Summary: Added support for switching SSLContexts based on the signature_algorithms
extension.
This diff does not currently include any logic for determining which certs use
SHA1 or not.
Some thoughts:
- This is a little scary since it defaults to SHA1 (assuming the client can't support
SHA256 if we don't see SHA256 specifically in the hello extension). We need to
be 100% sure that all clients that are going to reject SHA1 are sending this,
and that we identify it correctly.
- We should add logging to see when we think a client needs SHA1, when we
actually give SHA1, etc. I'm not sure what the best way to do this is with our
logging infrastructure.
- This is not set up to serve any SHA1 certs to SHA256-supporting clients.
Reviewed By: @siyengar
Differential Revision: D2408773
fb-gh-sync-id: 48ad9cdfaae25e144c0964b9bfb1c342b137ffca
return (ssl_ != nullptr) ? SSL_version(ssl_) : 0;
}
+const char *AsyncSSLSocket::getSSLCertSigAlgName() const {
+ X509 *cert = (ssl_ != nullptr) ? SSL_get_certificate(ssl_) : nullptr;
+ if (cert) {
+ int nid = OBJ_obj2nid(cert->sig_alg->algorithm);
+ return OBJ_nid2ln(nid);
+ }
+ return nullptr;
+}
+
int AsyncSSLSocket::getSSLCertSize() const {
int certSize = 0;
X509 *cert = (ssl_ != nullptr) ? SSL_get_certificate(ssl_) : nullptr;
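Review bot: getSSLCertSigAlgName() returns nullptr both when ssl_ is null and when no certificate is set, and nothing in the added function documents that, so a caller that passes the result straight to a logging or string-formatting call will dereference null. Please add a comment on the declaration stating the nullptr return, or return a fixed placeholder string instead. The line `int nid = OBJ_obj2nid(cert->sig_alg->algorithm);` also reaches into the X509 struct without checking cert->sig_alg; X509_get_signature_nid(cert), where the OpenSSL version in use provides it, gives the same NID without depending on the struct layout. Since the commit message is concerned with telling SHA1 from SHA256 certificates, consider exposing the NID itself as well, so callers compare an integer rather than matching on the long name.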