Rudiments
#include <tls.h>
Inherits securitycontext.
The tlscontext class implements the securitycontext interface for TLS/SSL.
tlscontext::tlscontext()
Creates a new instance of the tlscontext class.
virtual tlscontext::~tlscontext()
Deletes this instance of the tlscontext class.
bool tlscontext::accept()
Accepts a security context from the client with whom a connection is already established across the file descriptor previously set using setFileDescriptor().
Note that if this instance is set as the current security context of a child of the socketserver class, then this method is called implicitly during a successful call to accept().
Returns true on success and false on failure. A false return means no security context was established, so no application data should be exchanged over the file descriptor in that state; getError() identifies the reason.
bool tlscontext::close()
bool tlscontext::connect()
Initiates a security context with the server with whom a connection is already established across the file descriptor previously set using setFileDescriptor().
Note that if this instance is set as the current security context of a child of the socketclient class, then this method is called implicitly during a successful call to connect().
Returns true on success and false on failure. A false return means no security context was established, so no application data should be exchanged over the file descriptor in that state; getError() identifies the reason.
int32_t tlscontext::getError()
Returns the error code of the most recently failed call.
Returns the error string of the most recently failed call.
virtual int32_t tlscontext::getFileDescriptor()
Returns the file descriptor that will be used to communicate with the peer during the next call to connect() or accept().
Implements socketlayer.
tlscertificate *tlscontext::getPeerCertificate()
size_t tlscontext::getPendingSize()
Returns the number of bytes that are buffered and available for immediate read.
size_t tlscontext::getSizeMax()
bool tlscontext::getValidatePeer()
uint16_t tlscontext::getValidationDepth()
ssize_t tlscontext::read(void *buf, ssize_t size)
Reads from the file descriptor previously configured by setFileDescriptor() into "buf" until "size" bytes have been read. Returns the number of bytes that were written to "buf" or RESULT_ERROR if an error occurred. Note that the call does not return early with fewer bytes, so "size" should be the number of bytes actually expected; getPendingSize() reports how many bytes are already buffered.
void tlscontext::setCertificateAuthority(const char *ca)
Sets the location of the certificate store that contains the certificate of the certificate authority (CA cert) to use when validating the peer's certificate during the next call to connect() or accept().
If "ca" is NULL or empty then no validation of the peer certificate will occur during the next call to connect() or accept(). In that configuration any certificate the peer presents is accepted, including one presented by a party interposed on the connection, so the peer is encrypted-to but not authenticated; reserve it for test setups.
Otherwise...
On non-Windows systems, "ca" can be either a file name or a directory name. If it is a file name, then only that file will be used, though the file may contain multiple CA certs. If it is a directory name, then all certificate store files found in that directory will be used.
On Windows platforms, "ca" may refer to a file or to a Windows Certificate Store. If it is a file name, then only that file will be used, though the file may contain multiple CA certs. If it is a Windows Certificate Store, then all certificates in the store will be used.
Note that the supported file formats may vary between platforms. A variety of formats are generally supported on Linux and Unix platforms (.pem, .pfx, etc.) but only .pfx files are currently supported on Windows.
To specify a Windows Certificate Store, "ca" must be specified in one of the following formats:
    location:store
    store
The "location" parameter identifies the certificate store location, and must be one of the following:
    CURRENT_USER
    LOCAL_MACHINE
    CURRENT_SERVICE
    SERVICES
    USERS
    CURRENT_USER_GROUP_POLICY
    LOCAL_MACHINE_GROUP_POLICY
    LOCAL_MACHINE_ENTERPRISE
If "location" is omitted then it defaults to CURRENT_USER.
The "store" parameter identifies the certificate store, and must be one of the following:
    MY
    Root
    Trust
    CA
If "store" is omitted then it defaults to MY.
void tlscontext::setCertificateChainFile(const char *filename)
Sets the location of the certificate chain file to use during the next call to connect() or accept().
If "filename" is NULL or empty then no certificate will be sent to the peer.
Otherwise...
On non-Windows platforms, "filename" must refer to an actual file. On Windows platforms, it may refer to an actual file or to a certificate found in a Windows Certificate Store.
Actual files must contain the client's certificate and the chain of signing certificates, terminating in a certificate for a root certificate authority. On Windows platforms, the file must also contain the client's private key. On non-Windows platforms, the private key may be stored in a separate file, specified by setPrivateKeyFile().
Note that the supported file formats may vary between platforms. A variety of formats are generally supported on Linux and Unix platforms (.pem, .pfx, etc.) but only .pfx files are currently supported on Windows.
Certificates in a Windows Certificate Store must have an associated private key and associated chain of signing certificates, terminating in a certificate for a root certificate authority.
To specify an entry in a Windows Certificate Store, "filename" must be specified in one of the following formats:
    location:store:subject
    store:subject
    subject
The "location" parameter identifies the certificate store location, and must be one of the following:
    CURRENT_USER
    LOCAL_MACHINE
    CURRENT_SERVICE
    SERVICES
    USERS
    CURRENT_USER_GROUP_POLICY
    LOCAL_MACHINE_GROUP_POLICY
    LOCAL_MACHINE_ENTERPRISE
If "location" is omitted then it defaults to CURRENT_USER.
The "store" parameter identifies the certificate store, and must be one of the following:
    MY
    Root
    Trust
    CA
If "store" is omitted then it defaults to MY.
The "subject" parameter identifies the certificate. The first certificate in the specified location/store whose Subject contains "subject" (case-insensitive) will be used. Note that the order of the certificates in the store is not guaranteed, so "subject" should contain enough information to uniquely identify a certificate; a loose match such as a bare organization name can silently select a different certificate (and private key) from one run to the next.
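The two specifier grammars above, the location:store form accepted by setCertificateAuthority() and the location:store:subject form accepted by setCertificateChainFile(), are easy to get subtly wrong, so here is a parser for both with the documented defaults. This is an added example written for this page, not Rudiments code, and Rudiments does not expose its own parser; the names StoreSpec, parseCaStoreSpec, parseCertStoreSpec, subjectMatches and countSubjectMatches are this example's own. It assumes location and store names are matched exactly as listed, and it treats a specifier whose leading piece is not a listed location as invalid, which is also how it tells a drive-letter path such as C:\certs\ca.pfx from a store specifier (the page does not say how the library itself makes that distinction). It goes slightly beyond the page in one respect: colons after the second one are kept as part of the subject rather than rejected.

```cpp
#include <cctype>
#include <cstddef>
#include <string>
#include <vector>

// Parsed form of a Windows Certificate Store specifier (example's own type).
struct StoreSpec {
    std::string location;   // CURRENT_USER, LOCAL_MACHINE, ...
    std::string store;      // MY, Root, Trust or CA
    std::string subject;    // empty for a CA-store specifier
    bool valid;             // false if the spec did not match the documented grammar
};

// The location and store names the documentation lists; matched exactly (assumption).
static const char *const kLocations[] = {
    "CURRENT_USER", "LOCAL_MACHINE", "CURRENT_SERVICE", "SERVICES", "USERS",
    "CURRENT_USER_GROUP_POLICY", "LOCAL_MACHINE_GROUP_POLICY", "LOCAL_MACHINE_ENTERPRISE"};
static const char *const kStores[] = {"MY", "Root", "Trust", "CA"};

static bool isListed(const std::string &name, const char *const *list, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (name == list[i]) return true;
    }
    return false;
}

static bool knownLocationAndStore(const StoreSpec &s) {
    return isListed(s.location, kLocations, sizeof(kLocations) / sizeof(kLocations[0])) &&
           isListed(s.store, kStores, sizeof(kStores) / sizeof(kStores[0]));
}

// Split on ':' into at most maxParts pieces; the last piece keeps any further colons.
static std::vector<std::string> splitColons(const std::string &s, size_t maxParts) {
    std::vector<std::string> parts;
    size_t start = 0;
    while (parts.size() + 1 < maxParts) {
        size_t pos = s.find(':', start);
        if (pos == std::string::npos) break;
        parts.push_back(s.substr(start, pos - start));
        start = pos + 1;
    }
    parts.push_back(s.substr(start));
    return parts;
}

// "ca" forms for setCertificateAuthority(): location:store or store.
// An empty string is reported invalid here; the caller must treat it as
// "no validation" (see the documentation) before ever calling this.
StoreSpec parseCaStoreSpec(const std::string &spec) {
    StoreSpec r = {"CURRENT_USER", "MY", "", true};
    std::vector<std::string> parts = splitColons(spec, 3);   // a third piece means too many colons
    if (parts.size() == 1) {
        r.store = parts[0];
    } else if (parts.size() == 2) {
        r.location = parts[0];
        r.store = parts[1];
    } else {
        r.valid = false;
    }
    r.valid = r.valid && knownLocationAndStore(r);
    return r;
}

// "filename" forms for setCertificateChainFile(): location:store:subject,
// store:subject or subject. Colons inside the subject survive in the last piece.
StoreSpec parseCertStoreSpec(const std::string &spec) {
    StoreSpec r = {"CURRENT_USER", "MY", "", true};
    std::vector<std::string> parts = splitColons(spec, 3);
    if (parts.size() == 1) {
        r.subject = parts[0];
    } else if (parts.size() == 2) {
        r.store = parts[0];
        r.subject = parts[1];
    } else {
        r.location = parts[0];
        r.store = parts[1];
        r.subject = parts[2];
    }
    r.valid = !r.subject.empty() && knownLocationAndStore(r);
    return r;
}

static std::string lowered(const std::string &s) {
    std::string out(s);
    for (size_t i = 0; i < out.size(); i++) {
        out[i] = (char)tolower((unsigned char)out[i]);
    }
    return out;
}

// The documented lookup: the certificate's Subject contains "subject", case-insensitively.
bool subjectMatches(const std::string &certSubject, const std::string &needle) {
    if (needle.empty()) return false;   // empty "filename" means "send no certificate", not "match anything"
    return lowered(certSubject).find(lowered(needle)) != std::string::npos;
}

// How many stored certificates a "subject" would match. More than one means the
// specifier is ambiguous: store order is not guaranteed, so "first match" could be any.
size_t countSubjectMatches(const std::vector<std::string> &storedSubjects, const std::string &needle) {
    size_t n = 0;
    for (size_t i = 0; i < storedSubjects.size(); i++) {
        if (subjectMatches(storedSubjects[i], needle)) n++;
    }
    return n;
}
```

Run countSubjectMatches() against the subjects enumerated from the target store before shipping a specifier; a count other than exactly 1 means the string needs more of the Subject (the full "CN=..., O=..." prefix, for instance) to be safe.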
void tlscontext::setCiphers(const char *ciphers)
Sets the list of ciphers to allow during the next call to connect() or accept(). Ciphers may be separated by spaces, commas, or colons. If "ciphers" is NULL or empty then a default set of ciphers will be used. Because that default is whatever the underlying TLS/SSL library enables, pin an explicit list when a deployment must exclude suites the library still allows.
For a list of valid ciphers on Linux and Unix platforms, see: man ciphers
For a list of valid ciphers on Windows platforms, see: https://msdn.microsoft.com/en-us/library/windows/desktop/aa375549%28v=vs.85%29.aspx
On Windows platforms, the ciphers (ALG_ID values) should omit the CALG_ prefix and may be given with underscores or dashes. For example: 3DES_112
virtual void tlscontext::setFileDescriptor(int32_t fd)
Sets the file descriptor that will be used to communicate with the peer during the next call to connect() or accept().
Implements socketlayer.
void tlscontext::setPrivateKeyFile(const char *filename)
Ignored on Windows platforms, where the private key must be in the .pfx file or certificate store entry given to setCertificateChainFile().
On non-Windows platforms:
Sets the location of the private key file to use during the next call to connect() or accept().
If no private key file is specified via this call, either because the call is omitted or because "filename" is NULL or empty, then the certificate chain file will be searched for the private key.
Note that the supported file formats may vary between platforms. A variety of formats are generally supported on Linux and Unix platforms (.pem, .pfx, etc.) but only the .pfx format is currently supported on Windows.
void tlscontext::setProtocolVersion(const char *version)
Sets the protocol version to use during the next call to connect() or accept().
Valid values include SSL2, SSL3, TLS1, TLS1.1, TLS1.2 or any more recent version of TLS, as supported by and enabled in the underlying TLS/SSL library. If left NULL or empty then the highest supported version will be negotiated, which is the right choice unless a peer needs pinning to a specific version. SSL2 and SSL3 are prohibited (RFC 6176, RFC 7568) and TLS1 and TLS1.1 are deprecated (RFC 8996); current builds of the underlying library commonly disable them, in which case requesting one of them makes connect() or accept() fail.
void tlscontext::setValidationDepth(uint16_t depth)
Sets the validation depth to use when validating the peer's certificate during the next call to connect() or accept().
There could be any number of intermediate signing authorities between the peer's certificate and a top-level certificate authority.
For example, the certificate chain could consist of:
Setting the validation depth instructs the context to only allow "depth" certificates between the peer certificate and a top-level authority.
The default and maximum depth is 9. Setting a depth greater than 9 has the same effect as setting it to 9. Setting the depth to 0 also has the same effect as setting it to 9, so 0 cannot be used to forbid intermediates; 1 is the smallest limit that takes effect.
ssize_t tlscontext::write(const void *buf, ssize_t size)
Writes "size" bytes from "buf" to the file descriptor previously configured by setFileDescriptor(). Returns the number of bytes that were written or RESULT_ERROR if an error occurred.