Add configurable x509 chain validation depth.
You can now per domain configure the depth for x509 chain validation: client_verify_depth 1 By default this is 1. While here change around some log messages and properly set the callback for x509 verification rather than via hoops and loops.
This commit is contained in:
parent
9e12b2c6dd
commit
e475bd0c92
@ -351,6 +351,7 @@ struct kore_domain {
char *certfile;
char *certkey;
SSL_CTX *ssl_ctx;
int x509_verify_depth;
#endif
TAILQ_HEAD(, kore_module_handle) handlers;
TAILQ_ENTRY(kore_domain) list;
23
src/config.c
23
src/config.c
@ -70,6 +70,7 @@ static int configure_certkey(char *);
static int configure_tls_version(char *);
static int configure_tls_cipher(char *);
static int configure_tls_dhparam(char *);
static int configure_client_verify_depth(char *);
static int configure_client_certificates(char *);
#endif
@ -143,6 +144,7 @@ static struct {
{ "certfile", configure_certfile },
{ "certkey", configure_certkey },
{ "client_certificates", configure_client_certificates },
{ "client_verify_depth", configure_client_verify_depth },
#endif
#if !defined(KORE_NO_HTTP)
{ "static", configure_static_handler },
@ -434,6 +436,27 @@ configure_tls_dhparam(char *path)
return (KORE_RESULT_OK);
}
static int
configure_client_verify_depth(char *value)
{
int err, depth;
if (current_domain == NULL) {
printf("client_verify_depth not specified in domain context\n");
return (KORE_RESULT_ERROR);
}
depth = kore_strtonum(value, 10, 0, INT_MAX, &err);
if (err != KORE_RESULT_OK) {
printf("bad client_verify_depth value: %s\n", value);
return (KORE_RESULT_ERROR);
}
current_domain->x509_verify_depth = depth;
return (KORE_RESULT_OK);
}
static int
configure_client_certificates(char *options)
{
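Review bot: `configure_client_verify_depth` accepts any value from 0 to INT_MAX through `kore_strtonum`, so an operator can raise the chain limit far beyond what any real CA hierarchy needs, which defeats the purpose of bounding per-handshake verification work; a conservative upper bound in the `kore_strtonum` call would be safer than INT_MAX. The meaning of the number is also not recorded anywhere near the store, so a one-line comment above `current_domain->x509_verify_depth = depth;` such as `/* maximum chain depth passed to SSL_CTX_set_verify_depth(); 0 means only the peer certificate itself is accepted */` would help whoever tunes it (exact level counting differs slightly between OpenSSL versions, so confirm against the linked version). The error paths use printf like the neighbouring configure_* functions, which is consistent with the file. `configure_client_certificates` at the bottom of the hunk continues outside it.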
14
src/domain.c
14
src/domain.c
@ -184,6 +184,7 @@ kore_domain_new(char *domain)
dom->ssl_ctx = NULL;
dom->certfile = NULL;
dom->crlfile = NULL;
dom->x509_verify_depth = 1;
#endif
dom->domain = kore_strdup(domain);
TAILQ_INIT(&(dom->handlers));
@ -245,7 +246,6 @@ kore_domain_tlsinit(struct kore_domain *dom)
EVP_PKEY *pkey;
STACK_OF(X509_NAME) *certs;
EC_KEY *eckey;
X509_STORE *store;
const SSL_METHOD *method;
#if !defined(OPENSSL_NO_EC)
EC_KEY *ecdh;
@ -370,15 +370,10 @@ kore_domain_tlsinit(struct kore_domain *dom)
}
SSL_CTX_load_verify_locations(dom->ssl_ctx, dom->cafile, NULL);
SSL_CTX_set_verify_depth(dom->ssl_ctx, 1);
SSL_CTX_set_verify_depth(dom->ssl_ctx, dom->x509_verify_depth);
SSL_CTX_set_client_CA_list(dom->ssl_ctx, certs);
SSL_CTX_set_verify(dom->ssl_ctx, SSL_VERIFY_PEER |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
if ((store = SSL_CTX_get_cert_store(dom->ssl_ctx)) == NULL)
fatal("SSL_CTX_get_cert_store(): %s", ssl_errno_s);
X509_STORE_set_verify_cb(store, domain_x509_verify);
SSL_VERIFY_FAIL_IF_NO_PEER_CERT, domain_x509_verify);
}
SSL_CTX_set_session_id_context(dom->ssl_ctx,
@ -469,7 +464,8 @@ domain_load_crl(struct kore_domain *dom)
return;
if (dom->crlfile == NULL) {
kore_log(LOG_WARNING, "WARNING: Running without CRL");
kore_log(LOG_WARNING, "WARNING: no CRL configured for '%s'",
dom->domain);
return;
}
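Review bot: In the kore_domain_tlsinit hunk the callback handed to `SSL_CTX_set_verify` now decides the outcome for each certificate in the client's chain, so `domain_x509_verify` (defined outside this hunk) must return the `preverify_ok` it receives for every error it does not deliberately handle — a callback that returns 1 regardless of that flag would accept a chain that failed issuer, depth or CRL checks. A comment on the call recording that contract, e.g. `/* domain_x509_verify is invoked per chain element; it must propagate preverify_ok for errors it does not handle */`, would make the expectation explicit for future edits. The neighbouring `SSL_CTX_load_verify_locations` result is still unchecked (pre-existing context line), so a bad cafile path only shows up later as handshake failures rather than at startup. The enclosing if-block and kore_domain_tlsinit itself extend beyond the hunk.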