7 files changed, 912 insertions, 140 deletions
diff --git a/drivers/openssl/SCsub b/drivers/openssl/SCsub
new file mode 100644
index 0000000000..7197364e01
--- /dev/null
+++ b/drivers/openssl/SCsub
@@ -0,0 +1,8 @@
+Import('env')
+
+env.add_source_files(env.drivers_sources,"*.cpp")
+env.add_source_files(env.drivers_sources,"*.c")
+
+Export('env')
+
+
diff --git a/drivers/openssl/curl_hostcheck.c b/drivers/openssl/curl_hostcheck.c
new file mode 100644
index 0000000000..f5d44bfaf1
--- /dev/null
+++ b/drivers/openssl/curl_hostcheck.c
@@ -0,0 +1,221 @@
+/***************************************************************************
+ *                                  _   _ ____  _
+ *  Project                     ___| | | |  _ \| |
+ *                             / __| | | | |_) | |
+ *                            | (__| |_| |  _ <| |___
+ *                             \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at http://curl.haxx.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ ***************************************************************************/
+
+/* This file is an amalgamation of hostcheck.c and most of rawstr.c
+   from cURL.  The contents of the COPYING file mentioned above are:
+
+COPYRIGHT AND PERMISSION NOTICE
+
+Copyright (c) 1996 - 2013, Daniel Stenberg, <daniel@haxx.se>.
+
+All rights reserved.
+
+Permission to use, copy, modify, and distribute this software for any purpose
+with or without fee is hereby granted, provided that the above copyright
+notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN
+NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE
+OR OTHER DEALINGS IN THE SOFTWARE.
+
+Except as contained in this notice, the name of a copyright holder shall not
+be used in advertising or otherwise to promote the sale, use or other dealings
+in this Software without prior written authorization of the copyright holder.
+*/
+
+#ifdef OPENSSL_ENABLED
+
+#include "curl_hostcheck.h"
+#include <string.h>
+
+/* Portable, consistent toupper (remember EBCDIC). Do not use toupper() because
+   its behavior is altered by the current locale. */
+static char Curl_raw_toupper(char in)
+{
+  switch (in) {
+  case 'a':
+    return 'A';
+  case 'b':
+    return 'B';
+  case 'c':
+    return 'C';
+  case 'd':
+    return 'D';
+  case 'e':
+    return 'E';
+  case 'f':
+    return 'F';
+  case 'g':
+    return 'G';
+  case 'h':
+    return 'H';
+  case 'i':
+    return 'I';
+  case 'j':
+    return 'J';
+  case 'k':
+    return 'K';
+  case 'l':
+    return 'L';
+  case 'm':
+    return 'M';
+  case 'n':
+    return 'N';
+  case 'o':
+    return 'O';
+  case 'p':
+    return 'P';
+  case 'q':
+    return 'Q';
+  case 'r':
+    return 'R';
+  case 's':
+    return 'S';
+  case 't':
+    return 'T';
+  case 'u':
+    return 'U';
+  case 'v':
+    return 'V';
+  case 'w':
+    return 'W';
+  case 'x':
+    return 'X';
+  case 'y':
+    return 'Y';
+  case 'z':
+    return 'Z';
+  }
+  return in;
+}
+
+/*
+ * Curl_raw_equal() is for doing "raw" case insensitive strings. This is meant
+ * to be locale independent and only compare strings we know are safe for
+ * this.  See http://daniel.haxx.se/blog/2008/10/15/strcasecmp-in-turkish/ for
+ * some further explanation to why this function is necessary.
+ *
+ * The function is capable of comparing a-z case insensitively even for
+ * non-ascii.
+ */
+
+static int Curl_raw_equal(const char *first, const char *second)
+{
+  while(*first && *second) {
+    if(Curl_raw_toupper(*first) != Curl_raw_toupper(*second))
+      /* get out of the loop as soon as they don't match */
+      break;
+    first++;
+    second++;
+  }
+  /* we do the comparison here (possibly again), just to make sure that if the
+     loop above is skipped because one of the strings reached zero, we must not
+     return this as a successful match */
+  return (Curl_raw_toupper(*first) == Curl_raw_toupper(*second));
+}
+
+static int Curl_raw_nequal(const char *first, const char *second, size_t max)
+{
+  while(*first && *second && max) {
+    if(Curl_raw_toupper(*first) != Curl_raw_toupper(*second)) {
+      break;
+    }
+    max--;
+    first++;
+    second++;
+  }
+  if(0 == max)
+    return 1; /* they are equal this far */
+
+  return Curl_raw_toupper(*first) == Curl_raw_toupper(*second);
+}
+
+/*
+ * Match a hostname against a wildcard pattern.
+ * E.g.
+ *  "foo.host.com" matches "*.host.com".
+ *
+ * We use the matching rule described in RFC6125, section 6.4.3.
+ * http://tools.ietf.org/html/rfc6125#section-6.4.3
+ */
+
+static int hostmatch(const char *hostname, const char *pattern)
+{
+  const char *pattern_label_end, *pattern_wildcard, *hostname_label_end;
+  int wildcard_enabled;
+  size_t prefixlen, suffixlen;
+  pattern_wildcard = strchr(pattern, '*');
+  if(pattern_wildcard == NULL)
+    return Curl_raw_equal(pattern, hostname) ?
+      CURL_HOST_MATCH : CURL_HOST_NOMATCH;
+
+  /* We require at least 2 dots in pattern to avoid too wide wildcard
+     match. */
+  wildcard_enabled = 1;
+  pattern_label_end = strchr(pattern, '.');
+  if(pattern_label_end == NULL || strchr(pattern_label_end+1, '.') == NULL ||
+     pattern_wildcard > pattern_label_end ||
+     Curl_raw_nequal(pattern, "xn--", 4)) {
+    wildcard_enabled = 0;
+  }
+  if(!wildcard_enabled)
+    return Curl_raw_equal(pattern, hostname) ?
+      CURL_HOST_MATCH : CURL_HOST_NOMATCH;
+
+  hostname_label_end = strchr(hostname, '.');
+  if(hostname_label_end == NULL ||
+     !Curl_raw_equal(pattern_label_end, hostname_label_end))
+    return CURL_HOST_NOMATCH;
+
+  /* The wildcard must match at least one character, so the left-most
+     label of the hostname is at least as large as the left-most label
+     of the pattern. */
+  if(hostname_label_end - hostname < pattern_label_end - pattern)
+    return CURL_HOST_NOMATCH;
+
+  prefixlen = pattern_wildcard - pattern;
+  suffixlen = pattern_label_end - (pattern_wildcard+1);
+  return Curl_raw_nequal(pattern, hostname, prefixlen) &&
+    Curl_raw_nequal(pattern_wildcard+1, hostname_label_end - suffixlen,
+                    suffixlen) ?
+    CURL_HOST_MATCH : CURL_HOST_NOMATCH;
+}
+
+int Tool_Curl_cert_hostcheck(const char *match_pattern, const char *hostname)
+{
+  if(!match_pattern || !*match_pattern ||
+      !hostname || !*hostname) /* sanity check */
+    return 0;
+
+  if(Curl_raw_equal(hostname, match_pattern)) /* trivial case */
+    return 1;
+
+  if(hostmatch(hostname,match_pattern) == CURL_HOST_MATCH)
+    return 1;
+  return 0;
+}
+
+#endif
diff --git a/drivers/openssl/curl_hostcheck.h b/drivers/openssl/curl_hostcheck.h
new file mode 100644
index 0000000000..7611c6e443
--- /dev/null
+++ b/drivers/openssl/curl_hostcheck.h
@@ -0,0 +1,43 @@
+#ifndef HEADER_TOOL_CURL_HOSTCHECK_H
+#define HEADER_TOOL_CURL_HOSTCHECK_H
+
+#ifdef OPENSSL_ENABLED
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/***************************************************************************
+ *                                  _   _ ____  _
+ *  Project                     ___| | | |  _ \| |
+ *                             / __| | | | |_) | |
+ *                            | (__| |_| |  _ <| |___
+ *                             \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at http://curl.haxx.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ ***************************************************************************/
+
+#define CURL_HOST_NOMATCH 0
+#define CURL_HOST_MATCH   1
+int Tool_Curl_cert_hostcheck(const char *match_pattern, const char *hostname);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
+
+#endif /* HEADER_CURL_HOSTCHECK_H */
+
diff --git a/drivers/openssl/stream_peer_openssl.cpp b/drivers/openssl/stream_peer_openssl.cpp
new file mode 100644
index 0000000000..2414533df2
--- /dev/null
+++ b/drivers/openssl/stream_peer_openssl.cpp
@@ -0,0 +1,563 @@
+#include "stream_peer_openssl.h"
+
+#ifdef OPENSSL_ENABLED
+#include "globals.h"
+#include "os/file_access.h"
+#include "curl_hostcheck.h"
+//hostname matching code from curl
+
+
+//#include <openssl/applink.c> // To prevent crashing (see the OpenSSL FAQ)
+
+bool StreamPeerOpenSSL::_match_host_name(const char *name, const char *hostname) {
+
+	return Tool_Curl_cert_hostcheck(name,hostname)==CURL_HOST_MATCH;
+//	print_line("MATCH: "+String(name)+" vs "+String(hostname));
+//	return true;
+}
+
+Error StreamPeerOpenSSL::_match_common_name(const char *hostname, const X509 *server_cert) {
+
+	int common_name_loc = -1;
+	X509_NAME_ENTRY *common_name_entry = NULL;
+	ASN1_STRING *common_name_asn1 = NULL;
+	char *common_name_str = NULL;
+
+	// Find the position of the CN field in the Subject field of the certificate
+	common_name_loc = X509_NAME_get_index_by_NID(X509_get_subject_name((X509 *) server_cert), NID_commonName, -1);
+
+	ERR_FAIL_COND_V(common_name_loc < 0, ERR_INVALID_PARAMETER );
+
+	// Extract the CN field
+	common_name_entry = X509_NAME_get_entry(X509_get_subject_name((X509 *) server_cert), common_name_loc);
+
+	ERR_FAIL_COND_V(common_name_entry == NULL, ERR_INVALID_PARAMETER );
+
+	// Convert the CN field to a C string
+	common_name_asn1 = X509_NAME_ENTRY_get_data(common_name_entry);
+
+	ERR_FAIL_COND_V(common_name_asn1 == NULL, ERR_INVALID_PARAMETER );
+
+	common_name_str = (char *) ASN1_STRING_data(common_name_asn1);
+
+	// Make sure there isn't an embedded NUL character in the CN
+	bool malformed_certificate = (size_t)ASN1_STRING_length(common_name_asn1) != strlen(common_name_str);
+
+	ERR_FAIL_COND_V(malformed_certificate, ERR_INVALID_PARAMETER );
+
+
+	// Compare expected hostname with the CN
+
+
+	return _match_host_name(common_name_str,hostname)?OK:FAILED;
+
+}
+
+
+/**
+* Tries to find a match for hostname in the certificate's Subject Alternative Name extension.
+*
+*/
+
+Error StreamPeerOpenSSL::_match_subject_alternative_name(const char *hostname, const X509 *server_cert) {
+
+	Error result = FAILED;
+	int i;
+	int san_names_nb = -1;
+	STACK_OF(GENERAL_NAME) *san_names = NULL;
+
+	// Try to extract the names within the SAN extension from the certificate
+	san_names = (STACK_OF(GENERAL_NAME) *)X509_get_ext_d2i((X509 *) server_cert, NID_subject_alt_name, NULL, NULL);
+	if (san_names == NULL) {
+		return ERR_FILE_NOT_FOUND;
+	}
+	san_names_nb = sk_GENERAL_NAME_num(san_names);
+
+	// Check each name within the extension
+	for (i=0; i<san_names_nb; i++) {
+		const GENERAL_NAME *current_name = sk_GENERAL_NAME_value(san_names, i);
+
+		if (current_name->type == GEN_DNS) {
+			// Current name is a DNS name, let's check it
+			char *dns_name = (char *) ASN1_STRING_data(current_name->d.dNSName);
+
+			// Make sure there isn't an embedded NUL character in the DNS name
+			if ((size_t)ASN1_STRING_length(current_name->d.dNSName) != strlen(dns_name)) {
+				result = ERR_INVALID_PARAMETER;
+				break;
+			}
+			else { // Compare expected hostname with the DNS name
+				if (_match_host_name(dns_name, hostname)) {
+					result = OK;
+					break;
+				}
+			}
+		}
+	}
+	sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free);
+
+	return result;
+}
+
+/* See http://archives.seul.org/libevent/users/Jan-2013/msg00039.html */
+int StreamPeerOpenSSL::_cert_verify_callback(X509_STORE_CTX *x509_ctx, void *arg) {
+
+	/* This is the function that OpenSSL would call if we hadn't called
+	 * SSL_CTX_set_cert_verify_callback().  Therefore, we are "wrapping"
+	 * the default functionality, rather than replacing it. */
+
+	bool base_cert_valid = X509_verify_cert(x509_ctx);
+	if (!base_cert_valid) {
+		print_line("Cause: "+String(X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509_ctx))));
+	}
+	X509 *server_cert = X509_STORE_CTX_get_current_cert(x509_ctx);
+
+	ERR_FAIL_COND_V(!server_cert,0);
+
+	char cert_str[256];
+	X509_NAME_oneline(X509_get_subject_name (server_cert),
+			  cert_str, sizeof (cert_str));
+
+	print_line("CERT STR: "+String(cert_str));
+	print_line("VALID: "+itos(base_cert_valid));
+
+	if (!base_cert_valid)
+		return 0;
+
+	StreamPeerOpenSSL *ssl = (StreamPeerOpenSSL *)arg;
+
+	if (ssl->validate_hostname) {
+
+		Error err = _match_subject_alternative_name(ssl->hostname.utf8().get_data(),server_cert);
+
+		if (err==ERR_FILE_NOT_FOUND) {
+
+			err = _match_common_name(ssl->hostname.utf8().get_data(),server_cert);
+		}
+
+		if (err!=OK) {
+
+			ssl->status=STATUS_ERROR_HOSTNAME_MISMATCH;
+			return 0;
+		}
+	}
+
+	return 1;
+
+}
+
+
+
+int StreamPeerOpenSSL::_bio_create( BIO *b ) {
+	b->init = 1;
+	b->num = 0;
+	b->ptr = NULL;
+	b->flags = 0;
+	return 1;
+}
+
+int StreamPeerOpenSSL::_bio_destroy( BIO *b )
+{
+	if ( b == NULL )
+		return 0;
+
+	b->ptr = NULL;		/* sb_tls_remove() will free it */
+	b->init = 0;
+	b->flags = 0;
+	return 1;
+}
+
+int StreamPeerOpenSSL::_bio_read( BIO *b, char *buf, int len ) {
+
+
+	if ( buf == NULL || len <= 0 ) return 0;
+
+	StreamPeerOpenSSL *sp = (StreamPeerOpenSSL *)b->ptr;
+
+	ERR_FAIL_COND_V( sp == NULL, 0);
+
+	BIO_clear_retry_flags( b );
+	if (sp->use_blocking) {
+
+		Error err = sp->base->get_data((uint8_t*)buf,len);
+		if (err!=OK) {
+			return -1;
+		}
+
+		return len;
+	} else {
+
+		int got;
+		Error err = sp->base->get_partial_data((uint8_t*)buf,len,got);
+		if (err!=OK) {
+			return -1;
+		}
+		if (got==0) {
+			BIO_set_retry_read( b );
+		}
+		return got;
+	}
+
+	//unreachable
+	return 0;
+}
+
+int StreamPeerOpenSSL::_bio_write( BIO *b, const char *buf, int len ) {
+
+	if ( buf == NULL || len <= 0 ) return 0;
+
+	StreamPeerOpenSSL *sp = (StreamPeerOpenSSL *)b->ptr;
+
+	ERR_FAIL_COND_V( sp == NULL, 0);
+
+	BIO_clear_retry_flags( b );
+	if (sp->use_blocking) {
+
+		Error err = sp->base->put_data((const uint8_t*)buf,len);
+		if (err!=OK) {
+			return -1;
+		}
+
+		return len;
+	} else {
+
+		int sent;
+		Error err = sp->base->put_partial_data((const uint8_t*)buf,len,sent);
+		if (err!=OK) {
+			return -1;
+		}
+		if (sent==0) {
+			BIO_set_retry_write( b );
+		}
+		return sent;
+
+	}
+
+	//unreachable
+	return 0;
+}
+
+long StreamPeerOpenSSL::_bio_ctrl( BIO *b, int cmd, long num, void *ptr )
+{
+	if ( cmd == BIO_CTRL_FLUSH ) {
+		/* The OpenSSL library needs this */
+		return 1;
+	}
+	return 0;
+}
+
+int StreamPeerOpenSSL::_bio_gets( BIO *b, char *buf, int len )
+{
+	return -1;
+}
+
+int StreamPeerOpenSSL::_bio_puts( BIO *b, const char *str )
+{
+	return _bio_write( b, str, strlen( str ) );
+}
+
+BIO_METHOD StreamPeerOpenSSL::_bio_method = {
+	/* it's a source/sink BIO */
+	( 100 | 0x400 ),
+	"streampeer glue",
+	_bio_write,
+	_bio_read,
+	_bio_puts,
+	_bio_gets,
+	_bio_ctrl,
+	_bio_create,
+	_bio_destroy
+};
+
+Error StreamPeerOpenSSL::connect(Ref<StreamPeer> p_base, bool p_validate_certs, const String& p_for_hostname) {
+
+	if (connected)
+		disconnect();
+
+
+	hostname=p_for_hostname;
+	status=STATUS_DISCONNECTED;
+
+	// Set up a SSL_CTX object, which will tell our BIO object how to do its work
+	ctx = SSL_CTX_new(SSLv23_client_method());
+	base=p_base;
+	validate_certs=p_validate_certs;
+	validate_hostname=p_for_hostname!="";
+
+	if (p_validate_certs) {
+
+
+		if (certs.size()) {
+			//yay for undocumented OpenSSL functions
+
+			X509_STORE *store = SSL_CTX_get_cert_store(ctx);
+			for(int i=0;i<certs.size();i++) {
+
+				X509_STORE_add_cert(store,certs[i]);
+
+			}
+#if 0
+			const unsigned char *in=(const unsigned char *)certs.ptr();
+			X509 *Cert = d2i_X509(NULL, &in, certs.size()-1);
+			if (!Cert) {
+				print_line(String(ERR_error_string(ERR_get_error(),NULL)));
+			}
+			ERR_FAIL_COND_V(!Cert,ERR_PARSE_ERROR);
+
+			X509_STORE *store = SSL_CTX_get_cert_store(ctx);
+			X509_STORE_add_cert(store,Cert);
+
+			//char *str = X509_NAME_oneline(X509_get_subject_name(Cert),0,0);
+			//printf ("subject: %s\n", str); /* [1] */
+#endif
+		}
+
+		//used for testing
+		//int res = SSL_CTX_load_verify_locations(ctx,"/etc/ssl/certs/ca-certificates.crt",NULL);
+		//print_line("verify locations res: "+itos(res));
+
+
+		/* Ask OpenSSL to verify the server certificate.  Note that this
+		 * does NOT include verifying that the hostname is correct.
+		 * So, by itself, this means anyone with any legitimate
+		 * CA-issued certificate for any website, can impersonate any
+		 * other website in the world.  This is not good.  See "The
+		 * Most Dangerous Code in the World" article at
+		 * https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html
+		 */
+		SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
+		/* This is how we solve the problem mentioned in the previous
+		 * comment.  We "wrap" OpenSSL's validation routine in our
+		 * own routine, which also validates the hostname by calling
+		 * the code provided by iSECPartners.  Note that even though
+		 * the "Everything You've Always Wanted to Know About
+		 * Certificate Validation With OpenSSL (But Were Afraid to
+		 * Ask)" paper from iSECPartners says very explicitly not to
+		 * call SSL_CTX_set_cert_verify_callback (at the bottom of
+		 * page 2), what we're doing here is safe because our
+		 * cert_verify_callback() calls X509_verify_cert(), which is
+		 * OpenSSL's built-in routine which would have been called if
+		 * we hadn't set the callback.  Therefore, we're just
+		 * "wrapping" OpenSSL's routine, not replacing it. */
+		SSL_CTX_set_cert_verify_callback (ctx, _cert_verify_callback,this);
+
+		//Let the verify_callback catch the verify_depth error so that we get an appropriate error in the logfile. (??)
+		SSL_CTX_set_verify_depth(ctx,max_cert_chain_depth + 1);
+
+	}
+
+
+
+
+
+	ssl = SSL_new( ctx );
+	bio = BIO_new( &_bio_method );
+	bio->ptr = this;
+	SSL_set_bio( ssl, bio, bio );
+
+	use_blocking=true; // let handshake use blocking
+	// Set the SSL to automatically retry on failure.
+	SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
+
+	// Same as before, try to connect.
+	int result = SSL_connect( ssl );
+	print_line("CONNECTION RESULT: "+itos(result));
+
+	X509 * peer = SSL_get_peer_certificate(ssl);
+
+	if (peer) {
+		bool cert_ok = SSL_get_verify_result(ssl) == X509_V_OK;
+		print_line("cert_ok: "+itos(cert_ok));
+
+	} else if (validate_certs){
+		status=STATUS_ERROR_NO_CERTIFICATE;
+	}
+
+	connected=true;
+	status=STATUS_CONNECTED;
+
+	return OK;
+}
+
+Error StreamPeerOpenSSL::accept(Ref<StreamPeer> p_base) {
+
+
+	return ERR_UNAVAILABLE;
+}
+
+void StreamPeerOpenSSL::_print_error(int err) {
+
+	err = SSL_get_error(ssl,err);
+	switch(err) {
+		case SSL_ERROR_NONE: ERR_PRINT("NO ERROR: The TLS/SSL I/O operation completed"); break;
+		case SSL_ERROR_ZERO_RETURN: ERR_PRINT("The TLS/SSL connection has been closed.");
+		case SSL_ERROR_WANT_READ:
+		case SSL_ERROR_WANT_WRITE:
+			ERR_PRINT("The operation did not complete."); break;
+		case SSL_ERROR_WANT_CONNECT:
+		case SSL_ERROR_WANT_ACCEPT:
+			ERR_PRINT("The connect/accept operation did not complete"); break;
+		case SSL_ERROR_WANT_X509_LOOKUP:
+			ERR_PRINT("The operation did not complete because an application callback set by SSL_CTX_set_client_cert_cb() has asked to be called again."); break;
+		case SSL_ERROR_SYSCALL:
+			ERR_PRINT("Some I/O error occurred. The OpenSSL error queue may contain more information on the error."); break;
+		case SSL_ERROR_SSL:
+			ERR_PRINT("A failure in the SSL library occurred, usually a protocol error."); break;
+
+	}
+}
+
+Error StreamPeerOpenSSL::put_data(const uint8_t* p_data,int p_bytes) {
+
+	ERR_FAIL_COND_V(!connected,ERR_UNCONFIGURED);
+
+	while(p_bytes>0) {
+		int ret = SSL_write(ssl,p_data,p_bytes);
+		if (ret<=0) {
+			_print_error(ret);
+			disconnect();
+			return ERR_CONNECTION_ERROR;
+		}
+		p_data+=ret;
+		p_bytes-=ret;
+	}
+
+	return OK;
+
+}
+
+Error StreamPeerOpenSSL::put_partial_data(const uint8_t* p_data,int p_bytes, int &r_sent){
+
+	ERR_FAIL_COND_V(!connected,ERR_UNCONFIGURED);
+	if (p_bytes==0)
+		return OK;
+
+	int s=0;
+	Error err = put_data(p_data,p_bytes);
+	if (err!=OK)
+		return err;
+
+	r_sent=p_bytes;
+	return OK;
+
+}
+
+Error StreamPeerOpenSSL::get_data(uint8_t* p_buffer, int p_bytes){
+
+	ERR_FAIL_COND_V(!connected,ERR_UNCONFIGURED);
+
+	while(p_bytes>0) {
+
+		int ret = SSL_read(ssl,p_buffer,p_bytes);
+		if (ret<=0) {
+			_print_error(ret);
+			disconnect();
+			return ERR_CONNECTION_ERROR;
+		}
+		p_buffer+=ret;
+		p_bytes-=ret;
+	}
+
+	return OK;
+}
+
+Error StreamPeerOpenSSL::get_partial_data(uint8_t* p_buffer, int p_bytes,int &r_received){
+
+	ERR_FAIL_COND_V(!connected,ERR_UNCONFIGURED);
+	if (p_bytes==0) {
+		r_received=0;
+		return OK;
+	}
+
+	Error err = get_data(p_buffer,p_bytes);
+	if (err!=OK)
+		return err;
+	r_received=p_bytes;
+	return OK;
+}
+
+StreamPeerOpenSSL::StreamPeerOpenSSL() {
+
+	ctx=NULL;
+	ssl=NULL;
+	bio=NULL;
+	connected=false;
+	use_blocking=true; //might be improved int the future, but for now it always blocks
+	max_cert_chain_depth=9;
+	flags=0;
+}
+
+void StreamPeerOpenSSL::disconnect() {
+
+	if (!connected)
+		return;
+	SSL_shutdown( ssl );
+	SSL_free( ssl );
+	SSL_CTX_free(ctx);
+	base=Ref<StreamPeer>();
+	connected=false;
+	validate_certs=false;
+	validate_hostname=false;
+	status=STATUS_DISCONNECTED;
+
+
+}
+
+StreamPeerOpenSSL::Status StreamPeerOpenSSL::get_status() const {
+
+	return status;
+}
+
+
+StreamPeerOpenSSL::~StreamPeerOpenSSL() {
+	disconnect();
+}
+
+StreamPeerSSL* StreamPeerOpenSSL::_create_func() {
+
+	return memnew( StreamPeerOpenSSL );
+}
+
+
+Vector<X509*> StreamPeerOpenSSL::certs;
+
+
+void StreamPeerOpenSSL::initialize_ssl() {
+
+	_create=_create_func;
+	CRYPTO_malloc_init(); // Initialize malloc, free, etc for OpenSSL's use
+	SSL_library_init(); // Initialize OpenSSL's SSL libraries
+	SSL_load_error_strings(); // Load SSL error strings
+	ERR_load_BIO_strings(); // Load BIO error strings
+	OpenSSL_add_all_algorithms(); // Load all available encryption algorithms
+	String certs_path =GLOBAL_DEF("ssl/certificates","");
+	Globals::get_singleton()->set_custom_property_info("ssl/certificates",PropertyInfo(Variant::STRING,"ssl/certificates",PROPERTY_HINT_FILE,"*.crt"));
+	if (certs_path!="") {
+
+		Vector<uint8_t> data = FileAccess::get_file_as_array(certs_path);;
+		if (data.size()) {
+			data.push_back(0);
+			BIO* mem = BIO_new(BIO_s_mem());
+			BIO_puts(mem,(const char*) data.ptr());
+			while(true) {
+				X509*cert = PEM_read_bio_X509(mem, NULL, 0, NULL);
+				if (!cert)
+					break;
+				certs.push_back(cert);
+			}
+			BIO_free(mem);
+		}
+		print_line("Loaded certs: "+itos(certs.size()));
+	}
+
+}
+
+void StreamPeerOpenSSL::finalize_ssl(){
+
+	for(int i=0;i<certs.size();i++) {
+		X509_free(certs[i]);
+	}
+	certs.clear();
+}
+
+#endif
diff --git a/drivers/openssl/stream_peer_openssl.h b/drivers/openssl/stream_peer_openssl.h
new file mode 100644
index 0000000000..e487cfde7c
--- /dev/null
+++ b/drivers/openssl/stream_peer_openssl.h
@@ -0,0 +1,77 @@
+#ifndef STREAM_PEER_OPEN_SSL_H
+#define STREAM_PEER_OPEN_SSL_H
+
+#ifdef OPENSSL_ENABLED
+
+#include "io/stream_peer_ssl.h"
+#include <openssl/bio.h> // BIO objects for I/O
+#include <openssl/ssl.h> // SSL and SSL_CTX for SSL connections
+#include <openssl/err.h> // Error reporting
+#include <openssl/x509v3.h>
+#include <stdio.h> // If you don't know what this is for stop reading now.
+
+class StreamPeerOpenSSL : public StreamPeerSSL {
+private:
+	static int _bio_create( BIO *b );
+	static int _bio_destroy( BIO *b );
+	static int _bio_read( BIO *b, char *buf, int len );
+	static int _bio_write( BIO *b, const char *buf, int len );
+	static long _bio_ctrl( BIO *b, int cmd, long num, void *ptr );
+	static int _bio_gets( BIO *b, char *buf, int len );
+	static int _bio_puts( BIO *b, const char *str );
+
+	static BIO_METHOD _bio_method;
+
+	static bool _match_host_name(const char *name, const char *hostname);
+	static Error _match_common_name(const char *hostname, const X509 *server_cert);
+	static Error _match_subject_alternative_name(const char *hostname, const X509 *server_cert);
+
+
+	static int _cert_verify_callback(X509_STORE_CTX *x509_ctx, void *arg);
+
+
+	Status status;
+	String hostname;
+	int max_cert_chain_depth;
+	SSL_CTX* ctx;
+	SSL* ssl;
+	BIO* bio;
+	bool connected;
+	int flags;
+	bool use_blocking;
+	bool validate_certs;
+	bool validate_hostname;
+
+	Ref<StreamPeer> base;
+
+	static StreamPeerSSL* _create_func();
+	void _print_error(int err);
+
+	static Vector<X509*> certs;
+
+protected:
+	static void _bind_methods();
+public:
+
+
+	virtual Error accept(Ref<StreamPeer> p_base);
+	virtual Error connect(Ref<StreamPeer> p_base,bool p_validate_certs=false,const String& p_for_hostname=String());
+	virtual Status get_status() const;
+
+	virtual void disconnect();
+
+	virtual Error put_data(const uint8_t* p_data,int p_bytes);
+	virtual Error put_partial_data(const uint8_t* p_data,int p_bytes, int &r_sent);
+
+	virtual Error get_data(uint8_t* p_buffer, int p_bytes);
+	virtual Error get_partial_data(uint8_t* p_buffer, int p_bytes,int &r_received);
+
+	static void initialize_ssl();
+	static void finalize_ssl();
+
+	StreamPeerOpenSSL();
+	~StreamPeerOpenSSL();
+};
+
+#endif
+#endif // STREAM_PEER_SSL_H
diff --git a/drivers/openssl/stream_peer_ssl.cpp b/drivers/openssl/stream_peer_ssl.cpp
deleted file mode 100644
index 19a17ea0cd..0000000000
--- a/drivers/openssl/stream_peer_ssl.cpp
+++ /dev/null
@@ -1,97 +0,0 @@
-#include "stream_peer_ssl.h"
-
-
-Error StreamPeerSSL::connect(const String &p_host,int p_port,int p_flags) {
-
-	// Set up a SSL_CTX object, which will tell our BIO object how to do its work
-	ctx = SSL_CTX_new(SSLv23_client_method());
-	// Create our BIO object for SSL connections.
-	BIO* bio = BIO_new_ssl_connect(ctx);
-	// Failure?
-	if (bio == NULL) {
-
-		// We need to free up the SSL_CTX before we leave.
-		ERR_FAIL_COND_V(bio==NULL,ERR_CANT_CREATE);
-	}
-	// Makes ssl point to bio's SSL object.
-	BIO_get_ssl(bio, &ssl);
-	// Set the SSL to automatically retry on failure.
-	SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
-	// We're connection to google.com on port 443.
-	BIO_set_conn_hostname(bio, (p_host+":"+itos(p_port)).utf8().get_data());
-
-	// Same as before, try to connect.
-	if (BIO_do_connect(bio) <= 0) {
-
-		ERR_EXPLAIN("Failed to connect to '"+p_host+"'' port "+itos(p_port));
-		BIO_free_all(bio);
-		SSL_CTX_free(ctx);
-		ERR_FAIL_V(ERR_CANT_CONNECT);
-	}
-
-	// Now we need to do the SSL handshake, so we can communicate.
-	if (BIO_do_handshake(bio) <= 0) {
-		ERR_EXPLAIN("Failed to handshake to '"+p_host+"'' port "+itos(p_port));
-		BIO_free_all(bio);
-		SSL_CTX_free(ctx);
-		ERR_FAIL_V(ERR_CANT_CONNECT);
-	}
-
-
-	// Create a buffer for grabbing information from the page.
-	char buf[1024];
-	memset(buf, 0, sizeof(buf));
-	// Create a buffer for the reqest we'll send to the server
-	char send[1024];
-	memset(send, 0, sizeof(send));
-	// Create our GET request.
-	strcat(send, "GET / HTTP/1.1\nHost:google.com\nUser Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)\nConnection: Close\n\n");
-	// BIO_puts sends a null-terminated string to the server. In this case it's our GET request.
-	BIO_puts(bio, send);
-	// Loop while there's information to be read.
-	while (1) {
-		// BIO_read() reads data from the server into a buffer. It returns the number of characters read in.
-		int x = BIO_read(bio, buf, sizeof(buf) - 1);
-		// If we haven't read in anything, assume there's nothing more to be sent since we used Connection: Close.
-		if (x == 0) {
-			break;
-		}
-		// If BIO_read() returns a negative number, there was an error
-		else if (x < 0) {
-			// BIO_should_retry lets us know if we should keep trying to read data or not.
-			if (!BIO_should_retry(bio)) {
-				printf("\nRead Failed!\n");
-				BIO_free_all(bio);
-				SSL_CTX_free(ctx);
-				return;
-			}
-		}
-		// We actually got some data, without errors!
-		else {
-			// Null-terminate our buffer, just in case
-			buf[x] = 0;
-			// Echo what the server sent to the screen
-			printf("%s", buf);
-		}
-	}
-	// Free up that BIO object we created.
-	BIO_free_all(bio);
-	// Remember, we also need to free up that SSL_CTX object!
-	SSL_CTX_free(ctx);
-	// Return.
-
-}
-
-void StreamPeerSSL::initialize_ssl() {
-
-	CRYPTO_malloc_init(); // Initialize malloc, free, etc for OpenSSL's use
-	SSL_library_init(); // Initialize OpenSSL's SSL libraries
-	SSL_load_error_strings(); // Load SSL error strings
-	ERR_load_BIO_strings(); // Load BIO error strings
-	OpenSSL_add_all_algorithms(); // Load all available encryption algorithms
-}
-
-void StreamPeerSSL::finalize_ssl(){
-
-
-}
diff --git a/drivers/openssl/stream_peer_ssl.h b/drivers/openssl/stream_peer_ssl.h
deleted file mode 100644
index 74866c2da4..0000000000
--- a/drivers/openssl/stream_peer_ssl.h
+++ /dev/null
@@ -1,43 +0,0 @@
-#ifndef STREAM_PEER_SSL_H
-#define STREAM_PEER_SSL_H
-
-#ifdef OPENSSL_ENABLED
-
-#include "io/stream_peer.h"
-#include <openssl/applink.c> // To prevent crashing (see the OpenSSL FAQ)
-#include <openssl/bio.h> // BIO objects for I/O
-#include <openssl/ssl.h> // SSL and SSL_CTX for SSL connections
-#include <openssl/err.h> // Error reporting
-
-#include <stdio.h> // If you don't know what this is for stop reading now.
-class StreamPeerSSL : public StreamPeer {
-
-	OBJ_TYPE(StreamPeerSSL,StreamPeer);
-public:
-
-	enum ConnectFlags {
-
-		CONNECT_FLAG_BUG_WORKAROUNDS=1,
-		CONNECT_FLAG_NO_SSLV2=2,
-		CONNECT_FLAG_NO_SSLV3=4,
-		CONNECT_FLAG_NO_TLSV1=8,
-		CONNECT_FLAG_NO_COMPRESSION=16,
-	};
-
-	SSL_CTX* ctx;
-	SSL* ssl;
-	BIO* bio;
-
-
-public:
-
-
-	Error connect(const String &p_host,int p_port);
-	static void initialize_ssl();
-	static void finalize_ssl();
-
-	StreamPeerSSL();
-};
-
-#endif
-#endif // STREAM_PEER_SSL_H