Merge pull request #474 from klickverbot/ssl

SSL client certificate support
vibe-d · Jan 21, 2014 · 7fcb4e6 · 7fcb4e6
2 parents a4af111 + 1f23d8d
commit 7fcb4e6
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 8 deletions.
diff --git a/source/vibe/http/server.d b/source/vibe/http/server.d
@@ -390,11 +390,7 @@ class HTTPServerSettings {
 	/// Sets a custom handler for displaying error pages for HTTP errors
 	HTTPServerErrorPageHandler errorPageHandler = null;
 
-	/** If set, a HTTPS server will be started instead of plain HTTP
-
-		Please use sslContext in new code instead of setting the key/cert file. Those fileds
-		will be deprecated at some point.
-	*/
+	/// If set, a HTTPS server will be started instead of plain HTTP.
 	SSLContext sslContext;
 
 	/// Session management is enabled if a session store instance is provided
@@ -426,7 +422,6 @@ class HTTPServerSettings {
 		auto ret = new HTTPServerSettings;
 		foreach (mem; __traits(allMembers, HTTPServerSettings)) {
 			static if (mem == "bindAddresses") ret.bindAddresses = bindAddresses.dup;
-			else static if (mem == "sslCertFile" || mem == "sslKeyFile") {}
 			else static if (__traits(compiles, __traits(getMember, ret, mem) = __traits(getMember, this, mem)))
 				__traits(getMember, ret, mem) = __traits(getMember, this, mem);
 		}

diff --git a/source/vibe/stream/ssl.d b/source/vibe/stream/ssl.d
@@ -354,10 +354,50 @@ class SSLContext {
 		enforce(SSL_CTX_use_certificate_chain_file(m_ctx, toStringz(path)), "Failed to load certificate file " ~ path);
 	}
 
-	/// Sets a certificate file to use for negotiating the excryption
+	/// Sets the private key to use for authenticating to the remote peer based
+	/// on the configured certificate chain file.
 	void usePrivateKeyFile(string path)
 	{
-		enforce(SSL_CTX_use_PrivateKey_file(m_ctx, toStringz(path), SSL_FILETYPE_PEM), "Failed to load certificate file " ~ path);
+		enforce(SSL_CTX_use_PrivateKey_file(m_ctx, toStringz(path), SSL_FILETYPE_PEM), "Failed to load private key file " ~ path);
+	}
+
+	/// Sets the list of certificates to considers trusted when verifying the
+	/// certificate presented by the peer.
+	///
+	/// If this is a server context, this also entails that the given
+	/// certificates are advertised to connecting clients during handshake.
+	void useTrustedCertificateFile(string path)
+	{
+		immutable cPath = toStringz(path);
+		enforce(SSL_CTX_load_verify_locations(m_ctx, cPath, null),
+			"Failed to load trusted certificate file " ~ path);
+
+		if (m_kind == SSLContextKind.server) {
+			auto certNames = enforce(SSL_load_client_CA_file(cPath),
+				"Failed to load client CA name list from file " ~ path);
+			SSL_CTX_set_client_CA_list(m_ctx, certNames);
+		}
+	}
+
+	/// Whether to verify that the certificate presented by the peer has been
+	/// signed by a trusted entity.
+	///
+	/// Defaults to no.
+	///
+	/// $(RED Important Note:) Currently, it is not verified whether the peer
+	/// certificate contains a host name/IP address matching the connection
+	/// information. In short, this means that peer verification does not
+	/// protect against man-in-the-middle attacks yet (if the attacker can
+	/// present any valid certificate).
+	void verifyPeer(bool required) @property {
+		int mode;
+		if (required) {
+			mode = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT |
+				SSL_VERIFY_CLIENT_ONCE;
+		} else {
+			mode = SSL_VERIFY_NONE;
+		}
+		SSL_CTX_set_verify(m_ctx, mode, null);
 	}
 
 	/// Creates an SSL client context usable for a concrete SSLStream.