// SetUpFIPSMode enables or disables OpenSSL FIPS mode according to
// opts.SSLFipsMode. The library's error, if any, is returned with the
// requested mode added for context.
func SetUpFIPSMode(opts *ToolOptions) error {
	err := openssl.FIPSModeSet(opts.SSLFipsMode)
	if err == nil {
		return nil
	}
	return fmt.Errorf("couldn't set FIPS mode to %v: %v", opts.SSLFipsMode, err)
}
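// setupCtx creates and configures an openssl.Ctx from the TLS-related
// fields of opts: FIPS mode, protocol and cipher options, the optional
// client certificate (SSLPEMKeyFile), the optional CA bundle (SSLCAFile)
// and the optional CRL file (SSLCRLFile).
//
// It returns a non-nil error when any configuration step fails; a
// partially configured context is never returned.
func setupCtx(opts options.ToolOptions) (*openssl.Ctx, error) {
	if err := openssl.FIPSModeSet(opts.SSLFipsMode); err != nil {
		return nil, fmt.Errorf("couldn't set FIPS mode to %v: %v", opts.SSLFipsMode, err)
	}

	ctx, err := openssl.NewCtxWithVersion(openssl.AnyVersion)
	if err != nil {
		return nil, fmt.Errorf("failure creating new openssl context with "+
			"NewCtxWithVersion(AnyVersion): %v", err)
	}

	// OpAll - Activate all bug workaround options, to support buggy client SSL's.
	// NoSSLv2 - Disable SSL v2 support
	// NOTE(review): SSLv3 is not disabled here; confirm whether the linked
	// OpenSSL build still ships it before relying on this default.
	ctx.SetOptions(openssl.OpAll | openssl.NoSSLv2)

	// HIGH - Enable strong ciphers
	// !EXPORT - Disable export ciphers (40/56 bit)
	// !aNULL - Disable anonymous auth ciphers
	// @STRENGTH - Sort ciphers based on strength
	// The result is checked: a rejected list would otherwise silently leave
	// the library's default cipher list in effect.
	if err = ctx.SetCipherList("HIGH:!EXPORT:!aNULL@STRENGTH"); err != nil {
		return nil, fmt.Errorf("SetCipherList: %v", err)
	}

	// add the PEM key file with the cert and private key, if specified
	if opts.SSLPEMKeyFile != "" {
		if err = configureClientCert(ctx, opts.SSLPEMKeyFile); err != nil {
			return nil, err
		}
	}

	// If renegotiation is needed, don't return from recv() or send() until it's successful.
	// Note: this is for blocking sockets only.
	ctx.SetMode(openssl.AutoRetry)

	// Disable session caching (see SERVER-10261)
	ctx.SetSessionCacheMode(openssl.SessionCacheOff)

	// NOTE(review): SetVerify is only called when a CA file is given, so with
	// an empty SSLCAFile the library's default verification mode applies
	// regardless of SSLAllowInvalid — confirm that is the intended behaviour.
	if opts.SSLCAFile != "" {
		if err = configureCAFile(ctx, opts.SSLCAFile, opts.SSLAllowInvalid); err != nil {
			return nil, err
		}
	}

	if opts.SSLCRLFile != "" {
		if err = configureCRLFile(ctx, opts.SSLCRLFile); err != nil {
			return nil, err
		}
	}

	return ctx, nil
}

// configureClientCert installs the PEM file holding both the certificate
// chain and the private key into ctx and verifies that they belong together.
func configureClientCert(ctx *openssl.Ctx, pemKeyFile string) error {
	if err := ctx.UseCertificateChainFile(pemKeyFile); err != nil {
		return fmt.Errorf("UseCertificateChainFile: %v", err)
	}
	// TODO support password encrypted key files
	if err := ctx.UsePrivateKeyFile(pemKeyFile, openssl.FiletypePEM); err != nil {
		return fmt.Errorf("UsePrivateKeyFile: %v", err)
	}
	// Verify that the certificate and the key go together.
	if err := ctx.CheckPrivateKey(); err != nil {
		return fmt.Errorf("CheckPrivateKey: %v", err)
	}
	return nil
}

// configureCAFile registers caFile as the client-CA list and as the verify
// location for ctx, then sets the peer verification mode: VerifyNone when
// allowInvalid is true, VerifyPeer otherwise.
func configureCAFile(ctx *openssl.Ctx, caFile string, allowInvalid bool) error {
	calist, err := openssl.LoadClientCAFile(caFile)
	if err != nil {
		return fmt.Errorf("LoadClientCAFile: %v", err)
	}
	ctx.SetClientCAList(calist)

	if err = ctx.LoadVerifyLocations(caFile, ""); err != nil {
		return fmt.Errorf("LoadVerifyLocations: %v", err)
	}

	// Keep the explicit type: the verify constants must be passed as
	// openssl.VerifyOptions.
	var verifyOption openssl.VerifyOptions
	if allowInvalid {
		verifyOption = openssl.VerifyNone
	} else {
		verifyOption = openssl.VerifyPeer
	}
	ctx.SetVerify(verifyOption, nil)
	return nil
}

// configureCRLFile enables CRL checking on ctx's certificate store and loads
// crlFile into it.
func configureCRLFile(ctx *openssl.Ctx, crlFile string) error {
	store := ctx.GetCertificateStore()
	store.SetFlags(openssl.CRLCheck)

	lookup, err := store.AddLookup(openssl.X509LookupFile())
	if err != nil {
		return fmt.Errorf("AddLookup(X509LookupFile()): %v", err)
	}
	// The load result is checked so that a missing or unreadable CRL is
	// reported here, at configuration time, rather than leaving CRLCheck set
	// with no CRL loaded and surfacing only at handshake time.
	if err = lookup.LoadCRLFile(crlFile); err != nil {
		return fmt.Errorf("LoadCRLFile: %v", err)
	}
	return nil
}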