2 * Copyright (c) 2015, Facebook, Inc.
5 * This source code is licensed under the BSD-style license found in the
6 * LICENSE file in the root directory of this source tree. An additional grant
7 * of patent rights can be found in the PATENTS file in the same directory.
13 #include <folly/io/async/SSLContext.h>
17 * SSLContextConfig helps to describe the configs/options for
18 * an SSL_CTX. For example:
20 * 1. Filename of X509, private key and its password.
23 * 4. Is session cache enabled?
24 * 5. Is it the default X509 in SNI operation?
25 * 6. .... and a few more
29 struct SSLContextConfig {
// The members shown here own no raw resource, so the implicit member
// destructors do all the work; the destructor is only spelled out to keep it
// user-declared. Caveat: any user-declared destructor suppresses the implicit
// move constructor/assignment, so an SSLContextConfig is copied where a
// caller might expect a move.
~SSLContextConfig() = default;
// One certificate entry: file paths for the X509 certificate, its private key
// and the file holding the key's passphrase (see the header comment: "Filename
// of X509, private key and its password"). Members are aggregate-initialised
// in the order {certPath, keyPath, passwordPath} by addCertificate().
33 struct CertificateInfo {
// Path to the file containing the private-key passphrase, not the passphrase
// itself. NOTE(review): that file is as sensitive as the key file — confirm
// its permissions wherever a deployment writes it.
36 std::string passwordPath;
40 * Helpers to set/add a certificate
// Sets the certificate this context serves. As shown here it delegates to
// addCertificate(). NOTE(review): a "set" is normally expected to replace any
// previously added entries — confirm that `certificates` is cleared before the
// add, otherwise this is just another append and the first entry wins.
42 void setCertificate(const std::string& certPath,
43 const std::string& keyPath,
44 const std::string& passwordPath) {
46 addCertificate(certPath, keyPath, passwordPath);
// Appends one certificate / private-key / passphrase-file triple to
// `certificates`. Several entries may be added; insertion order is preserved.
49 void addCertificate(const std::string& certPath,
50 const std::string& keyPath,
51 const std::string& passwordPath) {
// Aggregate-initialised in CertificateInfo's member order:
// {certPath, keyPath, passwordPath}.
52 certificates.emplace_back(CertificateInfo{certPath, keyPath, passwordPath});
56 * Set the optional list of protocols to advertise via TLS
57 * Next Protocol Negotiation. An empty list means NPN is not enabled.
// Replaces the advertised NPN list with a single weighted entry (weight 1)
// holding all of inNextProtocols. Per the comment above, an empty list means
// NPN is not enabled. NOTE(review): NPN has been superseded by ALPN
// (RFC 7301); confirm whether ALPN is configured elsewhere for this context.
59 void setNextProtocols(const std::list<std::string>& inNextProtocols) {
// Drop any previously configured weighted entries first.
60 nextProtocols.clear();
61 nextProtocols.push_back({1, inNextProtocols});
// Callback invoked when a ClientHello's SNI server name matches none of the
// configured certificates (see `sniNoMatchFn` below). It receives the raw
// server name; what the caller does with the bool result is decided by the
// code that invokes it, which is not visible here.
using SNINoMatchFn = std::function<bool(char const* server_name)>;
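// Certificates served by this context, in the order added via
// addCertificate(); each entry names a cert file, a key file and a passphrase
// file.
std::vector<CertificateInfo> certificates;
// Minimum protocol version. TLSv1 admits TLS 1.0, which is deprecated
// (RFC 8996). NOTE(review): raise this floor where the SSLVersion enum offers
// a newer value and the client population allows it.
folly::SSLContext::SSLVersion sslVersion{
    folly::SSLContext::TLSv1};
// Server-side session cache enabled by default.
bool sessionCacheEnabled{true};
// Session tickets (RFC 5077) enabled by default. Caveat: the ticket key
// (managed elsewhere, not here) must be kept secret and rotated — whoever
// holds it can decrypt resumed sessions.
bool sessionTicketEnabled{true};
// Enables ClientHello parsing; what is extracted is decided in SSLContext,
// not here.
bool clientHelloParsingEnabled{false};
// Default OpenSSL cipher list, strongest first: ECDHE (forward secrecy) with
// AES-GCM, then ECDHE with AES-CBC, then plain RSA key exchange with AES.
// The RC4 suites (prohibited for TLS by RFC 7465; historically kept as a BEAST
// workaround for TLS 1.0 clients) and the 3DES suites (64-bit block, Sweet32)
// have been removed from this default. A deployment that must still talk to
// such legacy clients can set sslCiphers explicitly.
std::string sslCiphers{
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA"};
// Named curve for ECDHE; empty presumably leaves the library default — confirm
// in SSLContext.
std::string eccCurveName;
// Ciphers to negotiate if TLS version >= 1.1. Empty (the default) presumably
// means sslCiphers applies at every version — confirm in SSLContext.
std::string tls11Ciphers{""};
// Weighted lists of NPN strings to advertise (see setNextProtocols()).
std::list<folly::SSLContext::NextProtocolsItem>
    nextProtocols;
// Presumably whether the private key is present on this host rather than held
// by an external signer; the consumer of this flag is not visible here.
bool isLocalPrivateKey{true};
// Should this SSLContextConfig be the default for SNI purposes
bool isDefault{false};
// Callback function to invoke when there are no matching certificates
// (will only be invoked once)
SNINoMatchFn sniNoMatchFn;
// File containing trusted CA's to validate client certificates. Keep it to the
// CAs actually expected to issue client identities: any CA listed here can
// mint a certificate this context will accept.
std::string clientCAFile;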