Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Periodically reload verify cert store (stable) #1186

Merged
merged 2 commits into from
Apr 30, 2020
Merged

Periodically reload verify cert store (stable) #1186

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
b75de76
Reload certificate store once an hour.
bbockelm Apr 22, 2020
4d50c02
Ifdef out newer OpenSSL functions.
bbockelm Apr 28, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
80 changes: 80 additions & 0 deletions src/XrdHttp/XrdHttpProtocol.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -91,6 +91,8 @@ char *XrdHttpProtocol::gridmap = 0;
XrdOucGMap *XrdHttpProtocol::servGMap = 0; // Grid mapping service

int XrdHttpProtocol::sslverifydepth = 9;
XrdSysRWLock XrdHttpProtocol::x509_store_lock;
X509_STORE *XrdHttpProtocol::verify_store = NULL;
SSL_CTX *XrdHttpProtocol::sslctx = 0;
BIO *XrdHttpProtocol::sslbio_err = 0;
XrdCryptoFactory *XrdHttpProtocol::myCryptoFactory = 0;
Expand Down Expand Up @@ -633,6 +635,19 @@ int XrdHttpProtocol::Process(XrdLink *lp) // We ignore the argument here
sbio = CreateBIO(Link);
BIO_set_nbio(sbio, 1);
ssl = SSL_new(sslctx);

// On newer versions of OpenSSL, we use the periodically
// updated store `verify_store` with the `x509_store_lock`
// held; older OpenSSL versions are missing `SSL_set1_*_cert_store`,
// so we simply rely on the global one in SSL_CTX. The latter
// doesn't refresh the verify store, which causes issues with some
// plugins.
#if OPENSSL_VERSION_NUMBER >= 0x010100000L
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not so fast, the test should be '>' not '>=' because OpenSSL 1.01 does not have the set1 functions. I know from your comment that you did compile it on SL6 but that only worked because someone must have upgraded their OpenSSL (which of course they should have). Unfortunately, lots of sites use RH6 out of the box and it comes with 1.0.1e-fips and it definitely won't compile! I think all of teh test should change and hen you'll be fine.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure I understand this?

OPENSSL_VERSION_NUMBER >= 0x010100000L should test for 1.1.0 or later. That is, it only enables this code if you are at least on 1.1.0 -- that should exclude any variant of RHEL6.

(FWIW - the OpenSSL RPM I tested against was openssl-1.0.1e-58.el6_10.x86_64)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure if it is intentional, but it will also exclude any variant of RHEL7, as e.g. both Centos7 and CC7 have openssl 1.0.2k. From what I see SSL_set1_verify_cert_store & SSL_set1_chain_cert_store are available in OpenSSL 1.0.2 (see e.g. https://github.com/openssl/openssl/blob/OpenSSL_1_0_2k/ssl/ssl.h). If we would like to include RHEL7 we should test for OPENSSL_VERSION_NUMBER >= 0x10002000L.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Argh - sorry, I haven't been able to sit down and get to this in the last two days (which have each had >6hrs of Zoom meetings...). You're right, this is too strict.

XrdSysRWLockHelper scopedLock(x509_store_lock, true);
SSL_set1_verify_cert_store(ssl, verify_store);
SSL_set1_chain_cert_store(ssl, verify_store);
#endif

}

if (!ssl) {
Expand Down Expand Up @@ -1686,6 +1701,57 @@ extern "C" int verify_callback(int ok, X509_STORE_CTX * store) {


/// Initialization of the ssl security
// Only scheduled on sufficiently new OpenSSL.

class XrdCertStoreJob : XrdJob
{
public:

void DoIt() {XrdHttpProtocol::PeriodicUpdate();
Sched->Schedule((XrdJob *)this, time(0)+iVal);
}

XrdCertStoreJob(XrdScheduler *schP, int iV)
: XrdJob("cert store updater"),
Sched(schP), iVal(iV)
{Sched->Schedule((XrdJob *)this, time(0)+iVal);}
~XrdCertStoreJob() {}
private:

XrdScheduler *Sched;
int iVal;
};

void XrdHttpProtocol::PeriodicUpdate() {

X509_STORE *new_store = PrepareStore();
TRACE(EMSG, "Updating new cert store");
if (new_store) {
XrdSysRWLockHelper scopedLock(x509_store_lock, false);
X509_STORE_free(verify_store);
verify_store = new_store;
}
}

X509_STORE *XrdHttpProtocol::PrepareStore() {
X509_STORE *store = X509_STORE_new();

if (!store) {
eDest.Say(" error: failed to allocate new certificate store");
return NULL;
}

X509_STORE_set_depth(store, sslverifydepth);
X509_STORE_set_flags(store, X509_V_FLAG_ALLOW_PROXY_CERTS);

if (!X509_STORE_load_locations(store, sslcafile, sslcadir)) {
TRACE(EMSG, " Error setting the ca file or directory.");
ERR_print_errors(sslbio_err);
return NULL;
}

return store;
}

int XrdHttpProtocol::InitSecurity() {

Expand Down Expand Up @@ -1767,6 +1833,20 @@ int XrdHttpProtocol::InitSecurity() {
}
}

// Initialize a store for use on individual SSL objects and schedule
// a periodic update. These separate stores are only usable on versions
// of OpenSSL 1.1.0 or later.
#if OPENSSL_VERSION_NUMBER >= 0x010100000L
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here.

{
XrdSysRWLockHelper scopedLock(x509_store_lock, false);
verify_store = PrepareStore();
if (!verify_store) {
exit(1);
}
}
new XrdCertStoreJob(Sched, 3600);
#endif

// Use default cipherlist filter if none is provided
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
// For OpenSSL v1.0.2+ (EL7+), use recommended cipher list from Mozilla
Expand Down
10 changes: 10 additions & 0 deletions src/XrdHttp/XrdHttpProtocol.hh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -128,6 +128,9 @@ public:
/// called via https
bool isHTTPS() { return ishttps; }

/// Handle periodic refresh of the CRLs
static void PeriodicUpdate();

private:


Expand All @@ -137,6 +140,9 @@ private:
/// Initialization of the ssl security things
static int InitSecurity();

/// Generate a new cert store.
static X509_STORE *PrepareStore();

/// Start a response back to the client
int StartSimpleResp(int code, const char *desc, const char *header_to_add, long long bodylen, bool keepalive);

Expand Down Expand Up @@ -255,6 +261,10 @@ private:
/// Global, static SSL context
static SSL_CTX *sslctx;

/// Current X509_STORE and associated locks.
static X509_STORE *verify_store;
static XrdSysRWLock x509_store_lock;

/// Private SSL context
SSL *ssl;

Expand Down