1 | // Licensed to the Apache Software Foundation (ASF) under one |
2 | // or more contributor license agreements. See the NOTICE file |
3 | // distributed with this work for additional information |
4 | // regarding copyright ownership. The ASF licenses this file |
5 | // to you under the Apache License, Version 2.0 (the |
6 | // "License"); you may not use this file except in compliance |
7 | // with the License. You may obtain a copy of the License at |
8 | // |
9 | // http://www.apache.org/licenses/LICENSE-2.0 |
10 | // |
11 | // Unless required by applicable law or agreed to in writing, |
12 | // software distributed under the License is distributed on an |
13 | // "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
14 | // KIND, either express or implied. See the License for the |
15 | // specific language governing permissions and limitations |
16 | // under the License. |
17 | |
18 | |
19 | #ifndef BRPC_SSL_OPTION_H |
20 | #define BRPC_SSL_OPTION_H |
21 | |
22 | #include <string> |
23 | #include <vector> |
24 | |
25 | namespace brpc { |
26 | |
// A certificate / private-key pair together with the hostnames it serves.
struct CertInfo {
    // Certificate in PEM format.
    // Note that CN and alt subjects will be extracted from the certificate,
    // and will be used as hostnames. Requests to these hostnames (provided the
    // SNI extension is supported) will be encrypted using this certificate.
    // Both a file path and the raw PEM string are supported.
    std::string certificate;

    // Private key in PEM format, matching `certificate'.
    // Both a file path and the raw PEM string are supported.
    std::string private_key;

    // Additional hostnames besides those inside the certificate. Wildcards
    // are supported, but only a single one at the beginning (e.g. *.xxx.com).
    std::vector<std::string> sni_filters;
};
43 | |
// Options controlling peer-certificate verification. Used on the client side
// (verifying the server) and on the server side (verifying the client).
struct VerifyOptions {
    // Constructed with default options (defined out of line).
    VerifyOptions();

    // Maximum depth of the certificate chain accepted during verification.
    // If 0, verification is turned off entirely: the peer's certificate is
    // accepted without being checked against any CA, so the connection is
    // encrypted but the peer is NOT authenticated.
    // Default: 0
    int verify_depth;

    // Path of the trusted CA file used to verify the peer's certificate.
    // If empty, the system default CA files are used. Has no effect while
    // verify_depth is 0, since verification is off in that case.
    // Default: ""
    std::string ca_file_path;
};
58 | |
// SSL options at client side
struct ChannelSSLOptions {
    // Constructed with default options (defined out of line).
    ChannelSSLOptions();

    // Cipher suites used for SSL handshake.
    // The format of this string should follow that in `man 1 ciphers'.
    // Default: "DEFAULT"
    std::string ciphers;

    // SSL protocols used for SSL handshake, separated by comma.
    // Available protocols: SSLv3, TLSv1, TLSv1.1, TLSv1.2
    // SSLv3 is accepted here only for compatibility with legacy servers and is
    // deliberately left out of the default (see the SSLv3 note in the
    // server-side options below).
    // Default: TLSv1, TLSv1.1, TLSv1.2
    std::string protocols;

    // When set, fill this into the SNI extension field during handshake,
    // which can be used by the server to locate the right certificate.
    // Default: empty
    std::string sni_name;

    // Certificate presented for client authentication (mutual TLS). Only
    // needed when the server requires a client certificate.
    // Default: empty
    CertInfo client_cert;

    // Options used to verify the server's certificate.
    // With the VerifyOptions default (verify_depth == 0) the server's
    // certificate is NOT verified, so any peer presenting any certificate is
    // accepted; set verify.verify_depth > 0 (and verify.ca_file_path if the
    // system CA store is not sufficient) to actually authenticate the server.
    // Default: see above
    VerifyOptions verify;

    // TODO: Support CRL
};
89 | |
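// SSL options at server side
struct ServerSSLOptions {
    // Constructed with default options (defined out of line).
    ServerSSLOptions();

    // Default certificate which will be loaded into server. Requests
    // without hostname or whose hostname doesn't have a corresponding
    // certificate will use this certificate. MUST be set to enable SSL.
    CertInfo default_cert;

    // Additional certificates which will be loaded into server. These
    // provide extra bindings between hostnames and certificates so that
    // we can choose different certificates according to different hostnames.
    // See `CertInfo' for detail.
    std::vector<CertInfo> certs;

    // When set, requests without hostname or whose hostname can't be found in
    // any of the certificates above will be dropped. Otherwise, `default_cert'
    // will be used.
    // Default: false
    bool strict_sni;

    // When set, SSLv3 requests will be dropped. Strongly recommended since
    // SSLv3 has been found suffering from severe security problems. Note that
    // some old versions of browsers may use SSLv3 by default such as IE6.0
    // Default: true
    bool disable_ssl3;

    // Flag for SSL_MODE_RELEASE_BUFFERS. When set, release read/write buffers
    // when SSL connection is idle, which saves 34KB memory per connection.
    // On the other hand, it introduces additional latency and reduces throughput
    // Default: false
    bool release_buffer;

    // Maximum lifetime for a session to be cached inside OpenSSL in seconds.
    // A session can be reused (initiated by client) to save handshake before
    // it reaches this timeout.
    // Default: 300
    int session_lifetime_s;

    // Maximum number of cached sessions. When cache is full, no more new
    // session will be added into the cache until SSL_CTX_flush_sessions is
    // called (automatically by SSL_read/write). A special value is 0, which
    // means no limit.
    // Default: 20480
    int session_cache_size;

    // Cipher suites allowed for each SSL handshake. The format of this string
    // should follow that in `man 1 ciphers'. If empty, OpenSSL will choose
    // a default cipher based on the certificate information
    // Default: ""
    std::string ciphers;

    // Name of the elliptic curve used to generate ECDH ephemeral keys
    // Default: prime256v1
    std::string ecdhe_curve_name;

    // Options used to verify the client's certificate.
    // With the VerifyOptions default (verify_depth == 0) client certificates
    // are not verified, i.e. clients are not authenticated at the TLS layer;
    // set verify.verify_depth > 0 to require and check a client certificate.
    // Default: see above
    VerifyOptions verify;

    // TODO: Support NPN & ALPN
    // TODO: Support OCSP stapling
};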
154 | |
// Legacy alias kept for source compatibility with code written against the
// name originally defined in server.h.
typedef ServerSSLOptions SSLOptions;
157 | |
158 | } // namespace brpc |
159 | |
160 | #endif // BRPC_SSL_OPTION_H |
161 | |