Seastar
High performance C++ framework for concurrent servers
|
Extending certificates and keys for server usage. More probably goes in here...
#include <seastar/net/tls.hh>
Public Member Functions | |
server_credentials (shared_ptr< dh_params >) | |
server_credentials (const dh_params &) | |
server_credentials (server_credentials &&) noexcept | |
server_credentials & | operator= (server_credentials &&) noexcept |
server_credentials (const server_credentials &)=delete | |
server_credentials & | operator= (const server_credentials &)=delete |
void | set_client_auth (client_auth) |
void | set_x509_trust (const blob &, x509_crt_format) override |
void | set_x509_crl (const blob &, x509_crt_format) override |
void | set_x509_key (const blob &cert, const blob &key, x509_crt_format) override |
void | set_simple_pkcs12 (const blob &, x509_crt_format, const sstring &password) override |
future | set_system_trust () |
void | set_priority_string (const sstring &) |
void | set_dn_verification_callback (dn_callback) |
virtual future | set_x509_trust_file (const sstring &cafile, x509_crt_format) |
virtual future | set_x509_crl_file (const sstring &crlfile, x509_crt_format) |
virtual future | set_x509_key_file (const sstring &cf, const sstring &kf, x509_crt_format) |
virtual future | set_simple_pkcs12_file (const sstring &pkcs12file, x509_crt_format, const sstring &password) |
|
inherited |
Register a callback for receiving Distinguished Name (DN) information during the TLS handshake, extracted from the certificate as sent by the peer.
The callback is not invoked in case the peer did not send a certificate. (This could e.g. happen when we are the server, and a client connects while client_auth is not set to REQUIRE.)
If, based upon the extracted DN information, you want to abort the handshake, then simply throw an exception (e.g., from the callback) like verification_error.
Registering this callback does not bypass the 'standard' certificate verification procedure; instead it merely extracts the DN information from the peer certificate (i.e., the 'leaf' certificate from the chain of certificates sent by the peer) and allows for extra checks.
To keep the API simple, you can unregister the callback by means of registering an empty callback, i.e. dn_callback{}
The callback prototype is documented in the dn_callback typedef.
|
inherited |
TLS handshake priority string. See gnutls docs and syntax at https://gnutls.org/manual/html_node/Priority-Strings.html
Allows specifying order and allowance for handshake alg.
|
inherited |
Loads default system cert trust file into this object.