aboutsummaryrefslogtreecommitdiffhomepage
path: root/src/core/tsi/ssl_transport_security.cc
diff options
context:
space:
mode:
Diffstat (limited to 'src/core/tsi/ssl_transport_security.cc')
-rw-r--r--src/core/tsi/ssl_transport_security.cc59
1 files changed, 35 insertions, 24 deletions
diff --git a/src/core/tsi/ssl_transport_security.cc b/src/core/tsi/ssl_transport_security.cc
index d6a72ada0d..fb6ea19210 100644
--- a/src/core/tsi/ssl_transport_security.cc
+++ b/src/core/tsi/ssl_transport_security.cc
@@ -156,9 +156,13 @@ static unsigned long openssl_thread_id_cb(void) {
#endif
static void init_openssl(void) {
+#if OPENSSL_API_COMPAT >= 0x10100000L
+ OPENSSL_init_ssl(0, NULL);
+#else
SSL_library_init();
SSL_load_error_strings();
OpenSSL_add_all_algorithms();
+#endif
#if OPENSSL_VERSION_NUMBER < 0x10100000
if (!CRYPTO_get_locking_callback()) {
int num_locks = CRYPTO_num_locks();
@@ -1649,7 +1653,11 @@ tsi_result tsi_create_ssl_client_handshaker_factory_with_options(
return TSI_INVALID_ARGUMENT;
}
+#if defined(OPENSSL_NO_TLS1_2_METHOD) || OPENSSL_API_COMPAT >= 0x10100000L
+ ssl_context = SSL_CTX_new(TLS_method());
+#else
ssl_context = SSL_CTX_new(TLSv1_2_method());
+#endif
if (ssl_context == nullptr) {
gpr_log(GPR_ERROR, "Could not create ssl context.");
return TSI_INVALID_ARGUMENT;
@@ -1806,7 +1814,11 @@ tsi_result tsi_create_ssl_server_handshaker_factory_with_options(
for (i = 0; i < options->num_key_cert_pairs; i++) {
do {
+#if defined(OPENSSL_NO_TLS1_2_METHOD) || OPENSSL_API_COMPAT >= 0x10100000L
+ impl->ssl_contexts[i] = SSL_CTX_new(TLS_method());
+#else
impl->ssl_contexts[i] = SSL_CTX_new(TLSv1_2_method());
+#endif
if (impl->ssl_contexts[i] == nullptr) {
gpr_log(GPR_ERROR, "Could not create ssl context.");
result = TSI_OUT_OF_RESOURCES;
@@ -1850,31 +1862,30 @@ tsi_result tsi_create_ssl_server_handshaker_factory_with_options(
break;
}
SSL_CTX_set_client_CA_list(impl->ssl_contexts[i], root_names);
- switch (options->client_certificate_request) {
- case TSI_DONT_REQUEST_CLIENT_CERTIFICATE:
- SSL_CTX_set_verify(impl->ssl_contexts[i], SSL_VERIFY_NONE, nullptr);
- break;
- case TSI_REQUEST_CLIENT_CERTIFICATE_BUT_DONT_VERIFY:
- SSL_CTX_set_verify(impl->ssl_contexts[i], SSL_VERIFY_PEER,
- NullVerifyCallback);
- break;
- case TSI_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY:
- SSL_CTX_set_verify(impl->ssl_contexts[i], SSL_VERIFY_PEER, nullptr);
- break;
- case TSI_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_BUT_DONT_VERIFY:
- SSL_CTX_set_verify(
- impl->ssl_contexts[i],
- SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
- NullVerifyCallback);
- break;
- case TSI_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY:
- SSL_CTX_set_verify(
- impl->ssl_contexts[i],
- SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr);
- break;
- }
- /* TODO(jboeuf): Add revocation verification. */
}
+ switch (options->client_certificate_request) {
+ case TSI_DONT_REQUEST_CLIENT_CERTIFICATE:
+ SSL_CTX_set_verify(impl->ssl_contexts[i], SSL_VERIFY_NONE, nullptr);
+ break;
+ case TSI_REQUEST_CLIENT_CERTIFICATE_BUT_DONT_VERIFY:
+ SSL_CTX_set_verify(impl->ssl_contexts[i], SSL_VERIFY_PEER,
+ NullVerifyCallback);
+ break;
+ case TSI_REQUEST_CLIENT_CERTIFICATE_AND_VERIFY:
+ SSL_CTX_set_verify(impl->ssl_contexts[i], SSL_VERIFY_PEER, nullptr);
+ break;
+ case TSI_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_BUT_DONT_VERIFY:
+ SSL_CTX_set_verify(impl->ssl_contexts[i],
+ SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
+ NullVerifyCallback);
+ break;
+ case TSI_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY:
+ SSL_CTX_set_verify(impl->ssl_contexts[i],
+ SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
+ nullptr);
+ break;
+ }
+ /* TODO(jboeuf): Add revocation verification. */
result = extract_x509_subject_names_from_pem_cert(
options->pem_key_cert_pairs[i].cert_chain,
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-08 17:12:53 +0000