tport: new tag TPTAG_TLS_VERIFY_PEER

With this tag, the verification of certificates can be controlled:
0: do not verify certificates.
1: in server mode, the certificate returned by the client is checked and,
   if it fails, the TLS/SSL handshake is immediately terminated.
1: in client mode, the server certificate is verified and,
   if it fails, the TLS/SSL handshake is immediately terminated.

I added this tag because I would like my application not to connect to a
server with an untrusted certificate.

darcs-hash:20081126184231-daa5a-26fe2a4f958d2f931d3f7e9b31bc0426e7250a1f.gz
parent 08287d39
......@@ -186,6 +186,12 @@ TPORT_DLL extern tag_typedef_t tptag_tls_version;
TPORT_DLL extern tag_typedef_t tptag_tls_version_ref;
#define TPTAG_TLS_VERSION_REF(x) tptag_tls_version_ref, tag_uint_vr(&(x))
TPORT_DLL extern tag_typedef_t tptag_tls_verify_peer;
#define TPTAG_TLS_VERIFY_PEER(x) tptag_tls_verify_peer, tag_uint_v((x))
TPORT_DLL extern tag_typedef_t tptag_tls_verify_peer_ref;
#define TPTAG_TLS_VERIFY_PEER_REF(x) tptag_tls_verify_peer_ref, tag_uint_vr(&(x))
#if 0
TPORT_DLL extern tag_typedef_t tptag_trusted;
#define TPTAG_TRUSTED(x) tptag_trusted, tag_bool_v((x))
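Review bot: `TPTAG_TLS_VERIFY_PEER` is declared with `tag_uint_v` although the tag's documentation defines only the values 0 and 1, and the tls.c hunk of this commit enables verification only for exactly 1, so a caller passing any other non-zero value silently gets no verification. Declaring it with `tag_bool_v`, as the neighbouring `TPTAG_TRUSTED` already does, would make every non-zero value mean "verify" and remove that trap. If the unsigned type is kept on purpose, the header should say what the other values do, e.g. `/* 0: no verification, 1: verify peer; other values are currently treated as 0 */`.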
......@@ -1448,7 +1448,7 @@ int tport_bind_set(tport_master_t *mr,
*
* @TAGS
* TPTAG_SERVER(), TPTAG_PUBLIC(), TPTAG_IDENT(), TPTAG_HTTP_CONNECT(),
* TPTAG_CERTIFICATE(), TPTAG_TLS_VERSION(), and tags used with
* TPTAG_CERTIFICATE(), TPTAG_TLS_VERSION(), TPTAG_TLS_VERIFY_PEER, and tags used with
* tport_set_params(), especially TPTAG_QUEUESIZE().
*/
int tport_tbind(tport_t *self,
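Review bot: The updated @TAGS line writes `TPTAG_TLS_VERIFY_PEER` without the `()` that every other tag in the list carries, so it reads as a different kind of symbol; write `TPTAG_TLS_VERIFY_PEER()` for consistency with `TPTAG_CERTIFICATE()` and `TPTAG_TLS_VERSION()`. tport_tbind's body lies outside the hunk.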
......@@ -280,6 +280,20 @@ tag_typedef_t tptag_compartment = PTRTAG_TYPEDEF(compartment);
*/
tag_typedef_t tptag_tls_version = UINTTAG_TYPEDEF(tls_version);
/**@def TPTAG_TLS_VERIFY_PEER(x)
*
* The verification of certificates can be controlled:
* 0: no verify certificates;
* 1: on server mode, the certificate returned by client is checked
* if fail the TLS/SSL handshake is immediately terminated;
* 1: on client mode, the server certificate is verified
* if fail the TLS/SSL handshake is immediately terminated;
*
* Use with tport_tbind(), nua_create(), nta_agent_create(),
* nta_agent_add_tport(), nth_engine_create(), or initial nth_site_create().
*/
tag_typedef_t tptag_tls_verify_peer = UINTTAG_TYPEDEF(tls_verify_peer);
/**@def TPTAG_QUEUESIZE(x)
*
* Specify the number of messages that can be queued per connection.
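Review bot: The new @def comment for TPTAG_TLS_VERIFY_PEER() states neither the default nor what values other than 0 and 1 mean, although both matter for a security knob: in the tport_tls.c hunk the tag defaults to 0 and in the tls.c hunk only the exact value 1 turns verification on. Add a sentence such as `* Default is 0 (no verification). Values other than 0 and 1 are currently treated as 0.` and fold the two "1:" bullets into one that names both the server and the client role. "if fail the TLS/SSL handshake is immediately terminated" also reads better as "if verification fails, the TLS/SSL handshake is terminated".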
......@@ -166,7 +166,7 @@ int tls_verify_cb(int ok, X509_STORE_CTX *store)
SU_DEBUG_1((" err %i:%s\n", err, X509_verify_cert_error_string(err)));
}
return 1; /* Always return "ok" */
return ok;
}
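Review bot: With the callback now returning `ok`, its result is honoured by OpenSSL only when `SSL_VERIFY_PEER` is set in SSL_CTX_set_verify; under SSL_VERIFY_NONE the SU_DEBUG_1 line above remains the only trace of a failed chain and the handshake proceeds regardless. A comment would keep the next reader from assuming that the log line implies a rejected connection, e.g. `return ok; /* honoured only when SSL_VERIFY_PEER is set; ignored under SSL_VERIFY_NONE */`. tls_verify_cb begins outside the hunk.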
static
......@@ -265,8 +265,7 @@ int tls_init_context(tls_t *tls, tls_issues_t const *ti)
SSL_CTX_set_verify_depth(tls->ctx, ti->verify_depth);
SSL_CTX_set_verify(tls->ctx,
getenv("SSL_VERIFY_PEER") ? SSL_VERIFY_PEER : SSL_VERIFY_NONE
/* SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT */,
ti->verify_peer == 1 ? SSL_VERIFY_PEER : SSL_VERIFY_NONE,
tls_verify_cb);
if (!SSL_CTX_set_cipher_list(tls->ctx, ti->cipher)) {
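Review bot: In the new SSL_CTX_set_verify call a server still cannot reject a client that presents no certificate at all, because `SSL_VERIFY_PEER` alone only requests one; the description's promise that "the certificate returned by client is checked and if fail the handshake is terminated" holds only if the server-side context passes `SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT`, which the removed comment had already sketched (whether tls_init_context knows here if it is building a server or a client context is not visible in the hunk). Two further points on the same line: `ti->verify_peer == 1` silently disables verification for every other non-zero value, where `ti->verify_peer != 0 ? SSL_VERIFY_PEER : SSL_VERIFY_NONE` would fail closed, and the `getenv("SSL_VERIFY_PEER")` path is dropped outright, so deployments that enabled verification through the environment lose it without any warning until every caller passes the new tag. Note also that chain verification alone does not check that the certificate belongs to the peer the caller intended to reach; if that is expected, it has to be done separately, presumably in tls_verify_cb or after the handshake. tls_init_context continues outside the hunk.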
......@@ -48,7 +48,9 @@ typedef struct tls_s tls_t;
extern char const tls_version[];
typedef struct tls_issues_s {
int verify_depth; /* if 0, then do nothing */
int verify_peer; /* 0: no verify certificate, *
* 1: if fail the TLS/SSL handshake is terminated. */
int verify_depth; /* if 0, then do nothing */
int configured; /* If non-zero, complain about certificate errors */
char *cert; /* CERT file name. File format is PEM */
char *key; /* Private key file. PEM format */
......@@ -161,6 +161,7 @@ static int tport_tls_init_master(tport_primary_t *pri,
char *tbf = NULL;
char const *path = NULL;
unsigned tls_version = 1;
unsigned tls_verify = 0;
su_home_t autohome[SU_HOME_AUTO_SIZE(1024)];
tls_issues_t ti = {0};
......@@ -172,6 +173,7 @@ static int tport_tls_init_master(tport_primary_t *pri,
tl_gets(tags,
TPTAG_CERTIFICATE_REF(path),
TPTAG_TLS_VERSION_REF(tls_version),
TPTAG_TLS_VERIFY_PEER_REF(tls_verify),
TAG_END());
if (!path) {
......@@ -182,6 +184,7 @@ static int tport_tls_init_master(tport_primary_t *pri,
}
if (path) {
ti.verify_peer = tls_verify;
ti.verify_depth = 2;
ti.configured = path != tbf;
ti.randFile = su_sprintf(autohome, "%s/%s", path, "tls_seed.dat");
......@@ -189,6 +192,7 @@ static int tport_tls_init_master(tport_primary_t *pri,
ti.cert = ti.key;
ti.CAfile = su_sprintf(autohome, "%s/%s", path, "cafile.pem");
ti.version = tls_version;
ti.CApath = su_strdup(autohome, path);
SU_DEBUG_9(("%s(%p): tls key = %s\n", __func__, (void *)pri, ti.key));
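Review bot: `ti.verify_peer = tls_verify;` copies the tag value unchecked, and since tls.c enables verification only for the exact value 1, a caller passing any other non-zero value ends up with no verification at all; normalising here, `ti.verify_peer = tls_verify ? 1 : 0;`, makes every non-zero request fail closed. The default `unsigned tls_verify = 0;` also means verification stays off unless the tag is passed explicitly, which the tag's documentation should say. The assignment sits inside `if (path)`, so a master without a certificate path keeps verify_peer at 0 from the `= {0}` initialiser; that matches the intent but deserves a one-line comment. tport_tls_init_master continues outside the hunk.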