1568
1697
Init_ossl_ssl_session();
1572
* The following attributes are available but don't show up in rdoc.
1573
* All attributes must be set before calling SSLSocket.new(io, ctx).
1699
/* Document-class: OpenSSL::SSL::SSLContext
1701
* An SSLContext is used to set various options regarding certificates,
1702
* algorithms, verification, session caching, etc. The SSLContext is
1703
* used to create an SSLSocket.
1705
* All attributes must be set before creating an SSLSocket as the
1706
* SSLContext will be frozen afterward.
1708
* The following attributes are available but don't show up in rdoc:
1574
1709
* * ssl_version, cert, key, client_ca, ca_file, ca_path, timeout,
1575
1710
* * verify_mode, verify_depth client_cert_cb, tmp_dh_callback,
1576
1711
* * session_id_context, session_add_cb, session_new_cb, session_remove_cb
1578
1713
cSSLContext = rb_define_class_under(mSSL, "SSLContext", rb_cObject);
1579
1714
rb_define_alloc_func(cSSLContext, ossl_sslctx_s_alloc);
1580
for(i = 0; i < numberof(ossl_sslctx_attrs); i++)
1581
rb_attr(cSSLContext, rb_intern(ossl_sslctx_attrs[i]), 1, 1, Qfalse);
1717
* Context certificate
1719
rb_attr(cSSLContext, rb_intern("cert"), 1, 1, Qfalse);
1722
* Context private key
1724
rb_attr(cSSLContext, rb_intern("key"), 1, 1, Qfalse);
1727
* A certificate or Array of certificates that will be sent to the client.
1729
rb_attr(cSSLContext, rb_intern("client_ca"), 1, 1, Qfalse);
1732
* The path to a file containing a PEM-format CA certificate
1734
rb_attr(cSSLContext, rb_intern("ca_file"), 1, 1, Qfalse);
1737
* The path to a directory containing CA certificates in PEM format.
1739
* Files are looked up by subject's X509 name's hash value.
1741
rb_attr(cSSLContext, rb_intern("ca_path"), 1, 1, Qfalse);
1744
* Maximum session lifetime.
1746
rb_attr(cSSLContext, rb_intern("timeout"), 1, 1, Qfalse);
1749
* Session verification mode.
1751
* Valid modes are VERIFY_NONE, VERIFY_PEER, VERIFY_CLIENT_ONCE,
1752
* VERIFY_FAIL_IF_NO_PEER_CERT and defined on OpenSSL::SSL
1754
rb_attr(cSSLContext, rb_intern("verify_mode"), 1, 1, Qfalse);
1757
* Number of CA certificates to walk when verifying a certificate chain.
1759
rb_attr(cSSLContext, rb_intern("verify_depth"), 1, 1, Qfalse);
1762
* A callback for additional certificate verification. The callback is
1763
* invoked for each certificate in the chain.
1765
* The callback is invoked with two values. +preverify_ok+ indicates
1766
* indicates if the verification was passed (true) or not (false).
1767
* +store_context+ is an OpenSSL::X509::StoreContext containing the
1768
* context used for certificate verification.
1770
* If the callback returns false verification is stopped.
1772
rb_attr(cSSLContext, rb_intern("verify_callback"), 1, 1, Qfalse);
1775
* Sets various OpenSSL options.
1777
rb_attr(cSSLContext, rb_intern("options"), 1, 1, Qfalse);
1780
* An OpenSSL::X509::Store used for certificate verification
1782
rb_attr(cSSLContext, rb_intern("cert_store"), 1, 1, Qfalse);
1785
* An Array of extra X509 certificates to be added to the certificate
1788
rb_attr(cSSLContext, rb_intern("extra_chain_cert"), 1, 1, Qfalse);
1791
* A callback invoked when a client certificate is requested by a server
1792
* and no certificate has been set.
1794
* The callback is invoked with a Session and must return an Array
1795
* containing an OpenSSL::X509::Certificate and an OpenSSL::PKey. If any
1796
* other value is returned the handshake is suspended.
1798
rb_attr(cSSLContext, rb_intern("client_cert_cb"), 1, 1, Qfalse);
1801
* A callback invoked when DH parameters are required.
1803
* The callback is invoked with the Session for the key exchange, an
1804
* flag indicating the use of an export cipher and the keylength
1807
* The callback must return an OpenSSL::PKey::DH instance of the correct
1810
rb_attr(cSSLContext, rb_intern("tmp_dh_callback"), 1, 1, Qfalse);
1813
* Sets the context in which a session can be reused. This allows
1814
* sessions for multiple applications to be distinguished, for exapmle, by
1817
rb_attr(cSSLContext, rb_intern("session_id_context"), 1, 1, Qfalse);
1820
* A callback invoked on a server when a session is proposed by the client
1821
* but the session could not be found in the server's internal cache.
1823
* The callback is invoked with the SSLSocket and session id. The
1824
* callback may return a Session from an external cache.
1826
rb_attr(cSSLContext, rb_intern("session_get_cb"), 1, 1, Qfalse);
1829
* A callback invoked when a new session was negotiatied.
1831
* The callback is invoked with an SSLSocket. If false is returned the
1832
* session will be removed from the internal cache.
1834
rb_attr(cSSLContext, rb_intern("session_new_cb"), 1, 1, Qfalse);
1837
* A callback invoked when a session is removed from the internal cache.
1839
* The callback is invoked with an SSLContext and a Session.
1841
rb_attr(cSSLContext, rb_intern("session_remove_cb"), 1, 1, Qfalse);
1843
#ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
1845
* A callback invoked at connect time to distinguish between multiple
1848
* The callback is invoked with an SSLSocket and a server name. The
1849
* callback must return an SSLContext for the server name or nil.
1851
rb_attr(cSSLContext, rb_intern("servername_cb"), 1, 1, Qfalse);
1582
1854
rb_define_alias(cSSLContext, "ssl_timeout", "timeout");
1583
1855
rb_define_alias(cSSLContext, "ssl_timeout=", "timeout=");
1584
1856
rb_define_method(cSSLContext, "initialize", ossl_sslctx_initialize, -1);
1589
1861
rb_define_method(cSSLContext, "setup", ossl_sslctx_setup, 0);
1865
* No session caching for client or server
1592
1867
rb_define_const(cSSLContext, "SESSION_CACHE_OFF", LONG2FIX(SSL_SESS_CACHE_OFF));
1870
* Client sessions are added to the session cache
1593
1872
rb_define_const(cSSLContext, "SESSION_CACHE_CLIENT", LONG2FIX(SSL_SESS_CACHE_CLIENT)); /* doesn't actually do anything in 0.9.8e */
1875
* Server sessions are added to the session cache
1594
1877
rb_define_const(cSSLContext, "SESSION_CACHE_SERVER", LONG2FIX(SSL_SESS_CACHE_SERVER));
1880
* Both client and server sessions are added to the session cache
1595
1882
rb_define_const(cSSLContext, "SESSION_CACHE_BOTH", LONG2FIX(SSL_SESS_CACHE_BOTH)); /* no different than CACHE_SERVER in 0.9.8e */
1885
* Normally the sesison cache is checked for expired sessions every 255
1886
* connections. Since this may lead to a delay that cannot be controlled,
1887
* the automatic flushing may be disabled and #flush_sessions can be
1888
* called explicitly.
1596
1890
rb_define_const(cSSLContext, "SESSION_CACHE_NO_AUTO_CLEAR", LONG2FIX(SSL_SESS_CACHE_NO_AUTO_CLEAR));
1893
* Always perform external lookups of sessions even if they are in the
1896
* This flag has no effect on clients
1597
1898
rb_define_const(cSSLContext, "SESSION_CACHE_NO_INTERNAL_LOOKUP", LONG2FIX(SSL_SESS_CACHE_NO_INTERNAL_LOOKUP));
1901
* Never automatically store sessions in the internal store.
1598
1903
rb_define_const(cSSLContext, "SESSION_CACHE_NO_INTERNAL_STORE", LONG2FIX(SSL_SESS_CACHE_NO_INTERNAL_STORE));
1906
* Enables both SESSION_CACHE_NO_INTERNAL_LOOKUP and
1907
* SESSION_CACHE_NO_INTERNAL_STORE.
1599
1909
rb_define_const(cSSLContext, "SESSION_CACHE_NO_INTERNAL", LONG2FIX(SSL_SESS_CACHE_NO_INTERNAL));
1600
1911
rb_define_method(cSSLContext, "session_add", ossl_sslctx_session_add, 1);
1601
1912
rb_define_method(cSSLContext, "session_remove", ossl_sslctx_session_remove, 1);
1602
1913
rb_define_method(cSSLContext, "session_cache_mode", ossl_sslctx_get_session_cache_mode, 0);