11 #include "coap_config.h" 47 #include <openssl/ssl.h> 48 #include <openssl/err.h> 49 #include <openssl/rand.h> 50 #include <openssl/hmac.h> 51 #include <openssl/x509v3.h> 53 #if OPENSSL_VERSION_NUMBER < 0x10100000L 54 #error Must be compiled against OpenSSL 1.1.0 or later 58 #define UNUSED __attribute__((unused)) 64 #ifndef TLSEXT_TYPE_client_certificate_type 65 #define TLSEXT_TYPE_client_certificate_type 19 67 #ifndef TLSEXT_TYPE_server_certificate_type 68 #define TLSEXT_TYPE_server_certificate_type 20 72 typedef struct coap_dtls_context_t {
75 HMAC_CTX *cookie_hmac;
78 } coap_dtls_context_t;
80 typedef struct coap_tls_context_t {
88 typedef struct sni_entry {
90 #if OPENSSL_VERSION_NUMBER < 0x10101000L 97 typedef struct coap_openssl_context_t {
98 coap_dtls_context_t dtls;
99 coap_tls_context_t tls;
103 sni_entry *sni_entry_list;
104 } coap_openssl_context_t;
107 if (SSLeay() < 0x10100000L) {
111 #if OPENSSL_VERSION_NUMBER >= 0x10101000L 119 if (SSLeay() < 0x10101000L) {
128 if (SSLeay() < 0x10100000L) {
132 #if OPENSSL_VERSION_NUMBER >= 0x10101000L 133 if (SSLeay() < 0x10101000L) {
151 SSL_load_error_strings();
158 dtls_log_level = level;
165 typedef struct coap_ssl_st {
173 static int coap_dgram_create(BIO *a) {
174 coap_ssl_data *data = NULL;
175 data = malloc(
sizeof(coap_ssl_data));
179 BIO_set_data(a, data);
180 memset(data, 0x00,
sizeof(coap_ssl_data));
184 static int coap_dgram_destroy(BIO *a) {
188 data = (coap_ssl_data *)BIO_get_data(a);
194 static int coap_dgram_read(BIO *a,
char *out,
int outl) {
196 coap_ssl_data *data = (coap_ssl_data *)BIO_get_data(a);
199 if (data != NULL && data->pdu_len > 0) {
200 if (outl < (
int)data->pdu_len) {
201 memcpy(out, data->pdu, outl);
204 memcpy(out, data->pdu, data->pdu_len);
205 ret = (int)data->pdu_len;
207 if (!data->peekmode) {
214 BIO_clear_retry_flags(a);
216 BIO_set_retry_read(a);
221 static int coap_dgram_write(BIO *a,
const char *in,
int inl) {
223 coap_ssl_data *data = (coap_ssl_data *)BIO_get_data(a);
226 if (data->session->sock.flags ==
COAP_SOCKET_EMPTY && data->session->endpoint == NULL) {
228 BIO_clear_retry_flags(a);
232 BIO_clear_retry_flags(a);
234 BIO_set_retry_write(a);
236 BIO_clear_retry_flags(a);
/*
 * BIO_meth "puts" hook for the datagram BIO.
 *
 * Treats pstr as a NUL-terminated string and hands it to coap_dgram_write(),
 * so the retry-flag handling lives in one place.  Returns whatever
 * coap_dgram_write() returns.  The length is narrowed from size_t to int
 * because that is the width of the BIO write interface.
 */
static int coap_dgram_puts(BIO *a, const char *pstr) {
  size_t len = strlen(pstr);
  return coap_dgram_write(a, pstr, (int)len);
}
246 static long coap_dgram_ctrl(BIO *a,
int cmd,
long num,
void *ptr) {
248 coap_ssl_data *data = BIO_get_data(a);
253 case BIO_CTRL_GET_CLOSE:
254 ret = BIO_get_shutdown(a);
256 case BIO_CTRL_SET_CLOSE:
257 BIO_set_shutdown(a, (
int)num);
260 case BIO_CTRL_DGRAM_SET_PEEK_MODE:
261 data->peekmode = (unsigned)num;
263 case BIO_CTRL_DGRAM_CONNECT:
266 case BIO_CTRL_DGRAM_SET_DONT_FRAG:
267 case BIO_CTRL_DGRAM_GET_MTU:
268 case BIO_CTRL_DGRAM_SET_MTU:
269 case BIO_CTRL_DGRAM_QUERY_MTU:
270 case BIO_CTRL_DGRAM_GET_FALLBACK_MTU:
275 case BIO_CTRL_DGRAM_MTU_DISCOVER:
276 case BIO_CTRL_DGRAM_SET_CONNECTED:
279 case BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT:
280 data->timeout =
coap_ticks_from_rt_us((uint64_t)((
struct timeval*)ptr)->tv_sec * 1000000 + ((
struct timeval*)ptr)->tv_usec);
284 case BIO_C_FILE_SEEK:
285 case BIO_C_FILE_TELL:
287 case BIO_CTRL_PENDING:
288 case BIO_CTRL_WPENDING:
289 case BIO_CTRL_DGRAM_GET_PEER:
290 case BIO_CTRL_DGRAM_SET_PEER:
291 case BIO_CTRL_DGRAM_SET_RECV_TIMEOUT:
292 case BIO_CTRL_DGRAM_GET_RECV_TIMEOUT:
293 case BIO_CTRL_DGRAM_SET_SEND_TIMEOUT:
294 case BIO_CTRL_DGRAM_GET_SEND_TIMEOUT:
295 case BIO_CTRL_DGRAM_GET_SEND_TIMER_EXP:
296 case BIO_CTRL_DGRAM_GET_RECV_TIMER_EXP:
297 case BIO_CTRL_DGRAM_MTU_EXCEEDED:
298 case BIO_CTRL_DGRAM_GET_MTU_OVERHEAD:
/*
 * DTLS HelloVerifyRequest cookie generator (installed via
 * SSL_CTX_set_cookie_generate_cb).
 *
 * The cookie is an HMAC over the session's local and remote transport
 * addresses.  The per-context cookie_hmac was keyed when the context was
 * created; calling HMAC_Init_ex() here with a NULL key/digest only resets the
 * running state and keeps that key.  Binding both addresses means a cookie
 * minted for one peer cannot be replayed from a different address.
 *
 * r folds together the 1/0 results of every HMAC step, so a failure anywhere
 * in the chain is not masked by a later success.  The function's return and
 * closing brace are not part of this extract.
 *
 * NOTE(review): the HMAC_CTX is shared by every handshake on this context;
 * concurrent handshakes would need external serialisation — confirm against
 * the library's threading model.
 */
static int coap_dtls_generate_cookie(SSL *ssl,
                                     unsigned char *cookie,
                                     unsigned int *cookie_len) {
  coap_dtls_context_t *dtls = (coap_dtls_context_t *)SSL_CTX_get_app_data(SSL_get_SSL_CTX(ssl));
  coap_ssl_data *data = (coap_ssl_data*)BIO_get_data(SSL_get_rbio(ssl));
  int r = HMAC_Init_ex(dtls->cookie_hmac, NULL, 0, NULL, NULL);
  /* Only the first .size bytes of each address union are fed into the HMAC. */
  r &= HMAC_Update(dtls->cookie_hmac, (const uint8_t*)&data->session->local_addr.addr, (size_t)data->session->local_addr.size);
  r &= HMAC_Update(dtls->cookie_hmac, (const uint8_t*)&data->session->remote_addr.addr, (size_t)data->session->remote_addr.size);
  r &= HMAC_Final(dtls->cookie_hmac, cookie, cookie_len);
/*
 * DTLS cookie verifier (installed via SSL_CTX_set_cookie_verify_cb).
 *
 * Recomputes the expected cookie for this peer with
 * coap_dtls_generate_cookie() and accepts only when the length matches and
 * the bytes compare equal.  The hmac buffer and len variable are declared on
 * lines that are not part of this extract, as is the function's tail.
 *
 * NOTE(review): memcmp() may stop at the first differing byte, so the
 * comparison time depends on how much of the cookie matches.  OpenSSL's
 * CRYPTO_memcmp() has the same call shape and runs in fixed time; it is the
 * usual choice for comparing MAC values.
 */
static int coap_dtls_verify_cookie(SSL *ssl,
                                   const uint8_t *cookie,
                                   unsigned int cookie_len) {
  if (coap_dtls_generate_cookie(ssl, hmac, &len) && cookie_len == len && memcmp(cookie, hmac, len) == 0)
325 static unsigned coap_dtls_psk_client_callback(SSL *ssl,
const char *hint,
char *identity,
unsigned int max_identity_len,
unsigned char *buf,
unsigned max_len) {
326 size_t hint_len = 0, identity_len = 0, psk_len;
330 hint_len = strlen(hint);
340 if (identity_len < max_identity_len)
341 identity[identity_len] = 0;
342 return (
unsigned)psk_len;
345 static unsigned coap_dtls_psk_server_callback(SSL *ssl,
const char *identity,
unsigned char *buf,
unsigned max_len) {
346 size_t identity_len = 0;
350 identity_len = strlen(identity);
355 (
int)identity_len, identity);
363 static void coap_dtls_info_callback(
const SSL *ssl,
int where,
int ret) {
366 int w = where &~SSL_ST_MASK;
368 if (w & SSL_ST_CONNECT)
369 pstr =
"SSL_connect";
370 else if (w & SSL_ST_ACCEPT)
375 if (where & SSL_CB_LOOP) {
379 }
else if (where & SSL_CB_ALERT) {
380 pstr = (where & SSL_CB_READ) ?
"read" :
"write";
385 SSL_alert_type_string_long(ret),
386 SSL_alert_desc_string_long(ret));
387 if ((where & (SSL_CB_WRITE|SSL_CB_READ)) && (ret >> 8) == SSL3_AL_FATAL)
389 }
else if (where & SSL_CB_EXIT) {
395 while ((e = ERR_get_error()))
398 ERR_lib_error_string(e), ERR_func_error_string(e));
400 }
else if (ret < 0) {
402 int err = SSL_get_error(ssl, ret);
403 if (err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE && err != SSL_ERROR_WANT_CONNECT && err != SSL_ERROR_WANT_ACCEPT && err != SSL_ERROR_WANT_X509_LOOKUP) {
407 while ((e = ERR_get_error()))
410 ERR_lib_error_string(e), ERR_func_error_string(e));
416 if (where == SSL_CB_HANDSHAKE_START && SSL_get_state(ssl) == TLS_ST_OK)
420 static int coap_sock_create(BIO *a) {
425 static int coap_sock_destroy(BIO *a) {
430 static int coap_sock_read(BIO *a,
char *out,
int outl) {
437 BIO_set_retry_read(a);
440 BIO_clear_retry_flags(a);
446 static int coap_sock_write(BIO *a,
const char *in,
int inl) {
451 BIO_clear_retry_flags(a);
453 BIO_set_retry_read(a);
456 BIO_clear_retry_flags(a);
/*
 * BIO_meth "puts" hook for the stream (socket) BIO.
 *
 * Treats pstr as a NUL-terminated string and hands it to coap_sock_write(),
 * which owns the retry-flag handling.  Returns whatever coap_sock_write()
 * returns.  The length is narrowed from size_t to int because that is the
 * width of the BIO write interface.
 */
static int coap_sock_puts(BIO *a, const char *pstr) {
  size_t len = strlen(pstr);
  return coap_sock_write(a, pstr, (int)len);
}
465 static long coap_sock_ctrl(BIO *a,
int cmd,
long num,
void *ptr) {
476 case BIO_CTRL_SET_CLOSE:
482 case BIO_CTRL_GET_CLOSE:
490 coap_openssl_context_t *context;
493 context = (coap_openssl_context_t *)
coap_malloc(
sizeof(coap_openssl_context_t));
497 memset(context, 0,
sizeof(coap_openssl_context_t));
500 context->dtls.ctx = SSL_CTX_new(DTLS_method());
501 if (!context->dtls.ctx)
503 SSL_CTX_set_min_proto_version(context->dtls.ctx, DTLS1_2_VERSION);
504 SSL_CTX_set_app_data(context->dtls.ctx, &context->dtls);
505 SSL_CTX_set_read_ahead(context->dtls.ctx, 1);
506 SSL_CTX_set_cipher_list(context->dtls.ctx,
"TLSv1.2:TLSv1.0");
507 if (!RAND_bytes(cookie_secret, (
int)
sizeof(cookie_secret))) {
510 "Insufficient entropy for random cookie generation");
511 prng(cookie_secret,
sizeof(cookie_secret));
513 context->dtls.cookie_hmac = HMAC_CTX_new();
514 if (!HMAC_Init_ex(context->dtls.cookie_hmac, cookie_secret, (
int)
sizeof(cookie_secret), EVP_sha256(), NULL))
516 SSL_CTX_set_cookie_generate_cb(context->dtls.ctx, coap_dtls_generate_cookie);
517 SSL_CTX_set_cookie_verify_cb(context->dtls.ctx, coap_dtls_verify_cookie);
518 SSL_CTX_set_info_callback(context->dtls.ctx, coap_dtls_info_callback);
519 SSL_CTX_set_options(context->dtls.ctx, SSL_OP_NO_QUERY_MTU);
520 context->dtls.meth = BIO_meth_new(BIO_TYPE_DGRAM,
"coapdgram");
521 if (!context->dtls.meth)
523 context->dtls.bio_addr = BIO_ADDR_new();
524 if (!context->dtls.bio_addr)
526 BIO_meth_set_write(context->dtls.meth, coap_dgram_write);
527 BIO_meth_set_read(context->dtls.meth, coap_dgram_read);
528 BIO_meth_set_puts(context->dtls.meth, coap_dgram_puts);
529 BIO_meth_set_ctrl(context->dtls.meth, coap_dgram_ctrl);
530 BIO_meth_set_create(context->dtls.meth, coap_dgram_create);
531 BIO_meth_set_destroy(context->dtls.meth, coap_dgram_destroy);
534 context->tls.ctx = SSL_CTX_new(TLS_method());
535 if (!context->tls.ctx)
537 SSL_CTX_set_app_data(context->tls.ctx, &context->tls);
538 SSL_CTX_set_min_proto_version(context->tls.ctx, TLS1_VERSION);
539 SSL_CTX_set_cipher_list(context->tls.ctx,
"TLSv1.2:TLSv1.0");
540 SSL_CTX_set_info_callback(context->tls.ctx, coap_dtls_info_callback);
541 context->tls.meth = BIO_meth_new(BIO_TYPE_SOCKET,
"coapsock");
542 if (!context->tls.meth)
544 BIO_meth_set_write(context->tls.meth, coap_sock_write);
545 BIO_meth_set_read(context->tls.meth, coap_sock_read);
546 BIO_meth_set_puts(context->tls.meth, coap_sock_puts);
547 BIO_meth_set_ctrl(context->tls.meth, coap_sock_ctrl);
548 BIO_meth_set_create(context->tls.meth, coap_sock_create);
549 BIO_meth_set_destroy(context->tls.meth, coap_sock_destroy);
561 const char *identity_hint,
564 coap_openssl_context_t *context = ((coap_openssl_context_t *)ctx->
dtls_context);
568 SSL_CTX_set_psk_server_callback(context->dtls.ctx, coap_dtls_psk_server_callback);
569 SSL_CTX_set_psk_server_callback(context->tls.ctx, coap_dtls_psk_server_callback);
570 SSL_CTX_use_psk_identity_hint(context->dtls.ctx, identity_hint ? identity_hint :
"");
571 SSL_CTX_use_psk_identity_hint(context->tls.ctx, identity_hint ? identity_hint :
"");
573 if (!context->dtls.ssl) {
575 context->dtls.ssl = SSL_new(context->dtls.ctx);
576 if (!context->dtls.ssl)
578 bio = BIO_new(context->dtls.meth);
580 SSL_free (context->dtls.ssl);
581 context->dtls.ssl = NULL;
584 SSL_set_bio(context->dtls.ssl, bio, bio);
585 SSL_set_app_data(context->dtls.ssl, NULL);
586 SSL_set_options(context->dtls.ssl, SSL_OP_COOKIE_EXCHANGE);
589 context->psk_pki_enabled |= IS_PSK;
594 map_key_type(
int asn1_private_key_type
596 switch (asn1_private_key_type) {
614 "*** setup_pki: DTLS: Unknown Private Key type %d for ASN1\n",
615 asn1_private_key_type);
/*
 * ALPN protocol list for CoAP over TLS: a single entry in the length-prefixed
 * wire form (one length byte followed by the protocol name "coap"), which is
 * the layout SSL_select_next_proto() consumes in server_alpn_callback().
 * Deliberately not NUL-terminated, so sizeof(coap_alpn) is the wire length.
 */
static uint8_t coap_alpn[] = { 4, 'c', 'o', 'a', 'p' };
623 server_alpn_callback (SSL *ssl
UNUSED,
624 const unsigned char **out,
625 unsigned char *outlen,
626 const unsigned char *in,
630 unsigned char *tout = NULL;
633 return SSL_TLSEXT_ERR_NOACK;
634 ret = SSL_select_next_proto(&tout,
641 return (ret != OPENSSL_NPN_NEGOTIATED) ? SSL_TLSEXT_ERR_NOACK : SSL_TLSEXT_ERR_OK;
645 add_ca_to_cert_store(X509_STORE *st, X509 *x509)
650 while ((e = ERR_get_error()) != 0) {
653 if (!X509_STORE_add_cert(st, x509)) {
654 while ((e = ERR_get_error()) != 0) {
655 int r = ERR_GET_REASON(e);
656 if (r != X509_R_CERT_ALREADY_IN_HASH_TABLE) {
659 ERR_reason_error_string(e),
660 ERR_lib_error_string(e),
661 ERR_func_error_string(e));
667 #if OPENSSL_VERSION_NUMBER < 0x10101000L 669 setup_pki_server(SSL_CTX *ctx,
676 if (!(SSL_CTX_use_certificate_file(ctx,
678 SSL_FILETYPE_PEM))) {
680 "*** setup_pki: (D)TLS: %s: Unable to configure " 681 "Server Certificate\n",
688 "*** setup_pki: (D)TLS: No Server Certificate defined\n");
694 if (!(SSL_CTX_use_PrivateKey_file(ctx,
696 SSL_FILETYPE_PEM))) {
698 "*** setup_pki: (D)TLS: %s: Unable to configure " 699 "Server Private Key\n",
706 "*** setup_pki: (D)TLS: No Server Private Key defined\n");
712 STACK_OF(X509_NAME) *cert_names;
718 if (cert_names != NULL)
719 SSL_CTX_set_client_CA_list(ctx, cert_names);
722 "*** setup_pki: (D)TLS: %s: Unable to configure " 727 st = SSL_CTX_get_cert_store(ctx);
728 in = BIO_new(BIO_s_file());
731 if (!BIO_read_filename(in, rw_var)) {
738 if (PEM_read_bio_X509(in, &x, NULL, NULL) == NULL)
740 add_ca_to_cert_store(st, x);
750 if (!(SSL_CTX_use_certificate_ASN1(ctx,
754 "*** setup_pki: (D)TLS: %s: Unable to configure " 755 "Server Certificate\n",
762 "*** setup_pki: (D)TLS: No Server Certificate defined\n");
769 if (!(SSL_CTX_use_PrivateKey_ASN1(pkey_type, ctx,
773 "*** setup_pki: (D)TLS: %s: Unable to configure " 774 "Server Private Key\n",
781 "*** setup_pki: (D)TLS: No Server Private Key defined\n");
791 if (!x509 || !SSL_CTX_add_client_CA(ctx, x509)) {
793 "*** setup_pki: (D)TLS: %s: Unable to configure " 799 st = SSL_CTX_get_cert_store(ctx);
800 add_ca_to_cert_store(st, x509);
806 "*** setup_pki: (D)TLS: Unknown key type %d\n",
816 setup_pki_ssl(SSL *ssl,
823 if (!(SSL_use_certificate_file(ssl,
825 SSL_FILETYPE_PEM))) {
827 "*** setup_pki: (D)TLS: %s: Unable to configure " 838 "*** setup_pki: (D)TLS: No %s Certificate defined\n",
844 if (!(SSL_use_PrivateKey_file(ssl,
846 SSL_FILETYPE_PEM))) {
848 "*** setup_pki: (D)TLS: %s: Unable to configure " 849 "Client Private Key\n",
858 "*** setup_pki: (D)TLS: No %s Private Key defined\n",
868 SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
873 if (cert_names != NULL)
874 SSL_set_client_CA_list(ssl, cert_names);
877 "*** setup_pki: (D)TLS: %s: Unable to configure " 886 in = BIO_new(BIO_s_file());
889 if (!BIO_read_filename(in, rw_var)) {
894 st = SSL_CTX_get_cert_store(ctx);
896 if (PEM_read_bio_X509(in, &x, NULL, NULL) == NULL)
898 add_ca_to_cert_store(st, x);
908 if (!(SSL_use_certificate_ASN1(ssl,
912 "*** setup_pki: (D)TLS: %s: Unable to configure " 923 "*** setup_pki: (D)TLS: No %s Certificate defined\n",
930 if (!(SSL_use_PrivateKey_ASN1(pkey_type, ssl,
934 "*** setup_pki: (D)TLS: %s: Unable to configure " 945 "*** setup_pki: (D)TLS: No %s Private Key defined",
955 SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
958 if (!x509 || !SSL_add_client_CA(ssl, x509)) {
960 "*** setup_pki: (D)TLS: %s: Unable to configure " 969 st = SSL_CTX_get_cert_store(ctx);
970 add_ca_to_cert_store(st, x509);
976 "*** setup_pki: (D)TLS: Unknown key type %d\n",
984 get_common_name_from_cert(X509* x509) {
988 STACK_OF(GENERAL_NAME) *san_list;
991 san_list = X509_get_ext_d2i(x509, NID_subject_alt_name, NULL, NULL);
993 int san_count = sk_GENERAL_NAME_num(san_list);
995 for (n = 0; n < san_count; n++) {
996 const GENERAL_NAME * name = sk_GENERAL_NAME_value (san_list, n);
998 if (name->type == GEN_DNS) {
999 const char *dns_name = (
const char *)ASN1_STRING_get0_data(name->d.dNSName);
1002 if (ASN1_STRING_length(name->d.dNSName) != (int)strlen (dns_name))
1004 cn = OPENSSL_strdup(dns_name);
1005 sk_GENERAL_NAME_pop_free(san_list, GENERAL_NAME_free);
1009 sk_GENERAL_NAME_pop_free(san_list, GENERAL_NAME_free);
1012 X509_NAME_oneline(X509_get_subject_name(x509), buffer,
sizeof(buffer));
1015 n = strlen(buffer) - 3;
1018 if (((cn[0] ==
'C') || (cn[0] ==
'c')) &&
1019 ((cn[1] ==
'N') || (cn[1] ==
'n')) &&
1028 char * ecn = strchr(cn,
'/');
1030 return OPENSSL_strndup(cn, ecn-cn);
1033 return OPENSSL_strdup(cn);
1041 tls_verify_call_back(
int preverify_ok, X509_STORE_CTX *ctx) {
1042 SSL *ssl = X509_STORE_CTX_get_ex_data(ctx,
1043 SSL_get_ex_data_X509_STORE_CTX_idx());
1045 coap_openssl_context_t *context =
1048 int depth = X509_STORE_CTX_get_error_depth(ctx);
1049 int err = X509_STORE_CTX_get_error(ctx);
1050 X509 *x509 = X509_STORE_CTX_get_current_cert(ctx);
1051 char *cn = get_common_name_from_cert(x509);
1052 int keep_preverify_ok = preverify_ok;
1054 if (!preverify_ok) {
1056 case X509_V_ERR_CERT_NOT_YET_VALID:
1057 case X509_V_ERR_CERT_HAS_EXPIRED:
1061 case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
1065 case X509_V_ERR_UNABLE_TO_GET_CRL:
1069 case X509_V_ERR_CRL_NOT_YET_VALID:
1070 case X509_V_ERR_CRL_HAS_EXPIRED:
1077 if (!preverify_ok) {
1079 " %s: %s: '%s' depth=%d\n",
1081 X509_verify_cert_error_string(err), cn ? cn :
"?", depth);
1083 keep_preverify_ok = 1;
1087 " %s: %s: overridden: '%s' depth=%d\n",
1089 X509_verify_cert_error_string(err), cn ? cn :
"?", depth);
1094 int length = i2d_X509(x509, NULL);
1096 uint8_t *base_buf2 = base_buf = OPENSSL_malloc(length);
1099 i2d_X509(x509, &base_buf2);
1101 depth, preverify_ok,
1104 X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REJECTED);
1107 X509_STORE_CTX_set_error(ctx, X509_V_ERR_INVALID_CA);
1111 OPENSSL_free(base_buf);
1114 return preverify_ok;
1117 #if OPENSSL_VERSION_NUMBER < 0x10101000L 1126 tls_secret_call_back(SSL *ssl,
1127 void *secret UNUSED,
1128 int *secretlen UNUSED,
1129 STACK_OF(SSL_CIPHER) *peer_ciphers,
1130 const SSL_CIPHER **cipher UNUSED,
1134 int psk_requested = 0;
1140 for (ii = 0; ii < sk_SSL_CIPHER_num (peer_ciphers); ii++) {
1141 const SSL_CIPHER *peer_cipher = sk_SSL_CIPHER_value(peer_ciphers, ii);
1143 if (strstr (SSL_CIPHER_get_name (peer_cipher),
"PSK")) {
1149 if (!psk_requested) {
1161 SSL_VERIFY_CLIENT_ONCE |
1162 SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
1163 tls_verify_call_back);
1168 SSL_VERIFY_CLIENT_ONCE,
1169 tls_verify_call_back);
1173 SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL);
1182 X509_VERIFY_PARAM *param;
1184 param = X509_VERIFY_PARAM_new();
1185 X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
1186 SSL_set1_param(ssl, param);
1187 X509_VERIFY_PARAM_free(param);
1205 SSL_set_cipher_list (ssl,
"PSK:!NULL");
1206 SSL_set_psk_server_callback(ssl, coap_dtls_psk_server_callback);
1224 tls_server_name_call_back(SSL *ssl,
1231 return SSL_TLSEXT_ERR_NOACK;
1237 coap_openssl_context_t *context =
1239 const char *sni = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
1242 if (!sni || !sni[0]) {
1245 for (i = 0; i < context->sni_count; i++) {
1246 if (!strcmp(sni, context->sni_entry_list[i].sni)) {
1250 if (i == context->sni_count) {
1256 return SSL_TLSEXT_ERR_ALERT_FATAL;
1261 ctx = SSL_CTX_new(DTLS_method());
1264 SSL_CTX_set_min_proto_version(ctx, DTLS1_2_VERSION);
1265 SSL_CTX_set_app_data(ctx, &context->dtls);
1266 SSL_CTX_set_read_ahead(ctx, 1);
1267 SSL_CTX_set_cipher_list(ctx,
"TLSv1.2:TLSv1.0");
1268 SSL_CTX_set_cookie_generate_cb(ctx, coap_dtls_generate_cookie);
1269 SSL_CTX_set_cookie_verify_cb(ctx, coap_dtls_verify_cookie);
1270 SSL_CTX_set_info_callback(ctx, coap_dtls_info_callback);
1271 SSL_CTX_set_options(ctx, SSL_OP_NO_QUERY_MTU);
1275 ctx = SSL_CTX_new(TLS_method());
1278 SSL_CTX_set_app_data(ctx, &context->tls);
1279 SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
1280 SSL_CTX_set_cipher_list(ctx,
"TLSv1.2:TLSv1.0");
1281 SSL_CTX_set_info_callback(ctx, coap_dtls_info_callback);
1282 SSL_CTX_set_alpn_select_cb(ctx, server_alpn_callback, NULL);
1284 memset(&sni_setup_data, 0,
sizeof(sni_setup_data));