The rsocket_sni class provides a specialized interface for collecting a group of SNI (Server Name Identifier) contexts for TLS connections. More...
#include <randolf/rsocket_sni>
Collaboration diagram for randolf::rsocket_sni:Public Member Functions | |
| rsocket_sni (SSL_CTX *ctx=nullptr, const bool is_server_method=true) | |
| Instantiate a new rsocket_sni object. | |
| ~rsocket_sni () noexcept | |
| Destructor for rsocket_sni object, which deletes all SNI hostnames and their associated TLS contexts, updating OpenSSL's internal TLS context reference counters accordingly. | |
| rsocket_sni & | add (const std::string &hostname) |
Add one new hostname, which will be associated with the current TLS context. SNI wildcards are supported (e.g., *.example.com). | |
| template<class... Hs> | |
| rsocket_sni & | add (const std::string &hostname, Hs... hostnames) |
Add one or more new hostnames, which will be associated with the current TLS context. SNI wildcards are supported (e.g., *.example.com). | |
| rsocket_sni & | del (const std::string &hostname) |
| Delete one hostname. | |
| template<class... Hs> | |
| rsocket_sni & | del (const std::string &hostname, Hs... hostnames) |
| Delete one or more hostnames. | |
| SSL_CTX * | get_ctx (const std::string &hostname, const bool enable_sni_wildcards=true, SSL_CTX *default_tls_ctx=nullptr) |
Return the TLS context for a given hostname. If any SNI wildcards satisfy hostname-matching criteria (e.g., www.example.com matches a *.example.com wildcard), the respective TLS context for it will be returned (as expected). | |
| SSL_CTX * | tls_ctx () noexcept |
| Find out what the current TLS context is set to. | |
| rsocket_sni & | tls_ctx (SSL_CTX *ctx, const bool is_server_method=true) |
| Set the current TLS context to a specific context or create a new one. | |
| rsocket_sni & | tls_ctx_check_privatekey () |
| Check the private key it to ensure it's consistent with the corresponding TLS certificate chain. | |
| rsocket_sni & | tls_ctx_use_certificate_chain_and_privatekey_files (const char *chain_file, const char *key_file) |
| Load a TLS certificate chain and private key in PEM format from text files and use them in the TLS context. | |
| rsocket_sni & | tls_ctx_use_certificate_chain_and_privatekey_files (const std::string &chain_file, const std::string &key_file) |
| Load a TLS certificate chain and private key in PEM format from text files and use them in the TLS context. | |
| rsocket_sni & | tls_ctx_use_certificate_chain_and_privatekey_pems (const char *cert_pem_data, const char *key_pem_data, size_t cert_len=0, size_t key_len=0, const bool random_fill=true) |
| Load a TLS certificate chain and a TLS private key in PEM format from memory and use them in the TLS context. | |
| rsocket_sni & | tls_ctx_use_certificate_chain_file (const char *file) |
| Load a TLS certificate chain in PEM format from a text file and use it in the TLS context. | |
| rsocket_sni & | tls_ctx_use_certificate_chain_file (const std::string &file) |
| Load a TLS certificate chain in PEM format from a text file and use it in the TLS context. | |
| rsocket_sni & | tls_ctx_use_certificate_chain_pem (const char *pem_data, size_t len=0, const bool random_fill=true) |
| Load a TLS certificate chain in PEM format from memory and use it in the TLS context. | |
| rsocket_sni & | tls_ctx_use_privatekey_file (const char *file) |
| Load a TLS private key in PEM format from a text file and use it in the TLS context. | |
| rsocket_sni & | tls_ctx_use_privatekey_file (const std::string &file) |
| Load a TLS private key in PEM format from a text file and use it in the TLS context. | |
| rsocket_sni & | tls_ctx_use_privatekey_pem (const char *pem_data, size_t len=0, const bool random_fill=true) |
| Load a TLS private key in PEM format from memory and use it in the TLS context. | |
The rsocket_sni class provides a specialized interface for collecting a group of SNI (Server Name Identifier) contexts for TLS connections.
|
inline |
Instantiate a new rsocket_sni object.
| ctx | OpenSSL's TLS context to use (if set to nullptr, this rsocket's TLS context will be paired with the specified hostname{s}) |
| is_server_method | When ctx is nullptr, indicates whether to initialize the new TLS context with the TLS_server_method() or the TLS_client_method() function (the default is true, which is the . |
|
inlinenoexcept |
Destructor for rsocket_sni object, which deletes all SNI hostnames and their associated TLS contexts, updating OpenSSL's internal TLS context reference counters accordingly.
|
inline |
Add one new hostname, which will be associated with the current TLS context. SNI wildcards are supported (e.g., *.example.com).
| hostname | Hostname to add |
|
inline |
Add one or more new hostnames, which will be associated with the current TLS context. SNI wildcards are supported (e.g., *.example.com).
| hostname | First hostname (required) |
| hostnames | Additional hostnames (optional) |
|
inline |
Delete one hostname.
| hostname | Hostname to delete |
|
inline |
Delete one or more hostnames.
| hostname | First hostname (required) |
| hostnames | Additional hostnames (optional) |
|
inline |
Return the TLS context for a given hostname. If any SNI wildcards satisfy hostname-matching criteria (e.g., www.example.com matches a *.example.com wildcard), the respective TLS context for it will be returned (as expected).
For wildcard comparisons, OpenSSL's functions are used for matching to ensure consistency with what's expected, and in order to support any unforseen changes to future standards in wildcard naming rules. (In other words, we're relying on OpenSSL to do what it already does efficiently and correctly.)
Exact matches are always checked before wildcards because the exact matching algorithm is faster (uses fewer CPU cycles) than comparing wildcards.
nullptr (or default_tls_ctx override) if hostname doesn't match any SNI entries | hostname | Hostname |
| enable_sni_wildcards | SNI supports wildcards, but if an exact match is needed then setting this parameter to false will skip attempts to also match wildcards (the default is true) |
| default_tls_ctx | Override the default context nullptr that is returned to indicate that the hostname didn't match |
|
inlinenoexcept |
Find out what the current TLS context is set to.
|
inline |
Set the current TLS context to a specific context or create a new one.
| ctx | OpenSSL's TLS context to use (if set to nullptr, this rsocket's TLS context will be paired with the specified hostname{s}) |
| is_server_method | When ctx is nullptr, indicates whether to initialize the new TLS context with the TLS_server_method(), which is the default. If set to false, then the TLS_client_method() function will be called as part of initializing a new TLS context. |
|
inline |
Check the private key it to ensure it's consistent with the corresponding TLS certificate chain.
| randolf::rex::xALL | Catch this exception for now (at this time, the OpenSSL library doesn't document which errors may be returned) |
|
inline |
Load a TLS certificate chain and private key in PEM format from text files and use them in the TLS context.
| randolf::rex::xALL | Catch this exception for now (at this time, the OpenSSL library doesn't document which errors may be returned) |
| chain_file | Pointer to ASCIIZ path and filename to certificate chain file (nullptr will simply be ignored) |
| key_file | Pointer to ASCIIZ path and filename to private key file (nullptr will simply be ignored) |
|
inline |
Load a TLS certificate chain and private key in PEM format from text files and use them in the TLS context.
| randolf::rex::xALL | Catch this exception for now (at this time, the OpenSSL library doesn't document which errors may be returned) |
| chain_file | Pointer to ASCIIZ path and filename to certificate chain file (an empty string will simply be ignored) |
| key_file | Pointer to ASCIIZ path and filename to private key file (an empty string will simply be ignored) |
|
inline |
Load a TLS certificate chain and a TLS private key in PEM format from memory and use them in the TLS context.
Although this functionality doesn't exist in OpenSSL (at the time of writing this method), it's provided here in a manner that has exactly the same effect as the tls_ctx_use_certificate_chain_and_privatekey_files() methods, but without needing the PEM-formatted certificate chain stored in files beforehand.
cert_pem_data and key_pem_data parameters are pointers to the memory locations that holds the PEM formatted certificate chain data and private key data, respectively. If the corresponding lengths of each of these data aren't specified or are set to zero (default), then they will be treated as multiline ASCIIZ strings.Behind the scenes, we're just writing the cert_pem_data and key_pem_data memory to temporary files with severely-limited permissions (), then optionally overwriting those temporary files with random data prior to deleting them (this is the default, since better security practices should be the default, but on a secured system it may not be necessary and so this option can also be disabled to save CPU cycles and reduce overall disk-write I/O operations).
| randolf::rex::xALL | Catch this exception for now (at this time, the OpenSSL library doesn't document which errors may be returned) |
| cert_pem_data | Pointer to certificate chain data in PEM format |
| key_pem_data | Pointer to private key data in PEM format |
| cert_len | Length of cert_pem_data (in bytes), or 0 to auto-detect length if cert_pem_data is an ASCIIZ string |
| key_len | Length of key_pem_data (in bytes), or 0 to auto-detect length if key_pem_data is an ASCIIZ string |
| random_fill | Whether to overwrite the temporary files with random data before deleting them |
|
inline |
Load a TLS certificate chain in PEM format from a text file and use it in the TLS context.
| randolf::rex::xALL | Catch this exception for now (at this time, the OpenSSL library doesn't document which errors may be returned) |
| file | Pointer to ASCIIZ path and filename to certificate chain file |
|
inline |
Load a TLS certificate chain in PEM format from a text file and use it in the TLS context.
| randolf::rex::xALL | Catch this exception for now (at this time, the OpenSSL library doesn't document which errors may be returned) |
| file | Path and filename to certificate chain file |
|
inline |
Load a TLS certificate chain in PEM format from memory and use it in the TLS context.
Although this functionality doesn't exist in OpenSSL (at the time of writing this method), it's provided here in a manner that has exactly the same effect as the tls_ctx_use_certificate_chain_file() methods, but without needing the PEM-formatted certificate chain stored in a file beforehand.
pem_data parameter is a pointer to the memory location that holds the PEM formatted certificate chain data. If the length of this data isn't specified or is set to zero (default), then it will be treated as a multiline ASCIIZ string.Behind the scenes, we're just writing the pem_data memory to a temporary file with severely-limited permissions (), then optionally overwriting that temporary file with random data prior to deleting it (this is the default, since better security practices should be the default, but on a secured system it may not be necessary and so this option can also be disabled to save CPU cycles and reduce overall disk-write I/O operations).
| randolf::rex::xALL | Catch this exception for now (at this time, the OpenSSL library doesn't document which errors may be returned) |
| pem_data | Pointer to certificate chain data in PEM format |
| len | Length of pem_data (in bytes), or 0 to auto-detect length if pem_data is an ASCIIZ string |
| random_fill | Whether to overwrite the temporary file with random data before deleting it |
|
inline |
Load a TLS private key in PEM format from a text file and use it in the TLS context.
| randolf::rex::xALL | Catch this exception for now (at this time, the OpenSSL library doesn't document which errors may be returned) |
| file | Pointer to ASCIIZ path and filename to private key file |
|
inline |
Load a TLS private key in PEM format from a text file and use it in the TLS context.
| randolf::rex::xALL | Catch this exception for now (at this time, the OpenSSL library doesn't document which errors may be returned) |
| file | Path and filename to private key file |
|
inline |
Load a TLS private key in PEM format from memory and use it in the TLS context.
Although this functionality doesn't exist in OpenSSL (at the time of writing this method), it's provided here in a manner that has exactly the same effect as the tls_ctx_use_privatekey_file() methods, but without needing the PEM-formatted private key stored in a file beforehand.
pem_data parameter is a pointer to the memory location that holds the PEM formatted private key data. If the length of this data isn't specified or is set to zero (default), then it will be treated as a multiline ASCIIZ string.Behind the scenes, we're just writing the pem_data memory to a temporary file (with severely-limited permissions), then optionally overwriting that temporary file with random data prior to deleting it (this is the default, since better security practices should be the default, but on a secured system it may not be necessary and so this option can also be disabled to save CPU cycles and reduce overall disk-write I/O operations).
| randolf::rex::xALL | Catch this exception for now (at this time, the OpenSSL library doesn't document which errors may be returned) |
| pem_data | Pointer to private key data in PEM format |
| len | Length of pem_data (in bytes), or 0 to auto-detect length if pem_data is an ASCIIZ string |
| random_fill | Whether to overwrite the temporary file with random data before deleting it |
1.14.0