL)
751 && (X509_NAME_get_text_by_NID(subject, NID_commonName,
752 data, sizeof(data)) > 0)) {
753 data[sizeof(data)-1] = 0;
754 if (_stricmp(data, host) == 0)
758 X509_free(certificate);
760 // This should only ever be turned on for debugging and development.
761 if (!ok && ignore_bad_cert) {
762 LOG(LS_WARNING) << "TLS certificate check FAILED. "
763 << "Allowing connection anyway.";
770 bool OpenSSLAdapter::SSLPostConnectionCheck(SSL* ssl, const char* host) {
771 bool ok = VerifyServerName(ssl, host, ignore_bad_cert());
774 ok = (SSL_get_verify_result(ssl) == X509_V_OK ||
775 custom_verification_succeeded_);
778 if (!ok && ignore_bad_cert()) {
779 LOG(LS_INFO) << "Other TLS post connection checks failed.";
788 // We only use this for tracing and so it is only needed in debug mode
791 OpenSSLAdapter::SSLInfoCallback(const SSL* s, int where, int ret) {
792 const char* str = "undefined";
793 int w = where & ~SSL_ST_MASK;
794 if (w & SSL_ST_CONNECT) {
796 } else if (w & SSL_ST_ACCEPT) {
799 if (where & SSL_CB_LOOP) {
800 LOG(LS_INFO) << str << ":" << SSL_state_string_long(s);
801 } else if (where & SSL_CB_ALERT) {
802 str = (where & SSL_CB_READ) ? "read" : "write";
803 LOG(LS_INFO) << "SSL3 alert " << str
804 << ":" << SSL_alert_type_string_long(ret)
805 << ":" << SSL_alert_desc_string_long(ret);
806 } else if (where & SSL_CB_EXIT) {
808 LOG(LS_INFO) << str << ":failed in " << SSL_state_string_long(s);
809 } else if (ret < 0) {
810 LOG(LS_INFO) << str << ":error in " << SSL_state_string_long(s);
818 OpenSSLAdapter::SSLVerifyCallback(int ok, X509_STORE_CTX* store) {
822 X509* cert = X509_STORE_CTX_get_current_cert(store);
823 int depth = X509_STORE_CTX_get_error_depth(store);
824 int err = X509_STORE_CTX_get_error(store);
826 LOG(LS_INFO) << "Error with certificate at depth: " << depth;
827 X509_NAME_oneline(X509_get_issuer_name(cert), data, sizeof(data));
828 LOG(LS_INFO) << " issuer = " << data;
829 X509_NAME_oneline(X509_get_subject_name(cert), data, sizeof(data));
830 LOG(LS_INFO) << " subject = " << data;
831 LOG(LS_INFO) << " err = " << err
832 << ":" << X509_verify_cert_error_string(err);
836 // Get our stream pointer from the store
837 SSL* ssl = reinterpret_cast<SSL*>(
838 X509_STORE_CTX_get_ex_data(store,
839 SSL_get_ex_data_X509_STORE_CTX_idx()));
841 OpenSSLAdapter* stream =
842 reinterpret_cast<OpenSSLAdapter*>(SSL_get_app_data(ssl));
844 if (!ok && custom_verify_callback_) {
846 reinterpret_cast<void*>(X509_STORE_CTX_get_current_cert(store));
847 if (custom_verify_callback_(cert)) {
848 stream->custom_verification_succeeded_ = true;
849 LOG(LS_INFO) << "validated certificate using custom callback";
854 // Should only be used for debugging and development.
855 if (!ok && stream->ignore_bad_cert()) {
856 LOG(LS_WARNING) << "Ignoring cert error while verifying cert chain";
863 bool OpenSSLAdapter::ConfigureTrustedRootCertificates(SSL_CTX* ctx) {
864 // Add the root cert that we care about to the SSL context
865 int count_of_added_certs = 0;
866 for (int i = 0; i < ARRAY_SIZE(kSSLCertCertificateList); i++) {
867 const unsigned char* cert_buffer = kSSLCertCertificateList[i];
868 size_t cert_buffer_len = kSSLCertCertificateSizeList[i];
869 X509* cert = d2i_X509(NULL, &cert_buffer, cert_buffer_len);
871 int return_value = X509_STORE_add_cert(SSL_CTX_get_cert_store(ctx), cert);
872 if (return_value == 0) {
873 LOG(LS_WARNING) << "Unable to add certificate.";
875 count_of_added_certs++;
880 return count_of_added_certs > 0;
884 OpenSSLAdapter::SetupSSLContext() {
885 SSL_CTX* ctx = SSL_CTX_new(TLSv1_client_method());
887 unsigned long error = ERR_get_error(); // NOLINT: type used by OpenSSL.
888 LOG(LS_WARNING) << "SSL_CTX creation failed: "
889 << '"' << ERR_reason_error_string(error) << "\" "
890 << "(error=" << error << ')';
893 if (!ConfigureTrustedRootCertificates(ctx)) {
899 SSL_CTX_set_info_callback(ctx, SSLInfoCallback);
902 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, SSLVerifyCallback);
903 SSL_CTX_set_verify_depth(ctx, 4);
904 SSL_CTX_set_cipher_list(ctx, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH");
909 } // namespace talk_base
911 #endif // HAVE_OPENSSL_SSL_H