git - Merge pull request #309 from DinoTools/ssl_certificate

Improve handling of custom certificate files
DinoTools · Nov 16, 2020 · eef9c57 · eef9c57
2 parents c68c114 + 11408f9
commit eef9c57
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 8 deletions.
diff --git a/conf/dionaea.cfg.cmake b/conf/dionaea.cfg.cmake
@@ -25,6 +25,15 @@ listen.mode=getifaddrs
 # Organizational Unit
 # ssl.default.ou=
 
+# Provide certificate files
+# The provided certificate must be in the PEM format.
+# The certificates must be sorted starting with the server certificate
+# followed by intermediate CA certificates if applicable and ending at
+# the highest level CA.
+# ssl.default.cert=@DIONAEA_CONFDIR@/ssl/your-certificate-with-chain.crt
+# The provided key must be in the PEM format.
+# ssl.default.key=@DIONAEA_CONFDIR@/ssl/your-private-key.key
+
 [logging]
 default.filename=@DIONAEA_LOGDIR@/dionaea.log
 default.levels=all

diff --git a/include/connection.h b/include/connection.h
@@ -356,7 +356,7 @@ void connection_tls_io_out_cb(struct ev_loop *loop, struct ev_io *w, int revents
 void connection_tls_shutdown_cb(struct ev_loop *loop, struct ev_io *w, int revents);
 void connection_tls_disconnect(struct connection *con);
 void connection_tls_error(struct connection *con);
-bool connection_tls_set_certificate(struct connection *con, const char *path, int type);
+bool connection_tls_set_certificate(struct connection *con, const char *path);
 bool connection_tls_set_key(struct connection *con, const char *path, int type);
 bool connection_tls_mkcert(struct connection *con);
 

diff --git a/src/connection.c b/src/connection.c
@@ -417,7 +417,7 @@ bool connection_listen(struct connection *con, int len)
 		}
 		if(cert_filename != NULL && key_filename != NULL) {
 			g_info("Use '%s' as key and '%s' as cert file", key_filename, cert_filename);
-			connection_tls_set_certificate(con, cert_filename, SSL_FILETYPE_PEM);
+			connection_tls_set_certificate(con, cert_filename);
 			connection_tls_set_key(con, key_filename, SSL_FILETYPE_PEM);
 		} else {
 			connection_tls_mkcert(con);

diff --git a/src/connection_tls.c b/src/connection_tls.c
@@ -112,18 +112,35 @@ DH *ssl_callback_TmpDH(SSL *ssl, int export, int keylen)
 	return(DH *)c->transport.tls.pTmpKeys[idx];
 }
 
-bool connection_tls_set_certificate(struct connection *con, const char *path, int type)
+/*
+ * Loads a certificate chain from a file and adds it to the SSL context of the connection.
+ * The certificates must be in the PEM format.
+ *
+ * @param con The connection
+ * @param path The filepath of the certificate chain.
+ *
+ * @return true on success | false if something went wrong
+ */
+bool connection_tls_set_certificate(struct connection *con, const char *path)
 {
-	g_debug("%s con %p path %s type %i",__PRETTY_FUNCTION__, con, path, type);
-	int ret = SSL_CTX_use_certificate_file(con->transport.tls.ctx, path, type);
-	if( ret != 1 )
-	{
-		perror("SSL_CTX_use_certificate_file");
+	g_debug("%s con %p path %s",__PRETTY_FUNCTION__, con, path);
+	int ret = SSL_CTX_use_certificate_chain_file(con->transport.tls.ctx, path);
+	if( ret != 1 ) {
+		perror("SSL_CTX_use_certificate_chain_file");
 		return false;
 	}
 	return true;
 }
 
+/*
+ * Loads the first private key from a file and adds it to the SSL context of the connection.
+ *
+ * @param con The connection
+ * @param path The filepath of the certificate chain
+ * @param type The type of the key. SSL_FILETYPE_PEM or SSL_FILETYPE_ASN1.
+ *
+ * @return true on success | false if something went wrong
+ */
 bool connection_tls_set_key(struct connection *con, const char *path, int type)
 {
 	g_debug("%s con %p path %s type %i",__PRETTY_FUNCTION__, con, path, type);