290 ssl_context.set_options(boost::asio::ssl::context::default_workarounds);
291 ssl_context.set_options(boost::asio::ssl::context::no_sslv2);
292 ssl_context.set_options(boost::asio::ssl::context::no_sslv3);
293 ssl_context.set_options(boost::asio::ssl::context::no_tlsv1);
294 ssl_context.set_options(boost::asio::ssl::context::no_tlsv1_1);
297 SSL_CTX_set_cipher_list(ssl_context.native_handle(),
"ECDHE-ECDSA-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256");
300 SSL_CTX *ctx = ssl_context.native_handle();
302 SSL_CTX_clear_options(ctx, SSL_OP_LEGACY_SERVER_CONNECT);
303 SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
304 #ifdef SSL_OP_NO_TICKET 305 SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET);
307 #ifdef SSL_OP_NO_RENEGOTIATION 308 SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION);
310 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 311 SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
313 #ifdef SSL_OP_NO_COMPRESSION 314 SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION);
316 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE 317 SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
319 SSL_CTX_set_ecdh_auto(ctx, 1);
324 ssl_context.set_default_verify_paths();
327 ssl_context.set_verify_depth(0);
332 const boost::system::error_code err = load_ca_file(ssl_context,
ca_path);
334 throw boost::system::system_error{err,
"Failed to load user CA file at " +
ca_path};
348 #ifdef USE_EXTRA_EC_CERT 351 if (!SSL_CTX_use_PrivateKey(ctx, pkey))
352 MERROR(
"Failed to use generated EC private key for " << NID_secp256k1);
361 if (!SSL_CTX_use_PrivateKey(ctx, pkey))
362 MERROR(
"Failed to use generated RSA private key for RSA");
#define CHECK_AND_ASSERT_THROW_MES(expr, message)
bool create_rsa_ssl_certificate(EVP_PKEY *&pkey, X509 *&cert)
void use_ssl_certificate(boost::asio::ssl::context &ssl_context) const
Load private_key_path and certificate_path into ssl_context.
std::string certificate_path
Certificate used for authentication to peer.
Verify peer via system CA only (do not inspect user certificates)
Verify peer via specific (possibly chain) certificate(s) only.
ssl_authentication_t auth
std::unique_ptr< void, terminate > context
Unique ZMQ context handle, calls zmq_term on destruction.
Verify peer via specific (non-chain) certificate(s) only.
bool create_ec_ssl_certificate(EVP_PKEY *&pkey, X509 *&cert)
ssl_verification_t verification
std::string private_key_path
Private key used for authentication.