in libminifi/src/controllers/SSLContextService.cpp [88:142]
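/**
 * Applies this service's own certificate, trust anchors and TLS protocol
 * bounds to an OpenSSL context.
 *
 * @param raw_ctx an SSL_CTX* handed over as void*; it is cast back here.
 * @return true when every requested setting was applied; false on the first
 *         failure, after logging the latest OpenSSL error string.
 *
 * A minimum/maximum TLS version of -1 means "not configured": the
 * corresponding OpenSSL call is skipped and the library default applies.
 */
bool SSLContextServiceImpl::configure_ssl_context(void* raw_ctx) {
  auto* const ctx = static_cast<SSL_CTX*>(raw_ctx);

  // Own certificate + private key; PKCS#12 and PEM go through separate loaders.
  if (!certificate_.empty()) {
    const bool loaded = isFileTypeP12(certificate_)
        ? addP12CertificateToSSLContext(ctx)
        : addPemCertificateToSSLContext(ctx);
    if (!loaded) {
      return false;
    }
    // A key that does not belong to the loaded certificate would otherwise only
    // surface as an opaque handshake failure; reject it here with a clear message.
    if (!SSL_CTX_check_private_key(ctx)) {
      logger_->log_error("Private key does not match the public certificate, {}", getLatestOpenSSLErrorString());
      return false;
    }
  }

  // Peer verification is always on; if none of the trust-anchor steps below
  // load anything, verification has no anchors and cannot succeed.
  SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, nullptr);

  if (!ca_certificate_.empty()) {
    if (SSL_CTX_load_verify_locations(ctx, ca_certificate_.string().c_str(), nullptr) == 0) {
      logger_->log_error("Cannot load CA certificate, exiting, {}", getLatestOpenSSLErrorString());
      return false;
    }
  }

  // The system store is only consulted for what was not configured explicitly.
  if (use_system_cert_store_ && certificate_.empty()) {
    if (!addClientCertificateFromSystemStoreToSSLContext(ctx)) {
      return false;
    }
  }
  if (use_system_cert_store_ && ca_certificate_.empty()) {
    if (!addServerCertificatesFromSystemStoreToSSLContext(ctx)) {
      return false;
    }
  }

  // Security level set to 0 for backwards compatibility to support TLS versions below v1.2.
  // Note that level 0 relaxes all of OpenSSL's minimums (key sizes, ciphers), not only the
  // protocol floor, so it is applied only when a pre-1.2 bound was explicitly requested.
  const bool min_below_1_2 = minimum_tls_version_ != -1 && minimum_tls_version_ < TLS1_2_VERSION;
  const bool max_below_1_2 = maximum_tls_version_ != -1 && maximum_tls_version_ < TLS1_2_VERSION;
  if (min_below_1_2 || max_below_1_2) {
    SSL_CTX_set_security_level(ctx, 0);
  }

  // Both setters return 0 when the requested version is unsupported; silently
  // continuing would leave the library default bounds in place, so fail instead.
  if (minimum_tls_version_ != -1 && SSL_CTX_set_min_proto_version(ctx, minimum_tls_version_) == 0) {
    logger_->log_error("Cannot set minimum TLS protocol version {}, {}", minimum_tls_version_, getLatestOpenSSLErrorString());
    return false;
  }
  if (maximum_tls_version_ != -1 && SSL_CTX_set_max_proto_version(ctx, maximum_tls_version_) == 0) {
    logger_->log_error("Cannot set maximum TLS protocol version {}, {}", maximum_tls_version_, getLatestOpenSSLErrorString());
    return false;
  }
  return true;
}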