TLS: PKCS 12 support #1636

Merged
merged 3 commits into from Aug 30, 2017

Conversation

MrAnno (Collaborator) commented Aug 2, 2017

The new pkcs12-file() TLS option can be used to specify a PKCS #12 file container that can store
a private key, a certificate and CA certs.
pkcs12-file() works together with the ca-dir() option, but this is optional since the p12 file may contain CA certificates as well.

If this option is used in the configuration file, the value of key-file() and cert-file() will be omitted.
Passphrase is currently not supported.

Example:

openssl pkcs12 -export -inkey serverkey.pem -in servercert.pem -certfile cacert.pem -out server.p12

Example config:

source s_tls {
    syslog(
        transport(tls)
        tls(
            pkcs12-file("/path/to/server.p12")
            ca-dir("/path/to/cadir") # optional
            peer-verify(yes)
        )
    );
};
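As an added example, not code from the syslog-ng PR or project: a POSIX shell script that builds the bundle the openssl pkcs12 -export command above produces, using an empty passphrase because the pkcs12-file() option in this PR does not yet pass one, and then checks that the bundle opens and contains a private key, the server certificate and the CA certificate. It assumes the openssl command-line tool is installed; the CA and server names are constructed test values.

```shell
#!/bin/sh
# Added example, not code from the syslog-ng PR: build the kind of PKCS#12 bundle
# pkcs12-file() expects and check what it contains before pointing syslog-ng at it.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for the constructed test material

# Constructed throwaway PKI: a self-signed CA and a server key/cert issued by it.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test-ca" \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=syslog-server" \
    -keyout "$WORK/serverkey.pem" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$WORK/cacert.pem" \
    -CAkey "$WORK/cakey.pem" -CAcreateserial -out "$WORK/servercert.pem" 2>/dev/null
}

# Same export as in the PR description, but with an empty passphrase: the
# pkcs12-file() option in this PR hands no passphrase to OpenSSL, so an
# encrypted bundle would fail to load at startup.
make_p12() {
  openssl pkcs12 -export -inkey "$WORK/serverkey.pem" -in "$WORK/servercert.pem" \
    -certfile "$WORK/cacert.pem" -passout pass: -out "$WORK/server.p12"
}

# The unsupported case, for contrast: a bundle protected by a real passphrase.
make_protected_p12() {
  openssl pkcs12 -export -inkey "$WORK/serverkey.pem" -in "$WORK/servercert.pem" \
    -certfile "$WORK/cacert.pem" -passout pass:secret -out "$WORK/protected.p12"
}

# Succeeds only if the bundle opens with an empty passphrase and holds exactly one
# private key plus at least two certificates (the end-entity cert and a CA cert).
check_p12() {
  dump=$(openssl pkcs12 -in "$1" -passin pass: -nodes 2>/dev/null) || return 1
  keys=$(printf '%s\n' "$dump" | grep -c 'BEGIN .*PRIVATE KEY' || true)
  certs=$(printf '%s\n' "$dump" | grep -c 'BEGIN CERTIFICATE' || true)
  echo "$1: private keys: $keys, certificates: $certs"
  [ "$keys" -eq 1 ] && [ "$certs" -ge 2 ]
}

make_test_pki
make_p12
check_p12 "$WORK/server.p12"
```

Run the same check against a bundle exported with -passout pass:secret and it fails, which is exactly what this version of pkcs12-file() would do at startup.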

@kira-syslogng (Contributor)

Build SUCCESS, the tests were executed on test branch: master and test suite: functions

lib/tlscontext.c Outdated
if (!p12_file)
return FALSE;

PKCS12 *pkcs12 = d2i_PKCS12_fp(p12_file, NULL);
Collaborator:

Could you factor out a static PKCS12 *_load_pkcs12_file(const gchar *filename); function?

MrAnno (Collaborator, Author):

Of course :)

MrAnno (Collaborator, Author):

Done.

return FALSE;
}

PKCS12_free(pkcs12);
Collaborator:

What do you think about a static gboolean _load_pkcs12_content(PKCS12 *pkcs12, EVP_PKEY **private_key, X509 **cert, STACK_OF(X509) **ca_list); function?

MrAnno (Collaborator, Author) Aug 11, 2017:

I like it. :) The only reason I had this complexity in one single function was the fact that this module is already full of helper functions from different levels of abstraction.

Should I place these functions in the OpenSSL compat layer or just create an openssl_utils unit?

Collaborator:

I think it can go to the compat layer.

furiel (Collaborator) commented Aug 25, 2017

Let's signal error when both p12 and cert/keys are provided in the config.

@MrAnno MrAnno changed the title TLS: PKCS 12 support WIP! TLS: PKCS 12 support Aug 25, 2017

MrAnno (Collaborator, Author) commented Aug 28, 2017

@furiel Good idea, thanks.


Signed-off-by: László Várady <laszlo.varady@balabit.com>
Passphrase is not implemented yet.

Signed-off-by: László Várady <laszlo.varady@balabit.com>
Signed-off-by: László Várady <laszlo.varady@balabit.com>
@MrAnno MrAnno changed the title WIP! TLS: PKCS 12 support TLS: PKCS 12 support Aug 30, 2017

@lbudai lbudai merged commit 3c1b630 into syslog-ng:master Aug 30, 2017