SSL docs and new options #42

Merged (3 commits)

2 participants

@avtobiff

Hi!

This pull request adds support in Yaws for new SSL options (verify_none, verify_peer, and fail_if_no_peer_cert). It also contains commits which elaborate a bit in the docs on the SSL verify option(s).

Have a look and please review.

Per

avtobiff added some commits

@avtobiff Fixed and updated SSL verify options. (b6cbbe5, Oct 1, 2010)
* Fixed documentation for verify values to correspond to Erlang's SSL
  implementation.
* Updated documentation to include new SSL implementation options.
* Updated #ssl{} and yaws:ssl_listen_opts/2 to include
  fail_if_no_peer_cert.

@avtobiff Added handling of SSL option. (6d5b980, Oct 1, 2010)
* Added access functions for fail_if_no_peer_cert.
* Handle new SSL verify and fail_if_no_peer_cert options in config.

@avtobiff Merge branch 'master' of git://github.com/klacke/yaws (20f58c8, Oct 6, 2010)
Conflicts:
	man/yaws.conf.5
@klacke (Owner)

Very nice patch, applied and pushed. Thanks

This issue was closed.
36 doc/yaws.tex
@@ -2320,14 +2320,34 @@ \section{Server Part}
all the certificates of the acceptable
signers for the client certs.
-\item \verb+verify = 1 | 2 | 3+
- Specifies the level of verification the
- server does on client certs. 1 means nothing
- , 2 means the the server will ask the
- client for a cert but not fail if the client
- doesn't supply a client cert, 3 means that
- the server requires the client to supply a
- client cert.
+\item \verb+verify = 0 | 1 | 2 | verify_none | verify_peer+
+ Specifies the level of verification the server does
+ on client certs. 0 means that the server will not
+ ask for a cert (\verb+verify_none+), 1 means that
+ the server will ask the client for a cert but not
+ fail if the client does not supply a client cert
+ (\verb+verify_peer+, \verb+fail_if_no_peer_cert+
+ = \verb+false+), 2 means that the server requires
+ the client to supply a client cert
+ (\verb+verify_peer+, \verb+fail_if_no_peer_cert+ =
+ \verb+true+).
+
+ Setting \verb+verify_none+ means that the x509
+ validation will be skipped (no certificate request
+ is sent to the client), \verb+verify_peer+ means
+ that a certificate request is sent to the client
+ (x509 validation is performed.
+
+ You might want to use \verb+fail_if_no_peer_cert+
+ in combination with \verb+verify_peer+.
+
+\item \verb+fail_if_no_peer_cert = true | false+
+ If verify is set to \verb+verify_peer+ and set
+ to \verb+true+ the connection will fail if the
+ client does not send a certificate (i.e. an empty
+ certificate). If set to false the server will
+ fail only if an invalid certificate is supplied
+ (an empty certificate is considered valid).
\item \verb+depth = Int+
Specifies the depth of certificate chains
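Review bot: the new verify paragraph ends with "(x509 validation is performed." and never closes the parenthesis, and the fail_if_no_peer_cert entry reads "If verify is set to \verb+verify_peer+ and set to \verb+true+", which leaves it unclear what is set to true; suggest "If \verb+verify+ is set to \verb+verify_peer+ and this option is set to \verb+true+". It would also help to state explicitly that \verb+fail_if_no_peer_cert+ has no effect with \verb+verify_none+ (or 0), which the numeric shorthand 1 and 2 already implies.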
1  include/yaws.hrl
@@ -105,6 +105,7 @@
keyfile,
certfile,
verify = 0,
+ fail_if_no_peer_cert,
depth = 1,
password,
cacertfile,
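Review bot: fail_if_no_peer_cert is added to #ssl{} without a default while the neighbouring verify field defaults to 0; with the ssl_listen_opts change in this PR an unset field is simply not passed to the ssl application, so the effective default is whatever the Erlang ssl app applies. Either give the field an explicit default (false, matching the documented verify = 1 behaviour) or document in yaws.conf.5 what happens when the option is omitted.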
22 man/yaws.conf.5
@@ -546,11 +546,25 @@ and to use when attempting to build the server certificate chain.
The list is also used in the list of acceptable client CAs passed to
the client when a certificate is requested.
.TP
-\fBverify = 0 | 1 | 2\fR
+\fBverify = 0 | 1 | 2 | verify_none | verify_peer\fR
Specifies the level of verification the server does on client certs.
-0 means nothing, 1 means the the server will ask the client for a cert but
-not fail if the client does not supply a client cert, 2 means that the server
-requires the client to supply a client cert.
+0 means that the server will not ask for a cert (verify_none), 1 means that the
+server will ask the client for a cert but not fail if the client does not
+supply a client cert (verify_peer, fail_if_no_peer_cert = false), 2 means that
+the server requires the client to supply a client cert (verify_peer,
+fail_if_no_peer_cert = true).
+
+Setting verify_none means that the x509 validation will be skipped (no
+certificate request is sent to the client), verify_peer means that a
+certificate request is sent to the client (x509 validation is performed.
+
+You might want to use fail_if_no_peer_cert in combination with verify_peer.
+.TP
+\fBfail_if_no_peer_cert = true | false\fR
+If verify is set to verify_peer and set to true the connection will fail if the
+client does not send a certificate (i.e. an empty certificate). If set to false
+the server will fail only if an invalid certificate is supplied (an empty
+certificate is considered valid).
.TP
\fBdepth = Int\fR
Specifies the depth of certificate chains the server is prepared to follow
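Review bot: the same two wording problems as in the yaws.tex copy of this text: "(x509 validation is performed." lacks its closing parenthesis, and "If verify is set to verify_peer and set to true" should read "... and fail_if_no_peer_cert is set to true". Since the two files carry identical text, fixing one without the other will leave the docs inconsistent.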
34 src/yaws.erl
@@ -155,23 +155,25 @@ create_sconf(DocRoot, SL) when is_list(DocRoot), is_list(SL) ->
%%% Access functions for the SSL record.
new_ssl() -> #ssl{}.
%%
-ssl_keyfile(S) -> S#ssl.keyfile.
-ssl_certfile(S) -> S#ssl.certfile.
-ssl_verify(S) -> S#ssl.verify.
-ssl_depth(S) -> S#ssl.depth.
-ssl_password(S) -> S#ssl.password.
-ssl_cacertfile(S) -> S#ssl.cacertfile.
-ssl_ciphers(S) -> S#ssl.ciphers.
-ssl_cachetimeout(S) -> S#ssl.cachetimeout.
+ssl_keyfile(S) -> S#ssl.keyfile.
+ssl_certfile(S) -> S#ssl.certfile.
+ssl_verify(S) -> S#ssl.verify.
+ssl_fail_if_no_peer_cert(S) -> S#ssl.fail_if_no_peer_cert.
+ssl_depth(S) -> S#ssl.depth.
+ssl_password(S) -> S#ssl.password.
+ssl_cacertfile(S) -> S#ssl.cacertfile.
+ssl_ciphers(S) -> S#ssl.ciphers.
+ssl_cachetimeout(S) -> S#ssl.cachetimeout.
%%
-ssl_keyfile(S, Keyfile) -> S#ssl{keyfile = Keyfile}.
-ssl_certfile(S, Certfile) -> S#ssl{certfile = Certfile}.
-ssl_verify(S, Verify) -> S#ssl{verify = Verify}.
-ssl_depth(S, Depth) -> S#ssl{depth = Depth}.
-ssl_password(S, Password) -> S#ssl{password = Password}.
-ssl_cacertfile(S, Cacertfile) -> S#ssl{cacertfile = Cacertfile}.
-ssl_ciphers(S, Ciphers) -> S#ssl{ciphers = Ciphers}.
-ssl_cachetimeout(S, Cachetimeout) -> S#ssl{cachetimeout = Cachetimeout}.
+ssl_keyfile(S, Keyfile) -> S#ssl{keyfile = Keyfile}.
+ssl_certfile(S, Certfile) -> S#ssl{certfile = Certfile}.
+ssl_verify(S, Verify) -> S#ssl{verify = Verify}.
+ssl_fail_if_no_peer_cert(S, FailIfNoPeerCert) -> S#ssl{fail_if_no_peer_cert = FailIfNoPeerCert}.
+ssl_depth(S, Depth) -> S#ssl{depth = Depth}.
+ssl_password(S, Password) -> S#ssl{password = Password}.
+ssl_cacertfile(S, Cacertfile) -> S#ssl{cacertfile = Cacertfile}.
+ssl_ciphers(S, Ciphers) -> S#ssl{ciphers = Ciphers}.
+ssl_cachetimeout(S, Cachetimeout) -> S#ssl{cachetimeout = Cachetimeout}.
setup_gconf([], GC) -> GC;
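Review bot: the hunk removes and re-adds all sixteen existing accessor lines even though their text is unchanged, which points to an indentation or trailing-whitespace rewrite; keeping only the two new ssl_fail_if_no_peer_cert/1 and ssl_fail_if_no_peer_cert/2 lines as additions would make the change far easier to review and to backport. The new setter line is also noticeably longer than its neighbours and could be wrapped.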
21 src/yaws_config.erl
@@ -1127,8 +1127,13 @@ fload(FD, ssl, GC, C, Cs, Lno, Chars) ->
{error, ?F("Expect existing file at line ~w", [Lno])}
end;
["verify", '=', Val0] ->
- Val = (catch list_to_integer(Val0)),
- case lists:member(Val, [1,2,3]) of
+ Val =
+ try
+ list_to_integer(Val0)
+ catch error:badarg ->
+ list_to_atom(Val0)
+ end,
+ case lists:member(Val, [0,1,2,verify_peer,verify_none]) of
true when is_record(C#sconf.ssl, ssl) ->
C2 = C#sconf{ssl = (C#sconf.ssl)#ssl{verify = Val}},
fload(FD, ssl, GC, C2, Cs, Lno+1, Next);
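Review bot: the accepted value set changes from [1,2,3] to [0,1,2,verify_peer,verify_none], so an existing yaws.conf with verify = 3 (the value the old yaws.tex documented as "requires the client to supply a client cert") now fails to load, and the meaning of 1 and 2 moves one level each; since yaws.conf.5 already documented 0 | 1 | 2 while the code accepted 1..3, some installed configs will be on either convention. Consider mapping 3 to 2, or returning an error that names the new values, so an upgrade does not silently change how strictly client certs are checked. The list_to_atom fallback is acceptable here because the result is immediately checked against a fixed list.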
@@ -1136,7 +1141,17 @@ fload(FD, ssl, GC, C, Cs, Lno, Chars) ->
{error, ?F("Need to set option ssl to true before line ~w",
[Lno])};
_ ->
- {error, ?F("Expect integer at line ~w", [Lno])}
+ {error, ?F("Expect integer or verify_none, verify_peer at line ~w", [Lno])}
+ end;
+ ["fail_if_no_peer_cert", '=', Val0] ->
+ Val = (catch list_to_atom(Val0)),
+ if
+ is_record(C#sconf.ssl, ssl) ->
+ C2 = C#sconf{ssl = (C#sconf.ssl)#ssl{fail_if_no_peer_cert = Val}},
+ fload(FD, ssl, GC, C2, Cs, Lno+1, Next);
+ true ->
+ {error, ?F("Need to set option fail_if_no_peer_cert to true before line ~w",
+ [Lno])}
end;
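Review bot: the error message in the fail_if_no_peer_cert branch, "Need to set option fail_if_no_peer_cert to true before line ~w", is a copy of the verify branch's message with the wrong option name; the condition it reports is that ssl has not been enabled yet, so it should read "Need to set option ssl to true before line ~w" like the branch above. Also, Val = (catch list_to_atom(Val0)) is stored without validation, so a typo such as fail_if_no_peer_cert = yes is accepted at config load and only surfaces when the listener is started; checking lists:member(Val, [true, false]) here, as the verify branch does for its values, gives a line-numbered error instead.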
["depth", '=', Val0] ->
Val = (catch list_to_integer(Val0)),
6 src/yaws_server.erl
@@ -872,6 +872,12 @@ ssl_listen_opts(GC, SSL) ->
false
end,
+ if SSL#ssl.fail_if_no_peer_cert /= undefined ->
+ {fail_if_no_peer_cert, SSL#ssl.fail_if_no_peer_cert};
+ true ->
+ false
+ end,
+
if SSL#ssl.password /= undefined ->
{password, SSL#ssl.password};
true ->
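Review bot: fail_if_no_peer_cert is forwarded whenever the record field is set, regardless of the verify value; with verify_none (or 0) it is meaningless, and the visible context does not show how the integer values 1 and 2 are turned into {verify, verify_peer} plus the matching fail_if_no_peer_cert that the new docs promise (verify = 2 is documented as fail_if_no_peer_cert = true). Worth checking the verify translation just above this hunk and either deriving the option from the integer there or rejecting verify_none together with fail_if_no_peer_cert = true at config load. The extra blank line added at the end of the block is a style nit.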