自学教程：C++ ssl_error函数代码示例

int ssl_ca_certificate(struct ssl_t *ssl, const char *cafile, int depth){	STACK_OF(X509_NAME)  *list;		SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ssl_verify_callback);	SSL_CTX_set_verify_depth(ssl->ctx, depth);		if (SSL_CTX_load_verify_locations(ssl->ctx, cafile, NULL) == 0) {		hlog(LOG_ERR, "Failed to load trusted CA list from /"%s/"", cafile);		ssl_error(LOG_ERR, "SSL_CTX_load_verify_locations");		return -1;	}		list = SSL_load_client_CA_file(cafile);		if (list == NULL) {		hlog(LOG_ERR, "Failed to load client CA file from /"%s/"", cafile);		ssl_error(LOG_ERR, "SSL_load_client_CA_file");		return -1;	}		/*	 * before 0.9.7h and 0.9.8 SSL_load_client_CA_file()	 * always leaved an error in the error queue	 */		ERR_clear_error();		SSL_CTX_set_client_CA_list(ssl->ctx, list);		ssl->validate = 1;		return 0;}

voidssl_set_ecdh_curve(SSL_CTX *ctx, const char *curve){#if OPENSSL_VERSION_NUMBER >= 0x0090800fL#ifndef OPENSSL_NO_ECDH	int	nid;	EC_KEY *ecdh;	if (curve == NULL)		curve = SSL_ECDH_CURVE;	if ((nid = OBJ_sn2nid(curve)) == 0) {		ssl_error("ssl_set_ecdh_curve");		fatal("ssl_set_ecdh_curve: unknown curve name %s", curve);	}	if ((ecdh = EC_KEY_new_by_curve_name(nid)) == NULL) {		ssl_error("ssl_set_ecdh_curve");		fatal("ssl_set_ecdh_curve: unable to create curve %s", curve);	}	SSL_CTX_set_tmp_ecdh(ctx, ecdh);	SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);	EC_KEY_free(ecdh);#endif#endif}

static value dgst_sign(value data, value key, value alg){	const mbedtls_md_info_t *md;	int r = -1;	size_t olen = 0;	value out;	unsigned char *buf;	unsigned char hash[32];	val_check(data, string);	val_check_kind(key, k_pkey);	val_check(alg, string);	md = mbedtls_md_info_from_string(val_string(alg));	if( md == NULL ){		val_throw(alloc_string("Invalid hash algorithm"));		return val_null;	}	if( (r = mbedtls_md( md, (const unsigned char *)val_string(data), val_strlen(data), hash )) != 0 )		return ssl_error(r);	out = alloc_empty_string(MBEDTLS_MPI_MAX_SIZE);	buf = (unsigned char *)val_string(out);	if( (r = mbedtls_pk_sign( val_pkey(key), mbedtls_md_get_type(md), hash, 0, buf, &olen, mbedtls_ctr_drbg_random, &ctr_drbg )) != 0 )		return ssl_error(r);	buf[olen] = 0;	val_set_size(out, olen);	return out;}

// Dynamically load SSL library. Set up ctx->ssl_ctx pointer.static int set_ssl_option(struct mg_context *ctx) {  int i, size;  const char *pem;  // If PEM file is not specified and the init_ssl callback  // is not specified, skip SSL initialization.  if ((pem = ctx->config[SSL_CERTIFICATE]) == NULL) {    //  MG_INIT_SSL    //  ctx->callbacks.init_ssl == NULL) {    return 1;  }#if !defined(NO_SSL_DL)  if (!load_dll(ctx, SSL_LIB, ssl_sw) ||      !load_dll(ctx, CRYPTO_LIB, crypto_sw)) {    return 0;  }#endif // NO_SSL_DL  // Initialize SSL library  SSL_library_init();  SSL_load_error_strings();  if ((ctx->ssl_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL) {    cry(fc(ctx), "SSL_CTX_new (server) error: %s", ssl_error());    return 0;  }  // If user callback returned non-NULL, that means that user callback has  // set up certificate itself. In this case, skip sertificate setting.  // MG_INIT_SSL  if (SSL_CTX_use_certificate_file(ctx->ssl_ctx, pem, 1) == 0 ||      SSL_CTX_use_PrivateKey_file(ctx->ssl_ctx, pem, 1) == 0) {    cry(fc(ctx), "%s: cannot open %s: %s", __func__, pem, ssl_error());    return 0;  }  if (pem != NULL) {    (void) SSL_CTX_use_certificate_chain_file(ctx->ssl_ctx, pem);  }  // Initialize locking callbacks, needed for thread safety.  // http://www.openssl.org/support/faq.html#PROG1  size = sizeof(pthread_mutex_t) * CRYPTO_num_locks();  if ((ssl_mutexes = (pthread_mutex_t *) malloc((size_t)size)) == NULL) {    cry(fc(ctx), "%s: cannot allocate mutexes: %s", __func__, ssl_error());    return 0;  }  for (i = 0; i < CRYPTO_num_locks(); i++) {    pthread_mutex_init(&ssl_mutexes[i], NULL);  }  CRYPTO_set_locking_callback(&ssl_locking_callback);  CRYPTO_set_id_callback(&ssl_id_callback);  return 1;}

intssl_setup(SSL_CTX **ctxp, struct pki *pki,    int (*sni_cb)(SSL *,int *,void *), const char *ciphers){	SSL_CTX	*ctx;	uint8_t sid[SSL_MAX_SID_CTX_LENGTH];	ctx = ssl_ctx_create(pki->pki_name, pki->pki_cert, pki->pki_cert_len, ciphers);	/*	 * Set session ID context to a random value.  We don't support	 * persistent caching of sessions so it is OK to set a temporary	 * session ID context that is valid during run time.	 */	arc4random_buf(sid, sizeof(sid));	if (!SSL_CTX_set_session_id_context(ctx, sid, sizeof(sid)))		goto err;	if (sni_cb)		SSL_CTX_set_tlsext_servername_callback(ctx, sni_cb);	SSL_CTX_set_dh_auto(ctx, pki->pki_dhe);	SSL_CTX_set_ecdh_auto(ctx, 1);	*ctxp = ctx;	return 1;err:	SSL_CTX_free(ctx);	ssl_error("ssl_setup");	return 0;}

intssl_setup(SSL_CTX **ctxp, struct pki *pki){	DH	*dh;	SSL_CTX	*ctx;	ctx = ssl_ctx_create(pki->pki_name, pki->pki_cert, pki->pki_cert_len);	if (!SSL_CTX_set_session_id_context(ctx,		(const unsigned char *)pki->pki_name,		strlen(pki->pki_name) + 1))		goto err;	if (pki->pki_dhparams_len == 0)		dh = get_dh1024();	else		dh = get_dh_from_memory(pki->pki_dhparams,		    pki->pki_dhparams_len);	ssl_set_ephemeral_key_exchange(ctx, dh);	DH_free(dh);	ssl_set_ecdh_curve(ctx, SSL_ECDH_CURVE);	*ctxp = ctx;	return 1;err:	SSL_CTX_free(ctx);	ssl_error("ssl_setup");	return 0;}

// add_key_from_file: adds an RSA key from a file location, returns// KSSL_ERROR_NONE if successful, or a KSSL_ERROR_* if a problem// occurs. Adds the private key to the list if successful.kssl_error_code add_key_from_file(const char *path, // Path to file containing key                                  pk_list list) {   // Array of private keys from new_pk_list  int rc;  BIO *bp;  kssl_error_code err = KSSL_ERROR_NONE;  bp = BIO_new(BIO_s_file());  if (bp == NULL) {    ssl_error();  }  rc = BIO_read_filename(bp, path);  if (!rc) {    write_log(1, "Failed to open private key file %s", path);    return KSSL_ERROR_INTERNAL;  }  err = add_key_from_bio(bp, list);  if (err != KSSL_ERROR_NONE) {    write_log(1, "Private RSA key from file %s is not valid", path);    BIO_free(bp);    return KSSL_ERROR_INTERNAL;  }  BIO_free(bp);  return KSSL_ERROR_NONE;}

// add_key_from_bio: adds an RSA key from a BIO pointer, returns// KSSL_ERROR_NONE if successful, or a KSSL_ERROR_* if a problem// occurs. Adds the private key to the list if successful.static kssl_error_code add_key_from_bio(BIO *key_bp,     // BIO Key value in PEM format                                        pk_list list) {  // Array of private keys   RSA *local_key;  local_key = PEM_read_bio_RSAPrivateKey(key_bp, 0, 0, 0);  if (local_key == NULL) {    ssl_error();  }  if (list->current >= list->allocated) {    write_log(1, "Private key list maximum reached");    return KSSL_ERROR_INTERNAL;  }  if (RSA_check_key(local_key) != 1) {    return KSSL_ERROR_INTERNAL;  }  list->privates[list->current].key = local_key;  digest_public_modulus(local_key, list->privates[list->current].digest);  list->current++;  return KSSL_ERROR_NONE;}

// add_key_from_buffer: adds an RSA key from a pointer, returns// KSSL_ERROR_NONE if successful, or a KSSL_ERROR_* if a problem// occurs. Adds the private key to the list if successful.kssl_error_code add_key_from_buffer(const char *key, // Key value in PEM format                                    int key_len,     // Length of key in bytes                                    pk_list list) {  // Array of private keys   BIO *bp;  kssl_error_code err = KSSL_ERROR_NONE;  if (!list) {    write_log(1, "Assigning to NULL");    return KSSL_ERROR_INTERNAL;  }  bp = BIO_new_mem_buf((void*)key, key_len);  if (bp == NULL) {    ssl_error();  }  err = add_key_from_bio(bp, list);  if (err != KSSL_ERROR_NONE) {    write_log(1, "Private RSA key is not valid");    BIO_free(bp);    return KSSL_ERROR_INTERNAL;  }  BIO_free(bp);  return KSSL_ERROR_NONE;}

static value key_from_pem(value data, value pub, value pass){	mbedtls_pk_context *pk;	int r, len;	value v;	unsigned char *buf;	val_check(data, string);	val_check(pub, bool);	if (!val_is_null(pass)) val_check(pass, string);	len = val_strlen(data)+1;	buf = (unsigned char *)alloc(len);	memcpy(buf, val_string(data), len-1);	buf[len-1] = '/0';	pk = (mbedtls_pk_context *)alloc(sizeof(mbedtls_pk_context));	mbedtls_pk_init(pk);	if( val_bool(pub) )		r = mbedtls_pk_parse_public_key( pk, buf, len );	else if( val_is_null(pass) )		r = mbedtls_pk_parse_key( pk, buf, len, NULL, 0 );	else		r = mbedtls_pk_parse_key( pk, buf, len, (const unsigned char*)val_string(pass), val_strlen(pass) );	if( r != 0 ){		mbedtls_pk_free(pk);		return ssl_error(r);	}	v = alloc_abstract(k_pkey,pk);	val_gc(v,free_pkey);	return v;}

int C_SecureSocketClient::_secure_mode() {  int L_result, L_ret ;  m_ssl = SSL_new(m_ssl_ctx);  SSL_set_connect_state(m_ssl) ;    if ((m_bio = BIO_new_socket(m_socket_id, BIO_CLOSE)) == NULL ) {    SOCKET_ERROR(0, "Unable to create the BIO- client in New TLS connection");  }      SSL_set_bio(m_ssl,m_bio,m_bio);    L_result = SSL_connect(m_ssl) ;  if ( L_result < 0 ) {    if (SSL_get_error(m_ssl, L_result) == SSL_ERROR_WANT_READ) {      m_state = E_SOCKET_STATE_INPROGESS ;      L_ret = 0 ;    } else {      ssl_error(L_result);      L_ret = -1 ;    }  } else {    L_ret = 0 ;  }  return (L_ret);  }

intio_start_tls(struct io *io, void *ssl){	int	mode;	mode = io->flags & IO_RW;	if (mode == 0 || mode == IO_RW)		errx(1, "io_start_tls(): full-duplex or unset");	if (io->ssl)		errx(1, "io_start_tls(): SSL already started");	io->ssl = ssl;	if (SSL_set_fd(io->ssl, io->sock) == 0) {		ssl_error("io_start_ssl:SSL_set_fd");		return (-1);	}	if (mode == IO_WRITE) {		io->state = IO_STATE_CONNECT_SSL;		SSL_set_connect_state(io->ssl);		io_reset(io, EV_WRITE, io_dispatch_connect_ssl);	} else {		io->state = IO_STATE_ACCEPT_SSL;		SSL_set_accept_state(io->ssl);		io_reset(io, EV_READ, io_dispatch_accept_ssl);	}	return (0);}

voidssl_set_ephemeral_key_exchange(SSL_CTX *ctx, DH *dh){	if (dh == NULL || !SSL_CTX_set_tmp_dh(ctx, dh)) {		ssl_error("ssl_set_ephemeral_key_exchange");		fatal("ssl_set_ephemeral_key_exchange: cannot set tmp dh");	}}

static void ssl_clear_error(void){	while (ERR_peek_error()) {		ssl_error(LOG_INFO, "Ignoring stale SSL error");	}		ERR_clear_error();}

int C_SecureSocketClient::_call_write(unsigned char* P_data,				      size_t P_size) {  int L_result = 0 ;  L_result = SSL_write(m_ssl,P_data,P_size);  if (L_result < 0) ssl_error(L_result) ;    return (L_result) ;}

static value ssl_set_hostname( value ssl, value hostname ){	int ret;	val_check_kind(ssl,k_ssl);	val_check(hostname,string);	if( (ret = mbedtls_ssl_set_hostname(val_ssl(ssl), val_string(hostname))) != 0 )		return ssl_error(ret);	return val_true;}

SSL_CTX *ssl_ctx_create(const char *pkiname, char *cert, off_t cert_len, const char *ciphers){	SSL_CTX	*ctx;	size_t	 pkinamelen = 0;	ctx = SSL_CTX_new(SSLv23_method());	if (ctx == NULL) {		ssl_error("ssl_ctx_create");		fatal("ssl_ctx_create: could not create SSL context");	}	SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);	SSL_CTX_set_timeout(ctx, SSL_SESSION_TIMEOUT);	SSL_CTX_set_options(ctx,	    SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TICKET);	SSL_CTX_set_options(ctx,	    SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);	SSL_CTX_set_options(ctx, SSL_OP_NO_CLIENT_RENEGOTIATION);	SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);	if (ciphers == NULL)		ciphers = SSL_CIPHERS;	if (!SSL_CTX_set_cipher_list(ctx, ciphers)) {		ssl_error("ssl_ctx_create");		fatal("ssl_ctx_create: could not set cipher list");	}	if (cert != NULL) {		if (pkiname != NULL)			pkinamelen = strlen(pkiname) + 1;		if (!SSL_CTX_use_certificate_chain_mem(ctx, cert, cert_len)) {			ssl_error("ssl_ctx_create");			fatal("ssl_ctx_create: invalid certificate chain");		} else if (!ssl_ctx_fake_private_key(ctx,		    pkiname, pkinamelen, cert, cert_len, NULL, NULL)) {			ssl_error("ssl_ctx_create");			fatal("ssl_ctx_create: could not fake private key");		} else if (!SSL_CTX_check_private_key(ctx)) {			ssl_error("ssl_ctx_create");			fatal("ssl_ctx_create: invalid private key");		}	}	return (ctx);}

//get some characters from the bioint get_char_buf(BIO* bio, const void *buf, int size){	int messlen = BIO_read(bio, buf, size);	if(messlen < 0) {		ssl_error("Error while getting message/n");	}	//printf("GOT %d bytes from stream/n",messlen);	return messlen;}

int C_SecureSocketClient::_call_read() {   int L_result = 0 ;  L_result = SSL_read(m_ssl, m_read_buf, m_read_buf_size);  if (L_result < 0) ssl_error(L_result) ;  return (L_result) ;}

voidca_engine_init(void){	ENGINE		*e;	const char	*errstr, *name;	if ((e = ENGINE_get_default_RSA()) == NULL) {		if ((e = ENGINE_new()) == NULL) {			errstr = "ENGINE_new";			goto fail;		}		if (!ENGINE_set_name(e, rsae_method.name)) {			errstr = "ENGINE_set_name";			goto fail;		}		if ((rsa_default = RSA_get_default_method()) == NULL) {			errstr = "RSA_get_default_method";			goto fail;		}	} else if ((rsa_default = ENGINE_get_RSA(e)) == NULL) {		errstr = "ENGINE_get_RSA";		goto fail;	}	if ((name = ENGINE_get_name(e)) == NULL)		name = "unknown RSA engine";	log_debug("debug: %s: using %s", __func__, name);	if (rsa_default->flags & RSA_FLAG_SIGN_VER)		fatalx("unsupported RSA engine");	if (rsa_default->rsa_mod_exp == NULL)		rsae_method.rsa_mod_exp = NULL;	if (rsa_default->bn_mod_exp == NULL)		rsae_method.bn_mod_exp = NULL;	if (rsa_default->rsa_keygen == NULL)		rsae_method.rsa_keygen = NULL;	rsae_method.flags = rsa_default->flags |	    RSA_METHOD_FLAG_NO_CHECK;	rsae_method.app_data = rsa_default->app_data;	if (!ENGINE_set_RSA(e, &rsae_method)) {		errstr = "ENGINE_set_RSA";		goto fail;	}	if (!ENGINE_set_default_RSA(e)) {		errstr = "ENGINE_set_default_RSA";		goto fail;	}	return; fail:	ssl_error(errstr);	fatalx("%s", errstr);}

voidssl_connect(int s, short event, void *arg){	struct ctl_tcp_event	*cte = arg;	int			 retry_flag = 0;	int			 tls_err = 0;	int			 ret;	if (event == EV_TIMEOUT) {		cte->host->up = HOST_DOWN;		hce_notify_done(cte->host, HCE_TLS_CONNECT_TIMEOUT);		ssl_cleanup(cte);		return;	}	ret = SSL_connect(cte->ssl);	if (ret <= 0) {		tls_err = SSL_get_error(cte->ssl, ret);		switch (tls_err) {		case SSL_ERROR_WANT_READ:			retry_flag = EV_READ;			goto retry;		case SSL_ERROR_WANT_WRITE:			retry_flag = EV_WRITE;			goto retry;		default:			cte->host->up = HOST_DOWN;			ssl_error(cte->host->conf.name, "cannot connect");			hce_notify_done(cte->host, HCE_TLS_CONNECT_FAIL);			ssl_cleanup(cte);			return;		}	}	if (cte->table->conf.check == CHECK_TCP) {		cte->host->up = HOST_UP;		hce_notify_done(cte->host, HCE_TLS_CONNECT_OK);		ssl_cleanup(cte);		return;	}	if (cte->table->sendbuf != NULL) {		event_again(&cte->ev, cte->s, EV_TIMEOUT|EV_WRITE, ssl_write,		    &cte->tv_start, &cte->table->conf.timeout, cte);		return;	}	if ((cte->buf = ibuf_dynamic(SMALL_READ_BUF_SIZE, UINT_MAX)) == NULL)		fatalx("ssl_connect: cannot create dynamic buffer");	event_again(&cte->ev, cte->s, EV_TIMEOUT|EV_READ, ssl_read,	    &cte->tv_start, &cte->table->conf.timeout, cte);	return;retry:	event_again(&cte->ev, s, EV_TIMEOUT|retry_flag, ssl_connect,	    &cte->tv_start, &cte->table->conf.timeout, cte);}

static value conf_set_cert( value config, value cert, value key ) {	int r;	val_check_kind(config,k_ssl_conf);	val_check_kind(cert,k_cert);	val_check_kind(key,k_pkey);	if( (r = mbedtls_ssl_conf_own_cert(val_conf(config), val_cert(cert), val_pkey(key))) != 0 )		return ssl_error(r);	return val_true;}

static value ssl_new( value config ) {	int ret;	mbedtls_ssl_context *ssl;	val_check_kind(config,k_ssl_conf);	ssl = (mbedtls_ssl_context *)alloc(sizeof(mbedtls_ssl_context));	mbedtls_ssl_init(ssl);	if( (ret = mbedtls_ssl_setup(ssl, val_conf(config))) != 0 ){		mbedtls_ssl_free(ssl);		return ssl_error(ret);	}	return alloc_abstract( k_ssl, ssl );}

static value ssl_handshake( value ssl ) {	int r;	val_check_kind(ssl,k_ssl);	POSIX_LABEL(handshake_again);	r = mbedtls_ssl_handshake( val_ssl(ssl) );	if( r == SOCKET_ERROR ) {		HANDLE_EINTR(handshake_again);		return block_error();	}else if( r != 0 )		return ssl_error(r);	return val_true;}

SSL_CTX *ssl_ctx_create(struct relayd *env){	SSL_CTX	*ctx;	ctx = SSL_CTX_new(SSLv23_client_method());	if (ctx == NULL) {		ssl_error("ssl_ctx_create", "cannot create context");		fatal("could not create SSL context");	}	return (ctx);}

char *ssl_load_key(struct relayd *env, const char *name, off_t *len, char *pass){	FILE		*fp;	EVP_PKEY	*key = NULL;	BIO		*bio = NULL;	long		 size;	char		*data, *buf = NULL;	/* Initialize SSL library once */	ssl_init(env);	/*	 * Read (possibly) encrypted key from file	 */	if ((fp = fopen(name, "r")) == NULL)		return (NULL);	key = PEM_read_PrivateKey(fp, NULL, ssl_password_cb, pass);	fclose(fp);	if (key == NULL)		goto fail;	/*	 * Write unencrypted key to memory buffer	 */	if ((bio = BIO_new(BIO_s_mem())) == NULL)		goto fail;	if (!PEM_write_bio_PrivateKey(bio, key, NULL, NULL, 0, NULL, NULL))		goto fail;	if ((size = BIO_get_mem_data(bio, &data)) <= 0)		goto fail;	if ((buf = calloc(1, size)) == NULL)		goto fail;	memcpy(buf, data, size);	BIO_free_all(bio);	EVP_PKEY_free(key);	*len = (off_t)size;	return (buf); fail:	ssl_error(__func__, name);	free(buf);	if (bio != NULL)		BIO_free_all(bio);	if (key != NULL)		EVP_PKEY_free(key);	return (NULL);}

//Experiment encryption function similar to that for files but for character buffers instead.//Was to be used as an alternative to signing the token verification with the public key//but also couldn't get it working. Not used in the endchar* decrypt_encrypt_buffer(char *inbuf, int inlen, int *len, unsigned char *key, int do_crypt){	unsigned char *outbuf = malloc(1024 + EVP_MAX_BLOCK_LENGTH);	int outlen;	unsigned char iv[] = "0";	EVP_CIPHER_CTX ctx;	EVP_CIPHER_CTX_init(&ctx);	EVP_CipherInit_ex(&ctx, EVP_des_ede3_cbc(), NULL, key, iv, do_crypt); //do_crypt 1 for enc, 0 for dec	if(!EVP_CipherUpdate(&ctx, outbuf, &outlen, inbuf, inlen)) {		fprintf(stderr, "Cipher Update on buffer/n");		ssl_error("Cipher update");		return NULL;	}	if(!EVP_CipherFinal_ex(&ctx, outbuf, &outlen)) {		ssl_error("cipher final");		return NULL;	}		*len = outlen;	return outbuf;}

int ssl_create_connection(struct ssl_t *ssl, struct client_t *c, int i_am_client){	struct ssl_connection_t  *sc;		sc = hmalloc(sizeof(*sc));	sc->connection = SSL_new(ssl->ctx);		if (sc->connection == NULL) {		ssl_error(LOG_ERR, "SSL_new failed");		hfree(sc);		return -1;	}		if (SSL_set_fd(sc->connection, c->fd) == 0) {		ssl_error(LOG_ERR, "SSL_set_fd failed");		SSL_free(sc->connection);		hfree(sc);		return -1;	}		if (i_am_client) {		SSL_set_connect_state(sc->connection);	} else {		SSL_set_accept_state(sc->connection);	}		if (SSL_set_ex_data(sc->connection, ssl_connection_index, c) == 0) {		ssl_error(LOG_ERR, "SSL_set_ex_data failed");		SSL_free(sc->connection);		hfree(sc);		return -1;	}		sc->validate = ssl->validate;	c->ssl_con = sc;		return 0;}

voidssl_transaction(struct ctl_tcp_event *cte){	if (cte->ssl == NULL) {		cte->ssl = SSL_new(cte->table->ssl_ctx);		if (cte->ssl == NULL) {			ssl_error(cte->host->conf.name, "cannot create object");			fatal("cannot create SSL object");		}	}	if (SSL_set_fd(cte->ssl, cte->s) == 0) {		cte->host->up = HOST_UNKNOWN;		ssl_error(cte->host->conf.name, "cannot set fd");		ssl_cleanup(cte);		hce_notify_done(cte->host, HCE_TLS_CONNECT_ERROR);		return;	}	SSL_set_connect_state(cte->ssl);	event_again(&cte->ev, cte->s, EV_TIMEOUT|EV_WRITE, ssl_connect,	    &cte->tv_start, &cte->table->conf.timeout, cte);}

static value cert_load_path(value path){	int r;	mbedtls_x509_crt *x;	value v;	val_check(path,string);	x = (mbedtls_x509_crt *)alloc(sizeof(mbedtls_x509_crt));	mbedtls_x509_crt_init( x );	if( (r = mbedtls_x509_crt_parse_path(x, val_string(path))) != 0 ){		return ssl_error(r);	}	v = alloc_abstract(k_cert, x);	val_gc(v,free_cert);	return v;}