+ if (crlfile.empty() && crlpath.empty())
+ return;
+
+ /* Set CRL mode */
+ unsigned long crlflags = X509_V_FLAG_CRL_CHECK;
+ if (crlmode == "chain")
+ {
+ crlflags |= X509_V_FLAG_CRL_CHECK_ALL;
+ }
+ else if (crlmode != "leaf")
+ {
+ throw ModuleException("Unknown mode '" + crlmode + "'; expected either 'chain' (default) or 'leaf'");
+ }
+
+ /* Load CRL files */
+ X509_STORE* store = SSL_CTX_get_cert_store(ctx);
+ if (!store)
+ {
+ throw ModuleException("Unable to get X509_STORE from SSL context; this should never happen");
+ }
+ ERR_clear_error();
+ if (!X509_STORE_load_locations(store,
+ crlfile.empty() ? NULL : crlfile.c_str(),
+ crlpath.empty() ? NULL : crlpath.c_str()))
+ {
+ int err = ERR_get_error();
+ throw ModuleException("Unable to load CRL file '" + crlfile + "' or CRL path '" + crlpath + "': '" + (err ? ERR_error_string(err, NULL) : "unknown") + "'");
+ }
+
+ /* Set CRL mode */
+ if (X509_STORE_set_flags(store, crlflags) != 1)
+ {
+ throw ModuleException("Unable to set X509 CRL flags");
+ }
+ }
+
+
+ long GetDefaultContextOptions() const
+ {
+ return ctx_options;
+ }
+
+ long SetRawContextOptions(long setoptions, long clearoptions)
+ {
+ // Clear everything
+ SSL_CTX_clear_options(ctx, SSL_CTX_get_options(ctx));
+
+ // Set the default options and what is in the conf
+ SSL_CTX_set_options(ctx, ctx_options | setoptions);
+ return SSL_CTX_clear_options(ctx, clearoptions);
+ }
+
+ void SetVerifyCert()
+ {
+ SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, OnVerify);
+ }
+
+ SSL* CreateServerSession()
+ {
+ SSL* sess = SSL_new(ctx);
+ SSL_set_accept_state(sess); // Act as server
+ return sess;
+ }
+
+ SSL* CreateClientSession()
+ {
+ SSL* sess = SSL_new(ctx);
+ SSL_set_connect_state(sess); // Act as client
+ return sess;