pure virtual
Initializes the socket for use with SSL/TLS.
p6ITcpSocket::initialize() MUST be called successfully before calling this method to initialize SSL/TLS for this socket.
To set up client authentication, the client certificate and private key need to be imported into the keystore (either the platform global keystore if running under P6Platform, or the keystore passed in the pKeystore argument). To successfully make a connection using client authentication, three items need to be present in the keystore:
Type | Namespace | Name | Description
cert | p6r.trustedroot | subject_hash | The cert stored in the p6r.trustedroot namespace is the root certificate for the server you are connecting to. This allows you to make a connection to the server.
cert | p6r.clientauth | remote_hostname | The next cert is the client certificate issued by the server and is sent to the server as the means of authentication.
key | p6r.clientauth | remote_hostname | The private key associated with the client certificate.
To enable client authentication, after importing the required information into the keystore, call initSecureSocket() with fSecureFlags containing P6SSF_SECURE_CLIENT_AUTH. The SSL implementation will attempt to look up the client certificate and private key in the keystore using the "p6r.clientauth" namespace and pszHostname as the "name". If they are not found, this method will fail; otherwise the information will be sent to the server.
pKeystore | [ in ] (optional) A pointer to a p6IKeystore interface that is populated with the certificates and keys needed for SSL/TLS encryption. If NULL, the platform's default keystore will be used. |
pFactory | [ in ] A pointer to a p6IIoBufferFactory interface. This interface is used to allocate the I/O buffers which the underlying SSL engine will use to store intermediate data. It is important to note that a connect/read/write etc. can cause multiple round trips to happen on the connection. When, for example, a caller invokes a write() on the socket, the SSL engine may require that a read happen first in order to complete the write. The I/O buffers in this pool are used to store data for these underlying reads and writes. |
pszHostname | [ in ] (required for client sockets) A pointer to a NULL terminated wide character string containing the hostname of the server that a connection is being made to. SSL/TLS requires this information to verify that the certificate provided by the server matches the hostname the caller is trying to connect to. |
pszCiphers | [ in ] (optional) A pointer to a NULL terminated wide character string containing the OpenSSL cipher command (see http://www.openssl.org/docs/apps/ciphers.html). If NULL, the secure default "TLSv1+HIGH:TLSv1.2+HIGH:!SSLv2:!aNULL:!eNULL:!3DES:@STRENGTH" will automatically be used, which enables TLSv1.1 and TLSv1.2, disables SSLv2, disables ciphers that do not use authentication, disables 3DES, and prefers the strongest ciphers first. It does, however, leave SSLv3 enabled for compatibility. This SHOULD be disabled in a production environment. You can disable SSLv3 by passing in the following string: "TLSv1+HIGH:TLSv1.2+HIGH:!SSLv2:!SSLv3:!aNULL:!eNULL:!3DES:@STRENGTH". |
fSecureFlags | [ in ] If the P6SF_SECURESSL flag is specified in mFlags, then the P6SECURESOCKETFLAGS are required to specify the type (client|server) and the crypto method to use for the secure connection. |
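A cipher string such as the ones documented for pszCiphers is only a rule set; what it actually enables depends on the OpenSSL build it is resolved against. The following added example (not part of the p6r SDK; it uses Python's ssl module as a stand-in for the SSL engine) resolves both strings and checks the properties the default is documented to have: no anonymous, no unencrypted and no 3DES suites, strongest first.

```python
"""Resolve the two documented OpenSSL cipher strings against the local
OpenSSL build and audit the properties the documentation promises.
Added example; Python's ssl module stands in for the SDK's SSL engine."""
import ssl

# Cipher strings quoted in the documentation for pszCiphers.
DEFAULT_CIPHERS = "TLSv1+HIGH:TLSv1.2+HIGH:!SSLv2:!aNULL:!eNULL:!3DES:@STRENGTH"
HARDENED_CIPHERS = "TLSv1+HIGH:TLSv1.2+HIGH:!SSLv2:!SSLv3:!aNULL:!eNULL:!3DES:@STRENGTH"


def resolve_cipher_string(cipher_string):
    """Return the suites OpenSSL selects for cipher_string, in the order it
    would offer them, as (name, protocol, strength_bits) tuples."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [(c["name"], c["protocol"], c["strength_bits"])
            for c in ctx.get_ciphers()]


def audit_cipher_string(cipher_string):
    """Check the documented properties: !aNULL (no anonymous suites),
    !eNULL (no unencrypted suites), !3DES, and @STRENGTH (strongest first).
    TLS 1.3 suites are configured separately by OpenSSL and are therefore
    excluded from the ordering check."""
    suites = resolve_cipher_string(cipher_string)
    names = [name for name, _, _ in suites]
    pref_bits = [bits for _, proto, bits in suites if proto != "TLSv1.3"]
    return {
        "count": len(suites),
        "anonymous": [n for n in names if n.startswith(("ADH-", "AECDH-"))],
        "unencrypted": [n for n in names if "NULL" in n],
        "triple_des": [n for n in names if "DES-CBC3" in n],
        "strongest_first": pref_bits == sorted(pref_bits, reverse=True),
        # Protocol versions the selected suites were defined for; this is
        # where the SSLv3-era suites the documentation warns about show up.
        "protocols": sorted({proto for _, proto, _ in suites}),
    }


if __name__ == "__main__":
    for label, s in (("default", DEFAULT_CIPHERS), ("hardened", HARDENED_CIPHERS)):
        print(label, audit_cipher_string(s))
```

Note that the cipher string does not by itself control protocol versions on current OpenSSL; pair it with a minimum protocol version (TLS 1.2 or later) where the SSL engine exposes one.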