Be more flexible in the way we accept certificate chains.

src/cpp/ripple/PeerDoor.cpp

@@ -59,4 +59,68 @@ void PeerDoor::handleConnect(Peer::pointer new_connection,
 	startListening();
 }
 
+void initSSLContext(boost::asio::ssl::context& context,
+	std::string key_file, std::string cert_file, std::string chain_file)
+{
+	SSL_CTX* sslContext = context.native_handle();
+
+	context.set_options(boost::asio::ssl::context::default_workarounds |
+		boost::asio::ssl::context::no_sslv2 |
+		boost::asio::ssl::context::single_dh_use);
+
+	bool cert_set = false;
+
+	if (!cert_file.empty())
+	{
+		boost::system::error_code error;
+		context.use_certificate_file(cert_file, boost::asio::ssl::context::pem, error);
+		if (error)
+			throw std::runtime_error("Unable to use certificate file");
+		cert_set = true;
+	}
+
+	if (!chain_file.empty())
+	{
+		FILE *f = fopen(chain_file.c_str(), "r");
+		if (!f)
+			throw std::runtime_error("Unable to open chain file");
+		try
+		{
+			while (true)
+			{
+				X509 *x = PEM_read_X509(f, NULL, NULL, NULL);
+				if (x == NULL)
+					break;
+				if (!cert_set)
+				{
+					if (SSL_CTX_use_certificate(sslContext, x) != 1)
+						throw std::runtime_error("Unable to get certificate from chain file");
+					cert_set = true;
+				}
+				else if (SSL_CTX_add_extra_chain_cert(sslContext, x) != 1)
+				{
+					X509_free(x);
+					throw std::runtime_error("Unable to add chain certificate");
+				}
+			}
+		}
+		catch (...)
+		{
+			fclose(f);
+			throw;
+		}
+	}
+
+	if (!key_file.empty())
+	{
+		boost::system::error_code error;
+		context.use_private_key_file(key_file, boost::asio::ssl::context::pem, error);
+		if (error)
+			throw std::runtime_error("Unable to use private key file");
+	}
+
+	if (SSL_CTX_check_private_key(sslContext) != 1)
+		throw std::runtime_error("Private key not valid");
+}
+
 // vim:ts=4

src/cpp/ripple/WSHandler.h

@@ -5,6 +5,9 @@
 #include "Config.h"
 #include "Log.h"
 
+extern void initSSLContext(boost::asio::ssl::context& context,
+	std::string key_file, std::string cert_file, std::string chain_file);
+
 template <typename endpoint_type>
 class WSConnection;
 
@@ -134,49 +137,8 @@ public:
 			// create a tls context, init, and return.
 			boost::shared_ptr<boost::asio::ssl::context> context(new boost::asio::ssl::context(boost::asio::ssl::context::tlsv1));
 			try {
-				context->set_options(boost::asio::ssl::context::default_workarounds |
+				initSSLContext(*context, theConfig.WEBSOCKET_SSL_KEY,
-					boost::asio::ssl::context::no_sslv2 |
+					theConfig.WEBSOCKET_SSL_CERT, theConfig.WEBSOCKET_SSL_CHAIN);
-					boost::asio::ssl::context::single_dh_use);
-//				context->set_password_callback(boost::bind(&type::get_password, this));
-				if (!theConfig.WEBSOCKET_SSL_CERT.empty())
-				{
-					boost::system::error_code error;
-					context->use_certificate_file(theConfig.WEBSOCKET_SSL_CERT, boost::asio::ssl::context::pem, error);
-					if (error)
-					{
-						Log(lsFATAL) << "Unable to set certificate: " << error;
-						assert(false);
-					}
-					else Log(lsINFO) << "cert set";
-				}
-				if (!theConfig.WEBSOCKET_SSL_CHAIN.empty())
-				{
-					boost::system::error_code error;
-					context->use_certificate_chain_file(theConfig.WEBSOCKET_SSL_CHAIN, error);
-					if (error)
-					{
-						Log(lsFATAL) << "Unable to set certificate chain: " << error;
-						assert(false);
-					}
-					else Log(lsINFO) << "chain set";
-				}
-				if (!theConfig.WEBSOCKET_SSL_KEY.empty())
-				{
-					boost::system::error_code error;
-					context->use_private_key_file(theConfig.WEBSOCKET_SSL_KEY, boost::asio::ssl::context::pem, error);
-					if (error)
-					{
-						Log(lsFATAL) << "Unable to set private key: " << error;
-						assert(false);
-					}
-					else Log(lsINFO) << "key set";
-				}
-				if (SSL_CTX_check_private_key(context->native_handle()) != 1)
-				{
-					Log(lsFATAL) << "private key not valid";
-					assert(false);
-				}
-				//context->use_tmp_dh_file("../../src/ssl/dh512.pem");
 			} catch (std::exception& e) {
 				std::cout << e.what() << std::endl;
 			}