Detailed Description
Holds certificates and keys.
Typically, credentials are shared for multiple client/server sessions. Changes to the credentials object will affect all sessions instantiated with it. You should probably set it up once, before starting client/server connections.
#include <seastar/net/tls.hh>
Public Member Functions | |
| certificate_credentials (certificate_credentials &&) noexcept | |
| certificate_credentials & | operator= (certificate_credentials &&) noexcept |
| certificate_credentials (const certificate_credentials &)=delete | |
| certificate_credentials & | operator= (const certificate_credentials &)=delete |
| void | set_x509_trust (const blob &, x509_crt_format) override |
| void | set_x509_crl (const blob &, x509_crt_format) override |
| void | set_x509_key (const blob &cert, const blob &key, x509_crt_format) override |
| void | set_simple_pkcs12 (const blob &, x509_crt_format, const sstring &password) override |
| future | set_system_trust () |
| void | set_priority_string (const sstring &) |
| void | set_dn_verification_callback (dn_callback) |
| void | set_enable_certificate_verification (bool enable) |
| virtual future | set_x509_trust_file (const sstring &cafile, x509_crt_format) |
| virtual future | set_x509_crl_file (const sstring &crlfile, x509_crt_format) |
| virtual future | set_x509_key_file (const sstring &cf, const sstring &kf, x509_crt_format) |
| virtual future | set_simple_pkcs12_file (const sstring &pkcs12file, x509_crt_format, const sstring &password) |
Member Function Documentation
◆ set_dn_verification_callback()
| void seastar::tls::certificate_credentials::set_dn_verification_callback | ( | dn_callback | ) |
Register a callback for receiving Distinguished Name (DN) information during the TLS handshake, extracted from the certificate as sent by the peer.
The callback is not invoked in case the peer did not send a certificate. (This could e.g. happen when we are the server, and a client connects while client_auth is not set to REQUIRE.)
If, based upon the extracted DN information, you want to abort the handshake, then simply throw an exception (e.g., from the callback) like verification_error.
Registering this callback does not bypass the 'standard' certificate verification procedure; instead it merely extracts the DN information from the peer certificate (i.e., the 'leaf' certificate from the chain of certificates sent by the peer) and allows for extra checks.
To keep the API simple, you can unregister the callback by means of registering an empty callback, i.e. dn_callback{}
The callback prototype is documented in the dn_callback typedef.
◆ set_enable_certificate_verification()
| void seastar::tls::certificate_credentials::set_enable_certificate_verification | ( | bool | enable | ) |
Optional override to disable certificate verification
◆ set_priority_string()
| void seastar::tls::certificate_credentials::set_priority_string | ( | const sstring & | ) |
TLS handshake priority string. See gnutls docs and syntax at https://gnutls.org/manual/html_node/Priority-Strings.html
Allows specifying order and allowance for handshake alg.
◆ set_simple_pkcs12()
|
overridevirtual |
Implements seastar::tls::abstract_credentials.
◆ set_system_trust()
| future seastar::tls::certificate_credentials::set_system_trust | ( | ) |
Loads default system cert trust file into this object.
◆ set_x509_crl()
|
overridevirtual |
Implements seastar::tls::abstract_credentials.
◆ set_x509_key()
|
overridevirtual |
Implements seastar::tls::abstract_credentials.
◆ set_x509_trust()
|
overridevirtual |
Implements seastar::tls::abstract_credentials.
The documentation for this class was generated from the following file:
- seastar/net/tls.hh
