Be more flexible in the way we accept certificate chains.

src/cpp/ripple/PeerDoor.cpp

@@ -59,4 +59,68 @@ void PeerDoor::handleConnect(Peer::pointer new_connection,
 	startListening();
 }
 
+void initSSLContext(boost::asio::ssl::context& context,
+	std::string key_file, std::string cert_file, std::string chain_file)
+{
+	SSL_CTX* sslContext = context.native_handle();
+
+	context.set_options(boost::asio::ssl::context::default_workarounds |
+		boost::asio::ssl::context::no_sslv2 |
+		boost::asio::ssl::context::single_dh_use);
+
+	bool cert_set = false;
+
+	if (!cert_file.empty())
+	{
+		boost::system::error_code error;
+		context.use_certificate_file(cert_file, boost::asio::ssl::context::pem, error);
+		if (error)
+			throw std::runtime_error("Unable to use certificate file");
+		cert_set = true;
+	}
+
+	if (!chain_file.empty())
+	{
+		FILE *f = fopen(chain_file.c_str(), "r");
+		if (!f)
+			throw std::runtime_error("Unable to open chain file");
+		try
+		{
+			while (true)
+			{
+				X509 *x = PEM_read_X509(f, NULL, NULL, NULL);
+				if (x == NULL)
+					break;
+				if (!cert_set)
+				{
+					if (SSL_CTX_use_certificate(sslContext, x) != 1)
+						throw std::runtime_error("Unable to get certificate from chain file");
+					cert_set = true;
+				}
+				else if (SSL_CTX_add_extra_chain_cert(sslContext, x) != 1)
+				{
+					X509_free(x);
+					throw std::runtime_error("Unable to add chain certificate");
+				}
+			}
+		}
+		catch (...)
+		{
+			fclose(f);
+			throw;
+		}
+	}
+
+	if (!key_file.empty())
+	{
+		boost::system::error_code error;
+		context.use_private_key_file(key_file, boost::asio::ssl::context::pem, error);
+		if (error)
+			throw std::runtime_error("Unable to use private key file");
+	}
+
+	if (SSL_CTX_check_private_key(sslContext) != 1)
+		throw std::runtime_error("Private key not valid");
+}
+
 // vim:ts=4