
locate-ca-store and CAFILE for https/tls

pulpofred
pulpofred committed Apr 5, 2016
1 parent cff426b commit ca19c21abe6f6a8b8b4290426828ada84f291848
Showing with 96 additions and 17 deletions.
  1. +3 −2 build.tcl
  2. +32 −0 fruho/certs/ca-certificates.crt
  3. +17 −9 fruho/main.tcl
  4. +10 −1 fruho/model.tcl
  5. +34 −5 sklib/https.tcl
@@ -248,10 +248,11 @@ proc push-update {os arch tohost} {
set ::FRUHO_VERSION 0.0.19
prepare-lib sklib 0.0.0
build linux x86_64 sample base-tk-[base-ver x86_64] {sklib-0.0.0 tls-1.6.7.1 Tclx-8.4 cmdline-1.5 json-1.3.3 uri-1.2.5 base64-2.4.2 tktray-1.3.9}
#build linux x86_64 sample base-tk-[base-ver x86_64] {sklib-0.0.0 tls-1.6.7.1 Tclx-8.4 cmdline-1.5 json-1.3.3 uri-1.2.5 base64-2.4.2 tktray-1.3.9}
#build-total
#build-total x86_64
#build-total ix86
build-total x86_64
#package require i18n
#i18n code2msg ./fruho/main.tcl {es pl} ./fruho/messages.txt
@@ -0,0 +1,32 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
@@ -150,9 +150,19 @@ proc main {} {
model load
# Copy cadir because it must be accessible from outside of the starkit
# Copy cadir outside of the vfs starkit because it must be accessible from outside (tls package requires regular filestystem)
# Overwrites certs on every run
copy-merge [file join [file dir [info script]] certs] [model CADIR]
copy-merge [file join [file dir [info script]] certs] [model FRUHO_CADIR]
if {$::model::ca_bundle eq ""} {
set castore [https locate-ca-store]
# if castore location not detected, as a last resort set cafile location to fruho provided bundle
if {$castore eq ""} {
set castore [model FRUHO_CAFILE]
}
set ::model::ca_bundle $castore
}
if {$params(cli) || ![unix is-x-running] || $params(build) || $params(version) || $params(id) || $params(generate-keys) || $params(add-launcher) || $params(remove-launcher) || $params(dump-profile-golang) ne ""} {
set ::model::Ui cli
@@ -911,14 +921,12 @@ proc is-config-received {profileid} {
}
proc curl-dispatch {chout cherr hostport args} {
if {[string match bootstrap:* $hostport]} {
# in cadir rename crts to have hash names: openssl x509 -hash -in your.crt -noout
curl-retry $chout $cherr -hostports $::model::Hostports -hindex ::model::hostport_lastok -expected_hostname vbox.fruho.com -cadir [model CADIR] {*}$args
# if CADIR used: in cadir rename crts to have hash names: openssl x509 -hash -in your.crt -noout
curl-retry $chout $cherr -hostports $::model::Hostports -hindex ::model::hostport_lastok -expected_hostname vbox.fruho.com -cafile [model FRUHO_CAFILE] {*}$args
} else {
curl-retry $chout $cherr -hostports [lrepeat 3 $hostport] {*}$args
curl-retry $chout $cherr -hostports [lrepeat 3 $hostport] -cafile $::model::ca_bundle {*}$args
}
}
@@ -2869,7 +2877,7 @@ proc ffread-loop {} {
set line [<- $::model::Chan_ffread]
switch -regexp -matchvar tokens $line {
{^ctrl: (.*)$} {
log OPENVPN CTRL: [lindex $tokens 1]
log fruhod>> $line
switch -regexp -matchvar details [lindex $tokens 1] {
{^Config loaded} {
ffwrite start
@@ -2903,6 +2911,7 @@ proc ffread-loop {} {
}
}
{^ovpn: (.*)$} {
log fruhod>> $line
catch {
puts $::model::Openvpnlog [lindex $tokens 1]
flush $::model::Openvpnlog
@@ -2942,7 +2951,6 @@ proc ffread-loop {} {
$::model::Chan_stat_report <- $stat
}
}
log fruhod>> $line
}
} on error {e1 e2} {
puts stderr [log $e1 $e2]
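Review bot: The new `if {$::model::ca_bundle eq ""}` block in main only runs detection when the configured value is empty, so a `ca_bundle` path carried in from the config that no longer exists on disk is handed unchanged to `-cafile` in curl-dispatch, and every non-bootstrap request then cannot be verified (with `-require 1` this should fail closed, but with no hint as to why). Widening the guard to `if {$::model::ca_bundle eq "" || ![file isfile $::model::ca_bundle]} {` and logging when the fallback is taken would make the configured-but-stale case behave like the not-detected case. The curl-dispatch comment `# if CADIR used: in cadir rename crts ...` now describes an option this branch no longer passes and could instead say `# bootstrap hosts are always verified against the fruho-provided bundle`. main's body continues beyond the hunk.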
@@ -112,6 +112,9 @@ namespace eval ::model {
# number of total/traffic probes saved and used for moving average - this is to be saved in config
variable previous_total_probes 5
# auto detected but configurable location of the CA store
variable ca_bundle ""
variable Gui_openvpn_connection_timeout 25
variable openvpn_connection_timeout 25
@@ -165,9 +168,15 @@ proc ::model::PROFILEDIR {} {
proc ::model::UPGRADEDIR {} {
return [file join [model CONFIGDIR] upgrade]
}
proc ::model::CADIR {} {
# we switched to use CAFILE instead
proc ::model::FRUHO_CADIR {} {
return [file join [model CONFIGDIR] certs]
}
# fruho provided CA certificates
proc ::model::FRUHO_CAFILE {} {
return [file join [model FRUHO_CADIR] ca-certificates.crt]
}
# Display all model variables to stderr
proc ::model::print {} {
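Review bot: The comment on the new `ca_bundle` variable calls it the "location of the CA store", but every consumer in this commit passes it as `-cafile`, so it has to be a single bundle file rather than a directory; `# auto detected but configurable path of the CA bundle file (used as -cafile)` would keep a later reader from configuring a directory here. The `# we switched to use CAFILE instead` comment sits directly above `FRUHO_CADIR`, which is still used as the copy target, so it reads as if that proc were deprecated; `# directory the bundled certs are copied to; requests use FRUHO_CAFILE` says what is actually meant. The enclosing namespace body continues outside both hunks.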
@@ -17,7 +17,7 @@ namespace eval ::https {
variable sock2host
variable sock2error
variable host2expected
namespace export curl curl-async wget wget-async socket init parseurl
namespace export curl curl-async wget wget-async socket init parseurl locate-ca-store
namespace ensemble create
}
@@ -37,10 +37,39 @@ proc ::https::debug-http {tok} {
# -cadir dir # Provide the directory containing the CA certificates.
# -cafile filename # Provide the CA file.
# -certfile filename # Provide the certificate to use.
# "" # Only unregister current https handler
proc ::https::init {args} {
catch {http::unregister https}
# We cannot use the original tls::socket because it does not validate Host against Common Name
http::register https 443 [list https::socket -require 1 -command ::https::tls-callback -ssl2 0 -ssl3 0 -tls1 1 {*}$args]
if {$args ne ""} {
# We cannot use the original tls::socket because it does not validate Host against Common Name
http::register https 443 [list https::socket -require 1 -command ::https::tls-callback -ssl2 0 -ssl3 0 -tls1 1 {*}$args]
}
}
# Try various locations of CA store
# returns <cafile>
# TODO if necesary return "-cadir <cadir>" or "-cafile <cafile>"
proc ::https::locate-ca-store {} {
set cafiles {}
lappend cafiles "/etc/ssl/certs/ca-certificates.crt" ;# Debian/Ubuntu/Gentoo etc.
lappend cafiles "/etc/pki/tls/certs/ca-bundle.crt" ;# Fedora/RHEL
lappend cafiles "/etc/pki/tls/certs/ca-bundle.trust.crt" ;# Extended Validation certs Fedora/RHEL
lappend cafiles "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
lappend cafiles "/etc/ssl/ca-bundle.pem" ;# OpenSUSE
lappend cafiles "/etc/pki/tls/cacert.pem" ;# OpenELEC
lappend cafiles "/etc/ssl/certs/ca-bundle.crt"
foreach cafile $cafiles {
if {[file isfile $cafile] && [file size $cafile] > 1000} {
return $cafile
}
}
#set cadirs {}
#lappend cadirs "/etc/ssl/certs"
return ""
}
@@ -322,6 +351,6 @@ proc ::https::wget-callback {tok} {
}
# Do default initialization with Linux cert store location
::https::init -cadir /etc/ssl/certs
#model castore option
::https::init -cafile [::https::locate-ca-store]
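Review bot: The module-level default at the bottom of https.tcl hands locate-ca-store's empty-string result straight to init as `-cafile ""`, and the new `if {$args ne ""}` guard in init does not catch that because the argument list itself is non-empty; main.tcl falls back to the fruho-provided bundle in this case, but nothing does so here, and whether the tls package ignores an empty -cafile or fails every handshake is not something this hunk pins down. Guarding the call, `set cafile [::https::locate-ca-store]` followed by `if {$cafile ne ""} {::https::init -cafile $cafile}`, keeps the registered handler consistent with what main later stores in ca_bundle. In locate-ca-store the `[file size $cafile] > 1000` test is a heuristic rather than a validity check and deserves a comment such as `;# skip empty or stub bundles`. The wget-callback hunk above starts outside the proc it closes.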
