Skip to content
Projects
Groups
Snippets
Help
Loading...
Sign in / Register
Toggle navigation
B
brpc
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Packages
Packages
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
submodule
brpc
Commits
0ded6d86
Commit
0ded6d86
authored
Sep 07, 2018
by
gejun
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Rename ssl_option.h/cpp to ssl_options.h/cpp
parent
70fd5053
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
195 additions
and
0 deletions
+195
-0
ssl_options.cpp
src/brpc/ssl_options.cpp
+37
-0
ssl_options.h
src/brpc/ssl_options.h
+158
-0
No files found.
src/brpc/ssl_options.cpp
0 → 100644
View file @
0ded6d86
// Copyright (c) 2014 baidu-rpc authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// Authors: Rujie Jiang (jiangrujie@baidu.com)
#include "brpc/ssl_options.h"
namespace
brpc
{
VerifyOptions
::
VerifyOptions
()
:
verify_depth
(
0
)
{}
ChannelSSLOptions
::
ChannelSSLOptions
()
:
ciphers
(
"DEFAULT"
)
,
protocols
(
"TLSv1, TLSv1.1, TLSv1.2"
)
{}
ServerSSLOptions
::
ServerSSLOptions
()
:
strict_sni
(
false
)
,
disable_ssl3
(
true
)
,
release_buffer
(
false
)
,
session_lifetime_s
(
300
)
,
session_cache_size
(
20480
)
,
ecdhe_curve_name
(
"prime256v1"
)
{}
}
// namespace brpc
src/brpc/ssl_options.h
0 → 100644
View file @
0ded6d86
// Copyright (c) 2014 baidu-rpc authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// Authors: Rujie Jiang (jiangrujie@baidu.com)
#ifndef BRPC_SSL_OPTION_H
#define BRPC_SSL_OPTION_H
#include <string>
#include <vector>
namespace
brpc
{
struct
CertInfo
{
// Certificate in PEM format.
// Note that CN and alt subjects will be extracted from the certificate,
// and will be used as hostnames. Requests to this hostname (provided SNI
// extension supported) will be encrypted using this certifcate.
// Supported both file path and raw string
std
::
string
certificate
;
// Private key in PEM format.
// Supported both file path and raw string based on prefix:
std
::
string
private_key
;
// Additional hostnames besides those inside the certificate. Wildcards
// are supported but it can only appear once at the beginning (i.e. *.xxx.com).
std
::
vector
<
std
::
string
>
sni_filters
;
};
struct
VerifyOptions
{
// Constructed with default options
VerifyOptions
();
// Set the maximum depth of the certificate chain for verification
// If 0, turn off the verification
// Default: 0
int
verify_depth
;
// Set the trusted CA file to verify the peer's certificate
// If empty, use the system default CA files
// Default: ""
std
::
string
ca_file_path
;
};
// SSL options at client side
struct
ChannelSSLOptions
{
// Constructed with default options
ChannelSSLOptions
();
// Cipher suites used for SSL handshake.
// The format of this string should follow that in `man 1 cipers'.
// Default: "DEFAULT"
std
::
string
ciphers
;
// SSL protocols used for SSL handshake, separated by comma.
// Available protocols: SSLv3, TLSv1, TLSv1.1, TLSv1.2
// Default: TLSv1, TLSv1.1, TLSv1.2
std
::
string
protocols
;
// When set, fill this into the SNI extension field during handshake,
// which can be used by the server to locate the right certificate.
// Default: empty
std
::
string
sni_name
;
// Certificate used for client authentication
// Default: empty
CertInfo
client_cert
;
// Options used to verify the server's certificate
// Default: see above
VerifyOptions
verify
;
// TODO: Support CRL
};
// SSL options at server side
struct
ServerSSLOptions
{
// Constructed with default options
ServerSSLOptions
();
// Default certificate which will be loaded into server. Requests
// without hostname or whose hostname doesn't have a corresponding
// certificate will use this certificate. MUST be set to enable SSL.
CertInfo
default_cert
;
// Additional certificates which will be loaded into server. These
// provide extra bindings between hostnames and certificates so that
// we can choose different certificates according to different hostnames.
// See `CertInfo' for detail.
std
::
vector
<
CertInfo
>
certs
;
// When set, requests without hostname or whose hostname can't be found in
// any of the cerficates above will be dropped. Otherwise, `default_cert'
// will be used.
// Default: false
bool
strict_sni
;
// When set, SSLv3 requests will be dropped. Strongly recommended since
// SSLv3 has been found suffering from severe security problems. Note that
// some old versions of browsers may use SSLv3 by default such as IE6.0
// Default: true
bool
disable_ssl3
;
// Flag for SSL_MODE_RELEASE_BUFFERS. When set, release read/write buffers
// when SSL connection is idle, which saves 34KB memory per connection.
// On the other hand, it introduces additional latency and reduces throughput
// Default: false
bool
release_buffer
;
// Maximum lifetime for a session to be cached inside OpenSSL in seconds.
// A session can be reused (initiated by client) to save handshake before
// it reaches this timeout.
// Default: 300
int
session_lifetime_s
;
// Maximum number of cached sessions. When cache is full, no more new
// session will be added into the cache until SSL_CTX_flush_sessions is
// called (automatically by SSL_read/write). A special value is 0, which
// means no limit.
// Default: 20480
int
session_cache_size
;
// Cipher suites allowed for each SSL handshake. The format of this string
// should follow that in `man 1 cipers'. If empty, OpenSSL will choose
// a default cipher based on the certificate information
// Default: ""
std
::
string
ciphers
;
// Name of the elliptic curve used to generate ECDH ephemerial keys
// Default: prime256v1
std
::
string
ecdhe_curve_name
;
// Options used to verify the client's certificate
// Default: see above
VerifyOptions
verify
;
// TODO: Support NPN & ALPN
// TODO: Support OSCP stapling
};
// Legacy name defined in server.h
typedef
ServerSSLOptions
SSLOptions
;
}
// namespace brpc
#endif // BRPC_SSL_OPTION_H
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment
