SSL in EmbeddedTestServer

net/socket/ssl_server_socket_openssl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/socket/ssl_server_socket_openssl.h"
 
 #include <openssl/err.h>
 #include <openssl/ssl.h>
 
 #include "base/callback_helpers.h"
@@ skipping 11 matching lines @@
 namespace net {
 
 void EnableSSLServerSockets() {
   // No-op because CreateSSLServerSocket() calls crypto::EnsureOpenSSLInit().
 }
 
 scoped_ptr<SSLServerSocket> CreateSSLServerSocket(
     scoped_ptr<StreamSocket> socket,
     X509Certificate* certificate,
     crypto::RSAPrivateKey* key,
-    const SSLConfig& ssl_config) {
+    const SSLServerConfig& ssl_config) {
   crypto::EnsureOpenSSLInit();
   return scoped_ptr<SSLServerSocket>(
       new SSLServerSocketOpenSSL(socket.Pass(), certificate, key, ssl_config));
 }
 
 SSLServerSocketOpenSSL::SSLServerSocketOpenSSL(
     scoped_ptr<StreamSocket> transport_socket,
     scoped_refptr<X509Certificate> certificate,
     crypto::RSAPrivateKey* key,
-    const SSLConfig& ssl_config)
+    const SSLServerConfig& ssl_config)
     : transport_send_busy_(false),
       transport_recv_busy_(false),
       transport_recv_eof_(false),
       user_read_buf_len_(0),
       user_write_buf_len_(0),
       transport_write_error_(OK),
       ssl_(NULL),
       transport_bio_(NULL),
       transport_socket_(transport_socket.Pass()),
       ssl_config_(ssl_config),
@@ skipping 554 matching lines @@
   ResetAndReturn(&user_write_callback_).Run(rv);
 }
 
 int SSLServerSocketOpenSSL::Init() {
   DCHECK(!ssl_);
   DCHECK(!transport_bio_);
 
   crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
 
   ScopedSSL_CTX ssl_ctx(SSL_CTX_new(SSLv23_server_method()));
+
+  if (ssl_config_.require_client_cert)
+    SSL_CTX_set_verify(ssl_ctx.get(), SSL_VERIFY_PEER, NULL);

[davidben, 2015/10/13 19:43:47]

So, I don't see any tests that currently use this. Are you sure this does what
you want? I believe SSL_VERIFY_PEER, without also using
SSL_CTX_set_cert_verify_callback will make verification failures fatal. It also
still allows no certificates without SSL_VERIFY_FAIL_IF_NO_PEER_CERT.

See
https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#C...
Although that documentation is just from me reading the source.

Cast will also eventually want to actually verify the certificate, so we'll
probably need to route in some ClientCertVerifier interface eventually. But for
now it can just blindly accept all certs.

[svaldez, 2015/10/13 20:54:43]

This is for the tests that check to see if the server requests a client cert.
The mass ETS migration hasn't migrated the tests that actually complete the
Client Cert procedures, since that deals with enough SSL internals that I
decided to put it off until the main migration has been completed.

+
   ssl_ = SSL_new(ssl_ctx.get());
   if (!ssl_)
     return ERR_UNEXPECTED;
 
   BIO* ssl_bio = NULL;
   // 0 => use default buffer sizes.
   if (!BIO_new_bio_pair(&ssl_bio, 0, &transport_bio_, 0))
     return ERR_UNEXPECTED;
   DCHECK(ssl_bio);
   DCHECK(transport_bio_);
@@ skipping 47 matching lines @@
   SSL_clear_options(ssl_, options.clear_mask);
 
   // Same as above, this time for the SSL mode.
   SslSetClearMask mode;
 
   mode.ConfigureFlag(SSL_MODE_RELEASE_BUFFERS, true);
 
   SSL_set_mode(ssl_, mode.set_mask);
   SSL_clear_mode(ssl_, mode.clear_mask);
 
-  // See SSLConfig::disabled_cipher_suites for description of the suites
+  // See SSLServerConfig::disabled_cipher_suites for description of the suites
   // disabled by default. Note that !SHA256 and !SHA384 only remove HMAC-SHA256
   // and HMAC-SHA384 cipher suites, not GCM cipher suites with SHA256 or SHA384
   // as the handshake hash.
   std::string command("DEFAULT:!SHA256:!SHA384:!AESGCM+AES256:!aPSK");
 
   if (ssl_config_.require_ecdhe)
     command.append(":!kRSA:!kDHE");
 
   // Remove any disabled ciphers.
   for (uint16_t id : ssl_config_.disabled_cipher_suites) {
     const SSL_CIPHER* cipher = SSL_get_cipher_by_value(id);
     if (cipher) {
       command.append(":!");
       command.append(SSL_CIPHER_get_name(cipher));
     }
   }
 
   int rv = SSL_set_cipher_list(ssl_, command.c_str());
   // If this fails (rv = 0) it means there are no ciphers enabled on this SSL.
   // This will almost certainly result in the socket failing to complete the
   // handshake at which point the appropriate error is bubbled up to the client.
   LOG_IF(WARNING, rv != 1) << "SSL_set_cipher_list('" << command
                            << "') returned " << rv;
 
   return OK;
 }
 
 }  // namespace net