MCPcopy Create free account
hub / github.com/Snapchat/KeyDB / tlsConfigure

Function tlsConfigure

src/tls.cpp:316–450  ·  view source on GitHub ↗

Attempt to configure/reconfigure TLS. This operation is atomic and will * leave the SSL_CTX unchanged if fails. */

Source from the content-addressed store, hash-verified

314 * leave the SSL_CTX unchanged if fails.
315 */
316int tlsConfigure(redisTLSContextConfig *ctx_config) {
317 char errbuf[256];
318 SSL_CTX *ctx = NULL;
319 SSL_CTX *client_ctx = NULL;
320 int protocols;
321
322 if (!ctx_config->cert_file) {
323 serverLog(LL_WARNING, "No tls-cert-file configured!");
324 goto error;
325 }
326
327 if (!ctx_config->key_file) {
328 serverLog(LL_WARNING, "No tls-key-file configured!");
329 goto error;
330 }
331
332 if (((g_pserver->tls_auth_clients != TLS_CLIENT_AUTH_NO) || g_pserver->tls_cluster || g_pserver->tls_replication) &&
333 !ctx_config->ca_cert_file && !ctx_config->ca_cert_dir) {
334 serverLog(LL_WARNING, "Either tls-ca-cert-file or tls-ca-cert-dir must be specified when tls-cluster, tls-replication or tls-auth-clients are enabled!");
335 goto error;
336 }
337
338 /* Update the last modified times for the TLS elements */
339 ctx_config->key_file_last_modified = getLastModifiedTime(ctx_config->key_file);
340 ctx_config->cert_file_last_modified = getLastModifiedTime(ctx_config->cert_file);
341 ctx_config->client_cert_file_last_modified = getLastModifiedTime(ctx_config->client_cert_file);
342 ctx_config->client_key_file_last_modified = getLastModifiedTime(ctx_config->client_key_file);
343 ctx_config->ca_cert_dir_last_modified = getLastModifiedTime(ctx_config->ca_cert_dir);
344 ctx_config->ca_cert_file_last_modified = getLastModifiedTime(ctx_config->ca_cert_file);
345
346 protocols = parseProtocolsConfig(ctx_config->protocols);
347 if (protocols == -1) goto error;
348
349 /* Create server side/generla context */
350 ctx = createSSLContext(ctx_config, protocols, 0);
351 if (!ctx) goto error;
352
353 if (ctx_config->session_caching) {
354 SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER);
355 SSL_CTX_sess_set_cache_size(ctx, ctx_config->session_cache_size);
356 SSL_CTX_set_timeout(ctx, ctx_config->session_cache_timeout);
357 SSL_CTX_set_session_id_context(ctx, (const unsigned char *) "KeyDB", 5);
358 } else {
359 SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
360 }
361
362#ifdef SSL_OP_NO_CLIENT_RENEGOTIATION
363 SSL_CTX_set_options(ctx, SSL_OP_NO_CLIENT_RENEGOTIATION);
364#endif
365
366 if (ctx_config->prefer_server_ciphers)
367 SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
368
369#if ((OPENSSL_VERSION_NUMBER < 0x30000000L) && defined(SSL_CTX_set_ecdh_auto))
370 SSL_CTX_set_ecdh_auto(ctx, 1);
371#endif
372 SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
373

Callers 4

initServerFunction · 0.85
tlsReloadFunction · 0.85
updateTlsCfgFunction · 0.85
updateTLSPortFunction · 0.85

Calls 4

serverLogFunction · 0.85
getLastModifiedTimeFunction · 0.85
parseProtocolsConfigFunction · 0.85
createSSLContextFunction · 0.85

Tested by

no test coverage detected