mirror of https://git.kore.io/kore.git
Add support for client certificates
This commit is contained in:
Joris Vink
parent
08a2fff5a5
commit
f2aa206f3b
|
|
@ -199,6 +199,7 @@ struct kore_domain {
|
|||
char *domain;
|
||||
char *certfile;
|
||||
char *certkey;
|
||||
char *cafile;
|
||||
int accesslog;
|
||||
SSL_CTX *ssl_ctx;
|
||||
TAILQ_HEAD(, kore_module_handle) handlers;
|
||||
|
|
|
|||
|
|
@ -81,7 +81,11 @@ ssl_no_compression
|
|||
#
|
||||
# Additionally you can specify the following in a domain configuration:
|
||||
#
|
||||
# accesslog: File where all requests are logged.
|
||||
# accesslog
|
||||
# - File where all requests are logged.
|
||||
# require_client_cert
|
||||
# - Asks the client to present a certificate
|
||||
# matching the CA given to require_client_cert
|
||||
#
|
||||
# Handlers
|
||||
#
|
||||
|
|
@ -132,9 +136,11 @@ domain localhost {
|
|||
}
|
||||
|
||||
#domain domain.com {
|
||||
# certfile cert/other/server.crt
|
||||
# certkey cert/other/server.key
|
||||
# accesslog /var/log/other_kore_access.log
|
||||
# certfile cert/other/server.crt
|
||||
# certkey cert/other/server.key
|
||||
# accesslog /var/log/other_kore_access.log
|
||||
# require_client_cert cert/other/ca.crt
|
||||
|
||||
# static /css/style.css serve_style_css
|
||||
# static / serve_index
|
||||
# dynamic ^/[a-z0-9_]*$ serve_profile
|
||||
|
|
|
|||
25
src/config.c
25
src/config.c
|
|
@ -49,6 +49,7 @@ static int configure_http_keepalive_time(char **);
|
|||
static int configure_validator(char **);
|
||||
static int configure_params(char **);
|
||||
static int configure_validate(char **);
|
||||
static int configure_require_client_cert(char **);
|
||||
static void domain_sslstart(void);
|
||||
|
||||
static struct {
|
||||
|
|
@ -73,6 +74,7 @@ static struct {
|
|||
{ "accesslog", configure_accesslog },
|
||||
{ "certfile", configure_certfile },
|
||||
{ "certkey", configure_certkey },
|
||||
{ "require_client_cert", configure_require_client_cert },
|
||||
{ "kore_cb", configure_kore_cb },
|
||||
{ "kore_cb_worker", configure_kore_cb_worker },
|
||||
{ "kore_cb_interval", configure_kore_cb_interval },
|
||||
|
|
@ -318,6 +320,29 @@ configure_handler(char **argv)
|
|||
return (KORE_RESULT_OK);
|
||||
}
|
||||
|
||||
static int
|
||||
configure_require_client_cert(char **argv)
|
||||
{
|
||||
if (current_domain == NULL) {
|
||||
printf("missing domain page require_client_cert\n");
|
||||
return (KORE_RESULT_ERROR);
|
||||
}
|
||||
|
||||
if (argv[1] == NULL) {
|
||||
printf("missing argument for require_client_cert\n");
|
||||
return (KORE_RESULT_ERROR);
|
||||
}
|
||||
|
||||
if (current_domain->cafile != NULL) {
|
||||
printf("require_client_cert already set for %s\n",
|
||||
current_domain->domain);
|
||||
return (KORE_RESULT_ERROR);
|
||||
}
|
||||
|
||||
current_domain->cafile = kore_strdup(argv[1]);
|
||||
return (KORE_RESULT_OK);
|
||||
}
|
||||
|
||||
static int
|
||||
configure_chroot(char **argv)
|
||||
{
|
||||
|
|
|
|||
|
|
@ -141,7 +141,8 @@ kore_connection_handle(struct connection *c)
|
|||
|
||||
r = SSL_get_verify_result(c->ssl);
|
||||
if (r != X509_V_OK) {
|
||||
kore_debug("SSL_get_verify_result(): %s", ssl_errno_s);
|
||||
kore_debug("SSL_get_verify_result(): %d, %s",
|
||||
r, ssl_errno_s);
|
||||
return (KORE_RESULT_ERROR);
|
||||
}
|
||||
|
||||
|
|
|
|||
23
src/domain.c
23
src/domain.c
|
|
@ -16,6 +16,8 @@
|
|||
|
||||
#include "kore.h"
|
||||
|
||||
#define SSL_SESSION_ID "kore_ssl_sessionid"
|
||||
|
||||
struct kore_domain_h domains;
|
||||
struct kore_domain *primary_dom = NULL;
|
||||
DH *ssl_dhparam = NULL;
|
||||
|
|
@ -39,9 +41,10 @@ kore_domain_new(char *domain)
|
|||
|
||||
dom = kore_malloc(sizeof(*dom));
|
||||
dom->accesslog = -1;
|
||||
dom->certfile = NULL;
|
||||
dom->cafile = NULL;
|
||||
dom->certkey = NULL;
|
||||
dom->ssl_ctx = NULL;
|
||||
dom->certfile = NULL;
|
||||
dom->domain = kore_strdup(domain);
|
||||
TAILQ_INIT(&(dom->handlers));
|
||||
TAILQ_INSERT_TAIL(&domains, dom, list);
|
||||
|
|
@ -55,6 +58,8 @@ kore_domain_new(char *domain)
|
|||
void
|
||||
kore_domain_sslstart(struct kore_domain *dom)
|
||||
{
|
||||
STACK_OF(X509_NAME) *certs;
|
||||
|
||||
#if !defined(OPENSSL_NO_EC)
|
||||
EC_KEY *ecdh;
|
||||
#endif
|
||||
|
|
@ -93,6 +98,22 @@ kore_domain_sslstart(struct kore_domain *dom)
|
|||
if (ssl_no_compression)
|
||||
SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_NO_COMPRESSION);
|
||||
|
||||
if (dom->cafile != NULL) {
|
||||
if ((certs = SSL_load_client_CA_file(dom->cafile)) == NULL) {
|
||||
fatal("SSL_load_client_CA_file(%s): %s",
|
||||
dom->cafile, ssl_errno_s);
|
||||
}
|
||||
|
||||
SSL_CTX_load_verify_locations(dom->ssl_ctx, dom->cafile, NULL);
|
||||
SSL_CTX_set_verify_depth(dom->ssl_ctx, 1);
|
||||
SSL_CTX_set_client_CA_list(dom->ssl_ctx, certs);
|
||||
SSL_CTX_set_verify(dom->ssl_ctx, SSL_VERIFY_PEER |
|
||||
SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
|
||||
}
|
||||
|
||||
SSL_CTX_set_session_id_context(dom->ssl_ctx,
|
||||
(unsigned char *)SSL_SESSION_ID, strlen(SSL_SESSION_ID));
|
||||
|
||||
SSL_CTX_set_mode(dom->ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
|
||||
SSL_CTX_set_mode(dom->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
|
||||
|
||||
|
|
|
|||
|
|
@ -135,6 +135,14 @@ kore_ssl_sni_cb(SSL *ssl, int *ad, void *arg)
|
|||
if (sname != NULL && (dom = kore_domain_lookup(sname)) != NULL) {
|
||||
kore_debug("kore_ssl_sni_cb(): Using %s CTX", sname);
|
||||
SSL_set_SSL_CTX(ssl, dom->ssl_ctx);
|
||||
|
||||
if (dom->cafile != NULL) {
|
||||
SSL_set_verify(ssl, SSL_VERIFY_PEER |
|
||||
SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
|
||||
} else {
|
||||
SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL);
|
||||
}
|
||||
|
||||
return (SSL_TLSEXT_ERR_OK);
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue