1// Licensed to the Apache Software Foundation (ASF) under one
2// or more contributor license agreements. See the NOTICE file
3// distributed with this work for additional information
4// regarding copyright ownership. The ASF licenses this file
5// to you under the Apache License, Version 2.0 (the
6// "License"); you may not use this file except in compliance
7// with the License. You may obtain a copy of the License at
8//
9// http://www.apache.org/licenses/LICENSE-2.0
10//
11// Unless required by applicable law or agreed to in writing,
12// software distributed under the License is distributed on an
13// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
14// KIND, either express or implied. See the License for the
15// specific language governing permissions and limitations
16// under the License.
17
18
19#ifndef BRPC_SSL_OPTION_H
20#define BRPC_SSL_OPTION_H
21
22#include <string>
23#include <vector>
24
25namespace brpc {
26
// One certificate/private-key pair plus the extra hostnames it should serve.
// Used as the default and additional certificates in ServerSSLOptions and as
// the client certificate in ChannelSSLOptions.
struct CertInfo {
    // Certificate in PEM format.
    // Note that CN and alt subjects will be extracted from the certificate,
    // and will be used as hostnames. Requests to this hostname (provided SNI
    // extension supported) will be encrypted using this certificate.
    // Supported both file path and raw string
    std::string certificate;

    // Private key in PEM format.
    // Supported both file path and raw string based on prefix:
    // NOTE(review): the prefix that distinguishes a path from a raw key is not
    // documented here; confirm against the loader before relying on either form.
    // A raw key passed here lives in an ordinary std::string, which is not
    // wiped on destruction, so prefer the file-path form where possible.
    std::string private_key;

    // Additional hostnames besides those inside the certificate. Wildcards
    // are supported but it can only appear once at the beginning (i.e. *.xxx.com).
    std::vector<std::string> sni_filters;
};
43
// Peer-certificate verification settings, embedded in both ChannelSSLOptions
// (verifying the server) and ServerSSLOptions (verifying the client).
struct VerifyOptions {
    // Constructed with default options
    VerifyOptions();

    // Set the maximum depth of the certificate chain for verification
    // If 0, turn off the verification
    // Default: 0
    // NOTE: with the default value the peer's certificate is accepted without
    // being checked at all; set a positive depth to actually authenticate the
    // peer.
    int verify_depth;

    // Set the trusted CA file to verify the peer's certificate
    // If empty, use the system default CA files
    // Default: ""
    // Presumably only consulted once verification is enabled via
    // `verify_depth' -- confirm against the implementation.
    std::string ca_file_path;
};
58
// SSL options at client side
struct ChannelSSLOptions {
    // Constructed with default options
    ChannelSSLOptions();

    // Cipher suites used for SSL handshake.
    // The format of this string should follow that in `man 1 ciphers'.
    // Default: "DEFAULT"
    std::string ciphers;

    // SSL protocols used for SSL handshake, separated by comma.
    // Available protocols: SSLv3, TLSv1, TLSv1.1, TLSv1.2
    // Default: TLSv1, TLSv1.1, TLSv1.2
    // SSLv3 is deliberately absent from the default (see `disable_ssl3' in
    // ServerSSLOptions for why) and should not be added back; TLSv1 and
    // TLSv1.1 are also deprecated, so narrow this to TLSv1.2 where the
    // servers you talk to allow it.
    std::string protocols;

    // When set, fill this into the SNI extension field during handshake,
    // which can be used by the server to locate the right certificate.
    // Default: empty
    std::string sni_name;

    // Certificate used for client authentication
    // Default: empty
    CertInfo client_cert;

    // Options used to verify the server's certificate
    // Default: see above
    // With VerifyOptions' default `verify_depth' of 0 the server is NOT
    // authenticated: the connection is encrypted but the peer is unverified.
    VerifyOptions verify;

    // TODO: Support CRL
};
89
// SSL options at server side
struct ServerSSLOptions {
    // Constructed with default options
    ServerSSLOptions();

    // Default certificate which will be loaded into server. Requests
    // without hostname or whose hostname doesn't have a corresponding
    // certificate will use this certificate. MUST be set to enable SSL.
    CertInfo default_cert;

    // Additional certificates which will be loaded into server. These
    // provide extra bindings between hostnames and certificates so that
    // we can choose different certificates according to different hostnames.
    // See `CertInfo' for detail.
    std::vector<CertInfo> certs;

    // When set, requests without hostname or whose hostname can't be found in
    // any of the certificates above will be dropped. Otherwise, `default_cert'
    // will be used.
    // Default: false
    // Enabling this avoids presenting `default_cert' to clients that asked for
    // an unknown name, at the cost of rejecting clients that send no SNI.
    bool strict_sni;

    // When set, SSLv3 requests will be dropped. Strongly recommended since
    // SSLv3 has been found suffering from severe security problems. Note that
    // some old versions of browsers may use SSLv3 by default such as IE6.0
    // Default: true
    // Keep this enabled; compatibility with such clients is not worth the
    // exposure.
    bool disable_ssl3;

    // Flag for SSL_MODE_RELEASE_BUFFERS. When set, release read/write buffers
    // when SSL connection is idle, which saves 34KB memory per connection.
    // On the other hand, it introduces additional latency and reduces throughput
    // Default: false
    bool release_buffer;

    // Maximum lifetime for a session to be cached inside OpenSSL in seconds.
    // A session can be reused (initiated by client) to save handshake before
    // it reaches this timeout.
    // Default: 300
    // A resumed session skips the full handshake, so this value also bounds
    // how long a client can keep resuming without going through it again.
    int session_lifetime_s;

    // Maximum number of cached sessions. When cache is full, no more new
    // session will be added into the cache until SSL_CTX_flush_sessions is
    // called (automatically by SSL_read/write). A special value is 0, which
    // means no limit.
    // Default: 20480
    // 0 lets the cache grow without bound between flushes; prefer an explicit
    // limit on servers reachable by many distinct clients.
    int session_cache_size;

    // Cipher suites allowed for each SSL handshake. The format of this string
    // should follow that in `man 1 ciphers'. If empty, OpenSSL will choose
    // a default cipher based on the certificate information
    // Default: ""
    std::string ciphers;

    // Name of the elliptic curve used to generate ECDH ephemeral keys
    // Default: prime256v1
    std::string ecdhe_curve_name;

    // Options used to verify the client's certificate
    // Default: see above
    // With VerifyOptions' default `verify_depth' of 0 client certificates are
    // not verified, i.e. there is no client authentication unless this is
    // configured explicitly.
    VerifyOptions verify;

    // TODO: Support NPN & ALPN
    // TODO: Support OCSP stapling
};
154
// Legacy name defined in server.h. `SSLOptions' and `ServerSSLOptions' denote
// the same type, so both spellings can be used interchangeably; the elaborated
// form below refers to the struct declared above.
typedef struct ServerSSLOptions SSLOptions;
157
158} // namespace brpc
159
160#endif // BRPC_SSL_OPTION_H
161