@alltilla alltilla commented Apr 3, 2023

Filling the certificate_authorities field of the certificate request, to help clients choose certs to use.

From https://www.ietf.org/rfc/rfc5246.txt 7.4.4:

certificate_authorities
A list of the distinguished names [X501] of acceptable
certificate_authorities, represented in DER-encoded format. These
distinguished names may specify a desired distinguished name for a
root CA or for a subordinate CA; thus, this message can be used to
describe known roots as well as a desired authorization space. If
the certificate_authorities list is empty, then the client MAY
send any certificate of the appropriate ClientCertificateType,
unless there is some external arrangement to the contrary.

Example:

source s_network {
  network(
    port(12345)
    transport(tls)
    tls(
      ca-dir("/etc/ssl/certs/")
      ca-file("/home/alltilla/repos/syslog-ng/build/install/ssl/ca.crt")
      key-file("/home/alltilla/repos/syslog-ng/build/install/ssl/server.key")
      cert-file("/home/alltilla/repos/syslog-ng/build/install/ssl/server.crt")
      peer-verify(required-trusted)
      ssl-options(no_tlsv13)
    )
  );
};

Screenshot from 2023-04-03 18-01-43

Signed-off-by: Attila Szakacs <attila.szakacs@axoflow.com>
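An added example, not code from this PR or from syslog-ng: it builds the certificate_authorities vector of a TLS 1.2 CertificateRequest from DER-encoded distinguished names, parses it back the way a client would (rejecting truncated or empty names), and applies the RFC 5246 7.4.4 rule for choosing a client certificate (issuer on the list, or any certificate when the list is empty). The DN values and certificate labels are constructed sample data, and the DER encoder covers only the C, O and CN attributes used in the sample.

```python
"""Build and parse the certificate_authorities vector of a TLS 1.2
CertificateRequest (RFC 5246 7.4.4) and apply the client-side selection rule.
Added example, not syslog-ng code; the DN values used are constructed samples."""
import struct

# X.500 attribute OIDs (DER content octets) for the sample names.
OIDS = {"C": b"\x55\x04\x06", "O": b"\x55\x04\x0a", "CN": b"\x55\x04\x03"}

def _tlv(tag, body):
    """DER tag-length-value; long-form length for bodies of 128 bytes or more."""
    n = len(body)
    length = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else b"\x82" + struct.pack("!H", n)
    return bytes([tag]) + length + body

def der_name(rdns):
    """X.501 Name: SEQUENCE OF SET OF SEQUENCE { attribute OID, value }."""
    out = b""
    for attr, value in rdns:
        tag = 0x13 if attr == "C" else 0x0C  # PrintableString / UTF8String
        atv = _tlv(0x06, OIDS[attr]) + _tlv(tag, value.encode())
        out += _tlv(0x31, _tlv(0x30, atv))
    return _tlv(0x30, out)

def encode_certificate_authorities(names):
    """certificate_authorities<0..2^16-1>: each DistinguishedName<1..2^16-1>
    carries a 2-byte length; the whole vector is prefixed with its own."""
    body = b"".join(struct.pack("!H", len(n)) + n for n in names)
    return struct.pack("!H", len(body)) + body

def decode_certificate_authorities(data):
    """Parse the vector as a client would, rejecting truncated or empty names."""
    if len(data) < 2 or len(data) < 2 + struct.unpack("!H", data[:2])[0]:
        raise ValueError("truncated certificate_authorities vector")
    end, pos, names = 2 + struct.unpack("!H", data[:2])[0], 2, []
    while pos < end:
        n = struct.unpack("!H", data[pos:pos + 2])[0] if pos + 2 <= end else 0
        if n == 0 or pos + 2 + n > end:
            raise ValueError("bad DistinguishedName length")
        names.append(data[pos + 2:pos + 2 + n])
        pos += 2 + n
    return names

def choose_client_cert(certs, acceptable):
    """certs: (label, issuer_der) pairs. An empty acceptable list means the
    client MAY send any certificate (RFC 5246); otherwise the issuer must match."""
    for label, issuer in certs:
        if not acceptable or issuer in acceptable:
            return label
    return None
```

Against a running source with the configuration above, `openssl s_client -connect localhost:12345` prints the names it received under "Acceptable client certificate CA names" (or "No client certificate CA names sent" when the list is empty), which is the quickest way to confirm the server is populating the field.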

alltilla added a commit to alltilla/syslog-ng that referenced this pull request Apr 3, 2023
Signed-off-by: Attila Szakacs <attila.szakacs@axoflow.com>
@alltilla alltilla force-pushed the tls-set-client-CA-list branch from a18b450 to 63f59b0 Compare April 3, 2023 16:08

alltilla commented Apr 3, 2023

I know that this is yet another case where sometimes the function is a NOOP, but it would be strange to see the preprocessor macros about the SSL functions being further away from the place they are actually called.

alltilla added a commit to alltilla/syslog-ng that referenced this pull request Apr 4, 2023
Signed-off-by: Attila Szakacs <attila.szakacs@axoflow.com>
@alltilla alltilla force-pushed the tls-set-client-CA-list branch from 63f59b0 to 50a41ee Compare April 4, 2023 07:15
alltilla added a commit to alltilla/syslog-ng that referenced this pull request Apr 4, 2023
Signed-off-by: Attila Szakacs <attila.szakacs@axoflow.com>
@alltilla alltilla force-pushed the tls-set-client-CA-list branch from 50a41ee to 27e3b60 Compare April 4, 2023 07:42

alltilla commented Apr 4, 2023

I have observed that in case of failure the X509_NAMEs were leaking. Added a fix for it.

alltilla added 2 commits April 4, 2023 09:48
Filling the certificate_authorities field of the certificate request,
to help clients choose certs to use.

From https://www.ietf.org/rfc/rfc5246.txt 7.4.4:
>   certificate_authorities
>      A list of the distinguished names [X501] of acceptable
>      certificate_authorities, represented in DER-encoded format.  These
>      distinguished names may specify a desired distinguished name for a
>      root CA or for a subordinate CA; thus, this message can be used to
>      describe known roots as well as a desired authorization space.  If
>      the certificate_authorities list is empty, then the client MAY
>      send any certificate of the appropriate ClientCertificateType,
>      unless there is some external arrangement to the contrary.

Signed-off-by: Attila Szakacs <attila.szakacs@axoflow.com>
Signed-off-by: Attila Szakacs <attila.szakacs@axoflow.com>
@alltilla alltilla force-pushed the tls-set-client-CA-list branch from 27e3b60 to 6dda2a8 Compare April 4, 2023 07:48
@MrAnno MrAnno merged commit afca6b0 into syslog-ng:master Apr 4, 2023