IXWebSocket/ixwebsocket/IXSocketTLSOptions.h

/*
 *  IXSocketTLSOptions.h
 *  Author: Matt DeBoer
 *  Copyright (c) 2019 Machine Zone, Inc. All rights reserved.
 */

#pragma once

#include <string>

namespace ix
{
    struct SocketTLSOptions
    {
    public:
        // check validity of the object
        bool isValid() const;

        // the certificate presented to peers
        std::string certFile;

        // the key used for signing/encryption
        std::string keyFile;

        // the ca certificate (or certificate bundle) file containing
        // certificates to be trusted by peers; use 'SYSTEM' to
        // leverage the system defaults, use 'NONE' to disable peer verification
        std::string caFile = "SYSTEM";

        // list of ciphers (rsa, etc...)
        std::string ciphers = "DEFAULT";

        // whether tls is enabled, used for server code
        bool tls = false;

        // whether to skip validating the peer's hostname against the certificate presented
        bool disable_hostname_validation = false;

        bool hasCertAndKey() const;

        bool isUsingSystemDefaults() const;

        bool isUsingInMemoryCAs() const;

        bool isPeerVerifyDisabled() const;

        bool isUsingDefaultCiphers() const;

        const std::string& getErrorMsg() const;

        std::string getDescription() const;

    private:
        mutable std::string _errMsg;
        mutable bool _validated = false;
    };
} // namespace ix
WIP: support configurable certificates/keys, and root trust CAs (#114) * wip: tls options implemented in openssl * update naming, remove #define guard * assert compiled with USE_TLS for tls options * apply autoformatter * include tls options impl * style cleanup; auto ssl_err * ssl_err -> sslErr * be explicit about SSL_VERIFY_NONE 2019-09-22 18:06:15 -07:00			`/*`
			`* IXSocketTLSOptions.h`
SocketTLSOptions: more methods (contributed by Matt DeBoer) 2019-09-29 17:35:18 -07:00			`* Author: Matt DeBoer`
			`* Copyright (c) 2019 Machine Zone, Inc. All rights reserved.`
WIP: support configurable certificates/keys, and root trust CAs (#114) * wip: tls options implemented in openssl * update naming, remove #define guard * assert compiled with USE_TLS for tls options * apply autoformatter * include tls options impl * style cleanup; auto ssl_err * ssl_err -> sslErr * be explicit about SSL_VERIFY_NONE 2019-09-22 18:06:15 -07:00			`*/`

			`#pragma once`

			`#include <string>`

			`namespace ix`
			`{`
			`struct SocketTLSOptions`
			`{`
SocketTLSOptions: more methods (contributed by Matt DeBoer) 2019-09-29 17:35:18 -07:00			`public:`
			`// check validity of the object`
			`bool isValid() const;`
WIP: support configurable certificates/keys, and root trust CAs (#114) * wip: tls options implemented in openssl * update naming, remove #define guard * assert compiled with USE_TLS for tls options * apply autoformatter * include tls options impl * style cleanup; auto ssl_err * ssl_err -> sslErr * be explicit about SSL_VERIFY_NONE 2019-09-22 18:06:15 -07:00
			`// the certificate presented to peers`
			`std::string certFile;`
Add --tls option to pass to ws server command, to enable/disable tls 2019-10-01 13:54:46 -07:00
WIP: support configurable certificates/keys, and root trust CAs (#114) * wip: tls options implemented in openssl * update naming, remove #define guard * assert compiled with USE_TLS for tls options * apply autoformatter * include tls options impl * style cleanup; auto ssl_err * ssl_err -> sslErr * be explicit about SSL_VERIFY_NONE 2019-09-22 18:06:15 -07:00			`// the key used for signing/encryption`
			`std::string keyFile;`
Add --tls option to pass to ws server command, to enable/disable tls 2019-10-01 13:54:46 -07:00
reformat everything with clang-format 2019-09-23 10:25:23 -07:00			`// the ca certificate (or certificate bundle) file containing`
WIP: support configurable certificates/keys, and root trust CAs (#114) * wip: tls options implemented in openssl * update naming, remove #define guard * assert compiled with USE_TLS for tls options * apply autoformatter * include tls options impl * style cleanup; auto ssl_err * ssl_err -> sslErr * be explicit about SSL_VERIFY_NONE 2019-09-22 18:06:15 -07:00			`// certificates to be trusted by peers; use 'SYSTEM' to`
			`// leverage the system defaults, use 'NONE' to disable peer verification`
			`std::string caFile = "SYSTEM";`

Add --tls option to pass to ws server command, to enable/disable tls 2019-10-01 13:54:46 -07:00			`// list of ciphers (rsa, etc...)`
SocketTLSOptions: more methods (contributed by Matt DeBoer) 2019-09-29 17:35:18 -07:00			`std::string ciphers = "DEFAULT";`

Add --tls option to pass to ws server command, to enable/disable tls 2019-10-01 13:54:46 -07:00			`// whether tls is enabled, used for server code`
			`bool tls = false;`

Add option to disable hostname check (#399) * Suppress compiler warnings about unused elements. * Enable CMake's compilation database. * Add TLS option to disable checking a certificate's host name. * Add `--disable-hostname-validation` to `ws`. * Add test for disabling hostname validation. 2022-10-12 15:41:32 +02:00			`// whether to skip validating the peer's hostname against the certificate presented`
			`bool disable_hostname_validation = false;`

SocketTLSOptions: more methods (contributed by Matt DeBoer) 2019-09-29 17:35:18 -07:00			`bool hasCertAndKey() const;`
WIP: support configurable certificates/keys, and root trust CAs (#114) * wip: tls options implemented in openssl * update naming, remove #define guard * assert compiled with USE_TLS for tls options * apply autoformatter * include tls options impl * style cleanup; auto ssl_err * ssl_err -> sslErr * be explicit about SSL_VERIFY_NONE 2019-09-22 18:06:15 -07:00
			`bool isUsingSystemDefaults() const;`
clang-format 2020-04-24 15:34:00 -07:00
Implement API for adding custom roots via a string (#178) * Implement API for adding custom roots via a string. SocketTLSOptions API design needs work, but the IXSocketOpenSSL implementation feels good to me. * Improve API design for specifying roots from memory. * Add in-memory root CAs mbedtls implementation. * Fix bug in newer versions of OpenSSL with in-memory certificate handling. 2020-04-24 18:32:11 -04:00			`bool isUsingInMemoryCAs() const;`
WIP: support configurable certificates/keys, and root trust CAs (#114) * wip: tls options implemented in openssl * update naming, remove #define guard * assert compiled with USE_TLS for tls options * apply autoformatter * include tls options impl * style cleanup; auto ssl_err * ssl_err -> sslErr * be explicit about SSL_VERIFY_NONE 2019-09-22 18:06:15 -07:00
			`bool isPeerVerifyDisabled() const;`
SocketTLSOptions: more methods (contributed by Matt DeBoer) 2019-09-29 17:35:18 -07:00
			`bool isUsingDefaultCiphers() const;`

			`const std::string& getErrorMsg() const;`

(tls) add a simple description of the TLS configuration routine for debugging 2019-12-20 15:18:04 -08:00			`std::string getDescription() const;`

SocketTLSOptions: more methods (contributed by Matt DeBoer) 2019-09-29 17:35:18 -07:00			`private:`
			`mutable std::string _errMsg;`
(tls options client) TLSOptions struct _validated member should be initialized to false 2019-12-17 14:10:28 -08:00			`mutable bool _validated = false;`
WIP: support configurable certificates/keys, and root trust CAs (#114) * wip: tls options implemented in openssl * update naming, remove #define guard * assert compiled with USE_TLS for tls options * apply autoformatter * include tls options impl * style cleanup; auto ssl_err * ssl_err -> sslErr * be explicit about SSL_VERIFY_NONE 2019-09-22 18:06:15 -07:00			`};`
			`} // namespace ix`