#include <XrdTlsContext.hh>
|
static const int | DEFAULT_CRL_REF_INT_SEC = 8 * 60 * 60 |
| Default CRL refresh interval in seconds.
|
|
static const int | scNone = 0x00000000 |
| Do not change any option settings.
|
|
static const int | scOff = 0x00010000 |
| Turn off cache.
|
|
static const int | scSrvr = 0x00020000 |
| Turn on cache server mode (default)
|
|
static const int | scClnt = 0x00040000 |
| Turn on cache client mode.
|
|
static const int | scKeep = 0x40000000 |
| Info: TLS-controlled flush disabled.
|
|
static const int | scIdErr = 0x80000000 |
| Info: Id not set; it is too long.
|
|
static const int | scFMax = 0x00007fff |
|
static const uint64_t | hsto = 0x00000000000000ff |
| Mask to isolate the hsto.
|
|
static const uint64_t | vdept = 0x000000000000ff00 |
| Mask to isolate vdept.
|
|
static const int | vdepS = 8 |
| Bits to shift vdept.
|
|
static const uint64_t | logVF = 0x0000000800000000 |
| Log verify failures.
|
|
static const uint64_t | servr = 0x0000000400000000 |
| This is a server context.
|
|
static const uint64_t | dnsok = 0x0000000200000000 |
| Trust DNS for host name.
|
|
static const uint64_t | nopxy = 0x0000000100000000 |
| Do not allow proxy certs.
|
|
static const uint64_t | rfCRL = 0x0000004000000000 |
| Turn on the CRL refresh thread.
|
|
static const uint64_t | crlON = 0x0000008000000000 |
| Enables crl checking.
|
|
static const uint64_t | crlFC = 0x000000C000000000 |
| Full crl chain checking.
|
|
static const uint64_t | crlRF = 0x00000000ffff0000 |
| Mask to isolate crl refresh in min.
|
|
static const int | crlRS = 16 |
| Bits to shift crlRF (the crl refresh mask).
|
|
static const uint64_t | artON = 0x0000002000000000 |
| Auto retry Handshake.
|
|
|
XrdTlsContextImpl * | pImpl |
|
◆ XrdTlsContext() [1/3]
XrdTlsContext::XrdTlsContext |
( |
const char * |
cert = 0 , |
|
|
const char * |
key = 0 , |
|
|
const char * |
cadir = 0 , |
|
|
const char * |
cafile = 0 , |
|
|
uint64_t |
opts = 0 , |
|
|
std::string * |
eMsg = 0 |
|
) |
| |
◆ ~XrdTlsContext()
XrdTlsContext::~XrdTlsContext |
( |
| ) |
|
◆ XrdTlsContext() [2/3]
Disallow any copies of this object.
◆ XrdTlsContext() [3/3]
◆ Clone()
XrdTlsContext * XrdTlsContext::Clone |
( |
bool |
full = true , |
|
|
bool |
startCRLRefresh = false |
|
) |
| |
Clone a new context from this context.
- Parameters
-
full | When true the complete context is cloned. When false, a context with no peer verification is cloned. |
- Returns
- Upon success, the pointer to a new XrdTlsContext is returned. Upon failure, a nil pointer is returned.
- Note
- The cloned context is identical to the one created by the original constructor. Note that while the crl refresh interval is set, the refresh thread needs to be started by calling crlRefresh(). Also, the session cache is set to off with no identifier.
◆ Context()
void * XrdTlsContext::Context |
( |
| ) |
|
Get the underlying context (should not be used).
- Returns
- Pointer to the underlying context.
◆ GetParams()
◆ Init()
static const char * XrdTlsContext::Init |
( |
| ) |
|
|
static |
Simply initialize the TLS library.
- Returns
- =0: the library was initialized. !0: the library was not initialized; the returned string indicates why.
- Note
- Init() is implicitly called by the constructor. Use this method to initialize the TLS libraries without instantiating a context.
◆ isOK()
bool XrdTlsContext::isOK |
( |
| ) |
|
Determine if this object was correctly built.
- Returns
- True if this object is usable and false otherwise.
◆ newHostCertificateDetected()
bool XrdTlsContext::newHostCertificateDetected |
( |
| ) |
|
◆ operator=() [1/2]
◆ operator=() [2/2]
◆ Session()
void * XrdTlsContext::Session |
( |
| ) |
|
Apply this context to obtain a new SSL session.
- Returns
- A pointer to a new SSL session if successful and nil otherwise.
◆ SessionCache()
int XrdTlsContext::SessionCache |
( |
int |
opts = scNone , |
|
|
const char * |
id = 0 , |
|
|
int |
idlen = 0 |
|
) |
| |
◆ SetContextCiphers()
bool XrdTlsContext::SetContextCiphers |
( |
const char * |
ciphers | ) |
|
Set allowed ciphers for this context.
- Parameters
-
ciphers | The colon separated list of allowable ciphers. |
- Returns
- True if at least one cipher can be used; false otherwise. When false is returned, this context is no longer usable.
◆ SetCrlRefresh()
bool XrdTlsContext::SetCrlRefresh |
( |
int |
refsec = -1 | ) |
|
Set CRL refresh time. By default, CRL's are not refreshed.
- Parameters
-
refsec | >0: The number of seconds between refreshes. A value less than 60 sets it to 60. =0: Stops automatic refreshing. <0: Starts automatic refreshing with the current setting if it has not already been started. |
- Returns
- True if the CRL refresh thread was started; false otherwise.
◆ SetDefaultCiphers()
static void XrdTlsContext::SetDefaultCiphers |
( |
const char * |
ciphers | ) |
|
|
static |
Set allowed default ciphers.
- Parameters
-
ciphers | The colon separated list of allowable ciphers. |
◆ x509Verify()
bool XrdTlsContext::x509Verify |
( |
| ) |
|
Check if certificates are being verified.
- Returns
- True if certificates are being verified, false otherwise.
◆ artON
const uint64_t XrdTlsContext::artON = 0x0000002000000000 |
|
static |
◆ crlFC
const uint64_t XrdTlsContext::crlFC = 0x000000C000000000 |
|
static |
◆ crlON
const uint64_t XrdTlsContext::crlON = 0x0000008000000000 |
|
static |
◆ crlRF
const uint64_t XrdTlsContext::crlRF = 0x00000000ffff0000 |
|
static |
Mask to isolate crl refresh in min.
◆ crlRS
const int XrdTlsContext::crlRS = 16 |
|
static |
◆ DEFAULT_CRL_REF_INT_SEC
const int XrdTlsContext::DEFAULT_CRL_REF_INT_SEC = 8 * 60 * 60 |
|
static |
Default CRL refresh interval in seconds.
◆ dnsok
const uint64_t XrdTlsContext::dnsok = 0x0000000200000000 |
|
static |
◆ hsto
const uint64_t XrdTlsContext::hsto = 0x00000000000000ff |
|
static |
Mask to isolate the hsto.
Constructor. Note that you should use isOK() to determine if construction was successful. A false return indicates failure.
- Parameters
-
cert | Pointer to the certificate file to be used. If nil, a generic context is created for client use. |
key | Pointer to the private key file to be used. It must correspond to the certificate file. If nil, it is assumed that the key is contained in the cert file. |
cadir | path to the directory containing the CA certificates. |
cafile | path to the file containing the CA certificates. |
opts | Processing options (or'd bitwise): artON - Auto retry handshakes (i.e. block on handshake); crlON - Perform crl check on the leaf node; crlFC - Apply crl check to the full chain; crlRF - Initial crl refresh interval in minutes; dnsok - Trust DNS when verifying the hostname; hsto - The handshake timeout value in seconds; logVF - Turn on verification failure logging; nopxy - Do not allow proxy certs (normally allowed); servr - This is a server-side context and x509 peer certificate validation may be turned off; vdept - The maximum depth of the certificate chain that must be validated (max is 255). |
eMsg | If non-zero, the reason for the failure is returned. |
- Note
- a) If neither cadir nor cafile is specified, certificate validation is not performed if and only if the servr option is specified. Otherwise, the cadir value is obtained from the X509_CERT_DIR envar and the cafile value is obtained from the X509_CERT_File envar. If both are nil, context creation fails.
b) Additionally, for client-side constructions, if cert or key is not specified their locations come from X509_USER_PROXY and X509_USER_KEY. These may be nil, in which case a generic context is created with a local key-pair and no certificate.
c) You should immediately call isOK() after instantiating this object. A return value of false means that construction failed.
d) Failure messages are routed to the message callback function during construction.
e) While the crl refresh interval is set, you must engage it by calling crlRefresh() so as to avoid unnecessary refresh threads.
◆ logVF
const uint64_t XrdTlsContext::logVF = 0x0000000800000000 |
|
static |
◆ nopxy
const uint64_t XrdTlsContext::nopxy = 0x0000000100000000 |
|
static |
Do not allow proxy certs.
◆ pImpl
XrdTlsContextImpl* XrdTlsContext::pImpl |
|
private |
◆ rfCRL
const uint64_t XrdTlsContext::rfCRL = 0x0000004000000000 |
|
static |
Turn on the CRL refresh thread.
◆ scClnt
const int XrdTlsContext::scClnt = 0x00040000 |
|
static |
Turn on cache client mode.
◆ scFMax
const int XrdTlsContext::scFMax = 0x00007fff |
|
static |
Maximum flush interval in seconds. When 0, the current setting is kept.
◆ scIdErr
const int XrdTlsContext::scIdErr = 0x80000000 |
|
static |
Info: Id not set; it is too long.
◆ scKeep
const int XrdTlsContext::scKeep = 0x40000000 |
|
static |
Info: TLS-controlled flush disabled.
◆ scNone
const int XrdTlsContext::scNone = 0x00000000 |
|
static |
Do not change any option settings.
Get or set session cache parameters for generated sessions.
- Parameters
-
opts | One or more bit or'd options (see below). |
id | The identifier to be used (may be nil to keep setting). |
idlen | The length of the identifier (may be zero as above). |
- Returns
- The cache settings prior to any changes are returned. When setting the id, scIdErr may be returned if the name is too long. If the context has been properly initialized, zero is returned. By default, the session cache is disabled, as it is impossible to verify a peer certificate chain when a cached session is reused.
◆ scOff
const int XrdTlsContext::scOff = 0x00010000 |
|
static |
◆ scSrvr
const int XrdTlsContext::scSrvr = 0x00020000 |
|
static |
Turn on cache server mode (default)
◆ servr
const uint64_t XrdTlsContext::servr = 0x0000000400000000 |
|
static |
This is a server context.
◆ vdepS
const int XrdTlsContext::vdepS = 8 |
|
static |
◆ vdept
const uint64_t XrdTlsContext::vdept = 0x000000000000ff00 |
|
static |