3 * Copyright 2004--2008, Google Inc.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions are met:
8 * 1. Redistributions of source code must retain the above copyright notice,
9 * this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright notice,
11 * this list of conditions and the following disclaimer in the documentation
12 * and/or other materials provided with the distribution.
13 * 3. The name of the author may not be used to endorse or promote products
14 * derived from this software without specific prior written permission.
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
17 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
18 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
19 * EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
20 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
21 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
22 * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
23 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
24 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
25 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30 #endif // HAVE_CONFIG_H
32 #if HAVE_OPENSSL_SSL_H
34 #include "talk/base/opensslstreamadapter.h"
36 #include <openssl/bio.h>
37 #include <openssl/crypto.h>
38 #include <openssl/err.h>
39 #include <openssl/rand.h>
40 #include <openssl/ssl.h>
41 #include <openssl/x509v3.h>
45 #include "talk/base/common.h"
46 #include "talk/base/logging.h"
47 #include "talk/base/stream.h"
48 #include "talk/base/openssladapter.h"
49 #include "talk/base/openssldigest.h"
50 #include "talk/base/opensslidentity.h"
51 #include "talk/base/stringutils.h"
52 #include "talk/base/thread.h"
56 #if (OPENSSL_VERSION_NUMBER >= 0x10001000L)
57 #define HAVE_DTLS_SRTP
60 #if (OPENSSL_VERSION_NUMBER >= 0x10000000L)
65 // SRTP cipher suite table
66 struct SrtpCipherMapEntry {
67 const char* external_name;
68 const char* internal_name;
71 // This isn't elegant, but it's better than an external reference
72 static SrtpCipherMapEntry SrtpCipherMap[] = {
73 {"AES_CM_128_HMAC_SHA1_80", "SRTP_AES128_CM_SHA1_80"},
74 {"AES_CM_128_HMAC_SHA1_32", "SRTP_AES128_CM_SHA1_32"},
79 //////////////////////////////////////////////////////////////////////
81 //////////////////////////////////////////////////////////////////////
83 static int stream_write(BIO* h, const char* buf, int num);
84 static int stream_read(BIO* h, char* buf, int size);
85 static int stream_puts(BIO* h, const char* str);
86 static long stream_ctrl(BIO* h, int cmd, long arg1, void* arg2);
87 static int stream_new(BIO* h);
88 static int stream_free(BIO* data);
90 static BIO_METHOD methods_stream = {
103 static BIO_METHOD* BIO_s_stream() { return(&methods_stream); }
105 static BIO* BIO_new_stream(StreamInterface* stream) {
106 BIO* ret = BIO_new(BIO_s_stream());
113 // bio methods return 1 (or at least non-zero) on success and 0 on failure.
115 static int stream_new(BIO* b) {
118 b->num = 0; // 1 means end-of-stream
123 static int stream_free(BIO* b) {
129 static int stream_read(BIO* b, char* out, int outl) {
132 StreamInterface* stream = static_cast<StreamInterface*>(b->ptr);
133 BIO_clear_retry_flags(b);
136 StreamResult result = stream->Read(out, outl, &read, &error);
137 if (result == SR_SUCCESS) {
139 } else if (result == SR_EOS) {
141 } else if (result == SR_BLOCK) {
142 BIO_set_retry_read(b);
147 static int stream_write(BIO* b, const char* in, int inl) {
150 StreamInterface* stream = static_cast<StreamInterface*>(b->ptr);
151 BIO_clear_retry_flags(b);
154 StreamResult result = stream->Write(in, inl, &written, &error);
155 if (result == SR_SUCCESS) {
157 } else if (result == SR_BLOCK) {
158 BIO_set_retry_write(b);
163 static int stream_puts(BIO* b, const char* str) {
164 return stream_write(b, str, strlen(str));
167 static long stream_ctrl(BIO* b, int cmd, long num, void* ptr) {
176 case BIO_CTRL_WPENDING:
177 case BIO_CTRL_PENDING:
186 /////////////////////////////////////////////////////////////////////////////
187 // OpenSSLStreamAdapter
188 /////////////////////////////////////////////////////////////////////////////
190 OpenSSLStreamAdapter::OpenSSLStreamAdapter(StreamInterface* stream)
191 : SSLStreamAdapter(stream),
194 ssl_read_needs_write_(false), ssl_write_needs_read_(false),
195 ssl_(NULL), ssl_ctx_(NULL),
196 custom_verification_succeeded_(false),
197 ssl_mode_(SSL_MODE_TLS) {
200 OpenSSLStreamAdapter::~OpenSSLStreamAdapter() {
204 void OpenSSLStreamAdapter::SetIdentity(SSLIdentity* identity) {
206 identity_.reset(static_cast<OpenSSLIdentity*>(identity));
209 void OpenSSLStreamAdapter::SetServerRole(SSLRole role) {
213 void OpenSSLStreamAdapter::SetPeerCertificate(SSLCertificate* cert) {
214 ASSERT(!peer_certificate_);
215 ASSERT(peer_certificate_digest_algorithm_.empty());
216 ASSERT(ssl_server_name_.empty());
217 peer_certificate_.reset(static_cast<OpenSSLCertificate*>(cert));
220 bool OpenSSLStreamAdapter::GetPeerCertificate(SSLCertificate** cert) const {
221 if (!peer_certificate_)
224 *cert = peer_certificate_->GetReference();
228 bool OpenSSLStreamAdapter::SetPeerCertificateDigest(const std::string
233 ASSERT(!peer_certificate_);
234 ASSERT(peer_certificate_digest_algorithm_.size() == 0);
235 ASSERT(ssl_server_name_.empty());
238 if (!OpenSSLDigest::GetDigestSize(digest_alg, &expected_len)) {
239 LOG(LS_WARNING) << "Unknown digest algorithm: " << digest_alg;
242 if (expected_len != digest_len)
245 peer_certificate_digest_value_.SetData(digest_val, digest_len);
246 peer_certificate_digest_algorithm_ = digest_alg;
251 // Key Extractor interface
252 bool OpenSSLStreamAdapter::ExportKeyingMaterial(const std::string& label,
253 const uint8* context,
258 #ifdef HAVE_DTLS_SRTP
261 i = SSL_export_keying_material(ssl_, result, result_len,
262 label.c_str(), label.length(),
263 const_cast<uint8 *>(context),
264 context_len, use_context);
275 bool OpenSSLStreamAdapter::SetDtlsSrtpCiphers(
276 const std::vector<std::string>& ciphers) {
277 std::string internal_ciphers;
279 if (state_ != SSL_NONE)
282 #ifdef HAVE_DTLS_SRTP
283 for (std::vector<std::string>::const_iterator cipher = ciphers.begin();
284 cipher != ciphers.end(); ++cipher) {
286 for (SrtpCipherMapEntry *entry = SrtpCipherMap; entry->internal_name;
288 if (*cipher == entry->external_name) {
290 if (!internal_ciphers.empty())
291 internal_ciphers += ":";
292 internal_ciphers += entry->internal_name;
298 LOG(LS_ERROR) << "Could not find cipher: " << *cipher;
303 if (internal_ciphers.empty())
306 srtp_ciphers_ = internal_ciphers;
313 bool OpenSSLStreamAdapter::GetDtlsSrtpCipher(std::string* cipher) {
314 #ifdef HAVE_DTLS_SRTP
315 ASSERT(state_ == SSL_CONNECTED);
316 if (state_ != SSL_CONNECTED)
319 SRTP_PROTECTION_PROFILE *srtp_profile =
320 SSL_get_selected_srtp_profile(ssl_);
325 for (SrtpCipherMapEntry *entry = SrtpCipherMap;
326 entry->internal_name; ++entry) {
327 if (!strcmp(entry->internal_name, srtp_profile->name)) {
328 *cipher = entry->external_name;
333 ASSERT(false); // This should never happen
341 int OpenSSLStreamAdapter::StartSSLWithServer(const char* server_name) {
342 ASSERT(server_name != NULL && server_name[0] != '\0');
343 ssl_server_name_ = server_name;
347 int OpenSSLStreamAdapter::StartSSLWithPeer() {
348 ASSERT(ssl_server_name_.empty());
349 // It is permitted to specify peer_certificate_ only later.
353 void OpenSSLStreamAdapter::SetMode(SSLMode mode) {
354 ASSERT(state_ == SSL_NONE);
359 // StreamInterface Implementation
362 StreamResult OpenSSLStreamAdapter::Write(const void* data, size_t data_len,
363 size_t* written, int* error) {
364 LOG(LS_VERBOSE) << "OpenSSLStreamAdapter::Write(" << data_len << ")";
368 // pass-through in clear text
369 return StreamAdapterInterface::Write(data, data_len, written, error);
382 *error = ssl_error_code_;
386 // OpenSSL will return an error if we try to write zero bytes
393 ssl_write_needs_read_ = false;
395 int code = SSL_write(ssl_, data, data_len);
396 int ssl_error = SSL_get_error(ssl_, code);
399 LOG(LS_VERBOSE) << " -- success";
400 ASSERT(0 < code && static_cast<unsigned>(code) <= data_len);
404 case SSL_ERROR_WANT_READ:
405 LOG(LS_VERBOSE) << " -- error want read";
406 ssl_write_needs_read_ = true;
408 case SSL_ERROR_WANT_WRITE:
409 LOG(LS_VERBOSE) << " -- error want write";
412 case SSL_ERROR_ZERO_RETURN:
414 Error("SSL_write", (ssl_error ? ssl_error : -1), false);
416 *error = ssl_error_code_;
422 StreamResult OpenSSLStreamAdapter::Read(void* data, size_t data_len,
423 size_t* read, int* error) {
424 LOG(LS_VERBOSE) << "OpenSSLStreamAdapter::Read(" << data_len << ")";
427 // pass-through in clear text
428 return StreamAdapterInterface::Read(data, data_len, read, error);
443 *error = ssl_error_code_;
447 // Don't trust OpenSSL with zero byte reads
454 ssl_read_needs_write_ = false;
456 int code = SSL_read(ssl_, data, data_len);
457 int ssl_error = SSL_get_error(ssl_, code);
460 LOG(LS_VERBOSE) << " -- success";
461 ASSERT(0 < code && static_cast<unsigned>(code) <= data_len);
465 if (ssl_mode_ == SSL_MODE_DTLS) {
466 // Enforce atomic reads -- this is a short read
467 unsigned int pending = SSL_pending(ssl_);
470 LOG(LS_INFO) << " -- short DTLS read. flushing";
473 *error = SSE_MSG_TRUNC;
478 case SSL_ERROR_WANT_READ:
479 LOG(LS_VERBOSE) << " -- error want read";
481 case SSL_ERROR_WANT_WRITE:
482 LOG(LS_VERBOSE) << " -- error want write";
483 ssl_read_needs_write_ = true;
485 case SSL_ERROR_ZERO_RETURN:
486 LOG(LS_VERBOSE) << " -- remote side closed";
490 LOG(LS_VERBOSE) << " -- error " << code;
491 Error("SSL_read", (ssl_error ? ssl_error : -1), false);
493 *error = ssl_error_code_;
499 void OpenSSLStreamAdapter::FlushInput(unsigned int left) {
500 unsigned char buf[2048];
503 // This should always succeed
504 int toread = (sizeof(buf) < left) ? sizeof(buf) : left;
505 int code = SSL_read(ssl_, buf, toread);
507 int ssl_error = SSL_get_error(ssl_, code);
508 ASSERT(ssl_error == SSL_ERROR_NONE);
510 if (ssl_error != SSL_ERROR_NONE) {
511 LOG(LS_VERBOSE) << " -- error " << code;
512 Error("SSL_read", (ssl_error ? ssl_error : -1), false);
516 LOG(LS_VERBOSE) << " -- flushed " << code << " bytes";
521 void OpenSSLStreamAdapter::Close() {
523 ASSERT(state_ == SSL_CLOSED || state_ == SSL_ERROR);
524 StreamAdapterInterface::Close();
527 StreamState OpenSSLStreamAdapter::GetState() const {
540 void OpenSSLStreamAdapter::OnEvent(StreamInterface* stream, int events,
542 int events_to_signal = 0;
543 int signal_error = 0;
544 ASSERT(stream == this->stream());
545 if ((events & SE_OPEN)) {
546 LOG(LS_VERBOSE) << "OpenSSLStreamAdapter::OnEvent SE_OPEN";
547 if (state_ != SSL_WAIT) {
548 ASSERT(state_ == SSL_NONE);
549 events_to_signal |= SE_OPEN;
551 state_ = SSL_CONNECTING;
552 if (int err = BeginSSL()) {
553 Error("BeginSSL", err, true);
558 if ((events & (SE_READ|SE_WRITE))) {
559 LOG(LS_VERBOSE) << "OpenSSLStreamAdapter::OnEvent"
560 << ((events & SE_READ) ? " SE_READ" : "")
561 << ((events & SE_WRITE) ? " SE_WRITE" : "");
562 if (state_ == SSL_NONE) {
563 events_to_signal |= events & (SE_READ|SE_WRITE);
564 } else if (state_ == SSL_CONNECTING) {
565 if (int err = ContinueSSL()) {
566 Error("ContinueSSL", err, true);
569 } else if (state_ == SSL_CONNECTED) {
570 if (((events & SE_READ) && ssl_write_needs_read_) ||
571 (events & SE_WRITE)) {
572 LOG(LS_VERBOSE) << " -- onStreamWriteable";
573 events_to_signal |= SE_WRITE;
575 if (((events & SE_WRITE) && ssl_read_needs_write_) ||
576 (events & SE_READ)) {
577 LOG(LS_VERBOSE) << " -- onStreamReadable";
578 events_to_signal |= SE_READ;
582 if ((events & SE_CLOSE)) {
583 LOG(LS_VERBOSE) << "OpenSSLStreamAdapter::OnEvent(SE_CLOSE, " << err << ")";
585 events_to_signal |= SE_CLOSE;
586 // SE_CLOSE is the only event that uses the final parameter to OnEvent().
587 ASSERT(signal_error == 0);
590 if (events_to_signal)
591 StreamAdapterInterface::OnEvent(stream, events_to_signal, signal_error);
594 int OpenSSLStreamAdapter::StartSSL() {
595 ASSERT(state_ == SSL_NONE);
597 if (StreamAdapterInterface::GetState() != SS_OPEN) {
602 state_ = SSL_CONNECTING;
603 if (int err = BeginSSL()) {
604 Error("BeginSSL", err, false);
611 int OpenSSLStreamAdapter::BeginSSL() {
612 ASSERT(state_ == SSL_CONNECTING);
613 // The underlying stream has open. If we are in peer-to-peer mode
614 // then a peer certificate must have been specified by now.
615 ASSERT(!ssl_server_name_.empty() ||
617 !peer_certificate_digest_algorithm_.empty());
618 LOG(LS_INFO) << "BeginSSL: "
619 << (!ssl_server_name_.empty() ? ssl_server_name_ :
624 // First set up the context
625 ASSERT(ssl_ctx_ == NULL);
626 ssl_ctx_ = SetupSSLContext();
630 bio = BIO_new_stream(static_cast<StreamInterface*>(stream()));
634 ssl_ = SSL_new(ssl_ctx_);
640 SSL_set_app_data(ssl_, this);
642 SSL_set_bio(ssl_, bio, bio); // the SSL object owns the bio now.
644 SSL_set_mode(ssl_, SSL_MODE_ENABLE_PARTIAL_WRITE |
645 SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
648 return ContinueSSL();
651 int OpenSSLStreamAdapter::ContinueSSL() {
652 LOG(LS_VERBOSE) << "ContinueSSL";
653 ASSERT(state_ == SSL_CONNECTING);
655 // Clear the DTLS timer
656 Thread::Current()->Clear(this, MSG_TIMEOUT);
658 int code = (role_ == SSL_CLIENT) ? SSL_connect(ssl_) : SSL_accept(ssl_);
660 switch (ssl_error = SSL_get_error(ssl_, code)) {
662 LOG(LS_VERBOSE) << " -- success";
664 if (!SSLPostConnectionCheck(ssl_, ssl_server_name_.c_str(),
666 peer_certificate_->x509() : NULL,
667 peer_certificate_digest_algorithm_)) {
668 LOG(LS_ERROR) << "TLS post connection check failed";
672 state_ = SSL_CONNECTED;
673 StreamAdapterInterface::OnEvent(stream(), SE_OPEN|SE_READ|SE_WRITE, 0);
676 case SSL_ERROR_WANT_READ: {
677 LOG(LS_VERBOSE) << " -- error want read";
679 struct timeval timeout;
680 if (DTLSv1_get_timeout(ssl_, &timeout)) {
681 int delay = timeout.tv_sec * 1000 + timeout.tv_usec/1000;
683 Thread::Current()->PostDelayed(delay, this, MSG_TIMEOUT, 0);
689 case SSL_ERROR_WANT_WRITE:
690 LOG(LS_VERBOSE) << " -- error want write";
693 case SSL_ERROR_ZERO_RETURN:
695 LOG(LS_VERBOSE) << " -- error " << code;
696 return (ssl_error != 0) ? ssl_error : -1;
702 void OpenSSLStreamAdapter::Error(const char* context, int err, bool signal) {
703 LOG(LS_WARNING) << "OpenSSLStreamAdapter::Error("
704 << context << ", " << err << ")";
706 ssl_error_code_ = err;
709 StreamAdapterInterface::OnEvent(stream(), SE_CLOSE, err);
712 void OpenSSLStreamAdapter::Cleanup() {
713 LOG(LS_INFO) << "Cleanup";
715 if (state_ != SSL_ERROR) {
725 SSL_CTX_free(ssl_ctx_);
729 peer_certificate_.reset();
731 // Clear the DTLS timer
732 Thread::Current()->Clear(this, MSG_TIMEOUT);
736 void OpenSSLStreamAdapter::OnMessage(Message* msg) {
737 // Process our own messages and then pass others to the superclass
738 if (MSG_TIMEOUT == msg->message_id) {
739 LOG(LS_INFO) << "DTLS timeout expired";
741 DTLSv1_handle_timeout(ssl_);
745 StreamInterface::OnMessage(msg);
749 SSL_CTX* OpenSSLStreamAdapter::SetupSSLContext() {
752 if (role_ == SSL_CLIENT) {
754 ctx = SSL_CTX_new(ssl_mode_ == SSL_MODE_DTLS ?
755 DTLSv1_client_method() : TLSv1_client_method());
757 ctx = SSL_CTX_new(TLSv1_client_method());
761 ctx = SSL_CTX_new(ssl_mode_ == SSL_MODE_DTLS ?
762 DTLSv1_server_method() : TLSv1_server_method());
764 ctx = SSL_CTX_new(TLSv1_server_method());
770 if (identity_ && !identity_->ConfigureIdentity(ctx)) {
775 if (!peer_certificate_) { // traditional mode
776 // Add the root cert to the SSL context
777 if (!OpenSSLAdapter::ConfigureTrustedRootCertificates(ctx)) {
783 if (peer_certificate_ && role_ == SSL_SERVER)
784 // we must specify which client cert to ask for
785 SSL_CTX_add_client_CA(ctx, peer_certificate_->x509());
788 SSL_CTX_set_info_callback(ctx, OpenSSLAdapter::SSLInfoCallback);
791 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER |SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
793 SSL_CTX_set_verify_depth(ctx, 4);
794 SSL_CTX_set_cipher_list(ctx, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH");
796 #ifdef HAVE_DTLS_SRTP
797 if (!srtp_ciphers_.empty()) {
798 if (SSL_CTX_set_tlsext_use_srtp(ctx, srtp_ciphers_.c_str())) {
808 int OpenSSLStreamAdapter::SSLVerifyCallback(int ok, X509_STORE_CTX* store) {
812 X509* cert = X509_STORE_CTX_get_current_cert(store);
813 int depth = X509_STORE_CTX_get_error_depth(store);
814 int err = X509_STORE_CTX_get_error(store);
816 LOG(LS_INFO) << "Error with certificate at depth: " << depth;
817 X509_NAME_oneline(X509_get_issuer_name(cert), data, sizeof(data));
818 LOG(LS_INFO) << " issuer = " << data;
819 X509_NAME_oneline(X509_get_subject_name(cert), data, sizeof(data));
820 LOG(LS_INFO) << " subject = " << data;
821 LOG(LS_INFO) << " err = " << err
822 << ":" << X509_verify_cert_error_string(err);
826 // Get our SSL structure from the store
827 SSL* ssl = reinterpret_cast<SSL*>(X509_STORE_CTX_get_ex_data(
829 SSL_get_ex_data_X509_STORE_CTX_idx()));
831 OpenSSLStreamAdapter* stream =
832 reinterpret_cast<OpenSSLStreamAdapter*>(SSL_get_app_data(ssl));
834 // In peer-to-peer mode, no root cert / certificate authority was
835 // specified, so the libraries knows of no certificate to accept,
836 // and therefore it will necessarily call here on the first cert it
838 if (!ok && stream->peer_certificate_) {
839 X509* cert = X509_STORE_CTX_get_current_cert(store);
840 int err = X509_STORE_CTX_get_error(store);
841 // peer-to-peer mode: allow the certificate to be self-signed,
842 // assuming it matches the cert that was specified.
843 if (err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT &&
844 X509_cmp(cert, stream->peer_certificate_->x509()) == 0) {
845 LOG(LS_INFO) << "Accepted self-signed peer certificate authority";
848 } else if (!ok && !stream->peer_certificate_digest_algorithm_.empty()) {
849 X509* cert = X509_STORE_CTX_get_current_cert(store);
850 int err = X509_STORE_CTX_get_error(store);
852 // peer-to-peer mode: allow the certificate to be self-signed,
853 // assuming it matches the digest that was specified.
854 if (err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) {
855 unsigned char digest[EVP_MAX_MD_SIZE];
856 std::size_t digest_length;
858 if (OpenSSLCertificate::
860 stream->peer_certificate_digest_algorithm_,
861 digest, sizeof(digest),
863 Buffer computed_digest(digest, digest_length);
864 if (computed_digest == stream->peer_certificate_digest_value_) {
866 "Accepted self-signed peer certificate authority";
869 // Record the peer's certificate.
870 stream->peer_certificate_.reset(new OpenSSLCertificate(cert));
874 } else if (!ok && OpenSSLAdapter::custom_verify_callback_) {
875 // this applies only in traditional mode
877 reinterpret_cast<void*>(X509_STORE_CTX_get_current_cert(store));
878 if (OpenSSLAdapter::custom_verify_callback_(cert)) {
879 stream->custom_verification_succeeded_ = true;
880 LOG(LS_INFO) << "validated certificate using custom callback";
885 if (!ok && stream->ignore_bad_cert()) {
886 LOG(LS_WARNING) << "Ignoring cert error while verifying cert chain";
893 // This code is taken from the "Network Security with OpenSSL"
894 // sample in chapter 5
895 bool OpenSSLStreamAdapter::SSLPostConnectionCheck(SSL* ssl,
896 const char* server_name,
897 const X509* peer_cert,
900 ASSERT(server_name != NULL);
902 if (server_name[0] != '\0') { // traditional mode
903 ok = OpenSSLAdapter::VerifyServerName(ssl, server_name, ignore_bad_cert());
906 ok = (SSL_get_verify_result(ssl) == X509_V_OK ||
907 custom_verification_succeeded_);
909 } else { // peer-to-peer mode
910 ASSERT((peer_cert != NULL) || (!peer_digest.empty()));
911 // no server name validation
915 if (!ok && ignore_bad_cert()) {
916 LOG(LS_ERROR) << "SSL_get_verify_result(ssl) = "
917 << SSL_get_verify_result(ssl);
918 LOG(LS_INFO) << "Other TLS post connection checks failed.";
925 bool OpenSSLStreamAdapter::HaveDtls() {
933 bool OpenSSLStreamAdapter::HaveDtlsSrtp() {
934 #ifdef HAVE_DTLS_SRTP
941 bool OpenSSLStreamAdapter::HaveExporter() {
942 #ifdef HAVE_DTLS_SRTP
949 } // namespace talk_base
951 #endif // HAVE_OPENSSL_SSL_H