
Pass PEER_CERT_SHA1 to handlers. #73

Merged
merged 3 commits into from

5 participants

ahbritto Zed A. Shaw Guillermo O. Freschi Jason Miller mcqueenorama
ahbritto

No description provided.

Zed A. Shaw
Owner

Hey, this is looking decent, but I got some questions:

  1. Why are you doing a manual hex convert in that for-loop on line 198 of the diff? Can you use something from bstring instead?
  2. Is it still necessary to modify polarssl? It's small so I'll include it but I'll try to push it upstream too.
  3. Does it still work with the current develop branch state?
  4. Can you create a setting for the config file to make this optional or configurable? Does it need that?

Thanks. I'll merge this in and maybe tweak it a little once you confirm the above.

ahbritto

I didn't see any such functionality in bstring.

Guillermo O. Freschi
Collaborator

Formatting as uppercase hex? sprintf and the pattern "%X". Also in bstring as bformat.

#include "bstrlib.h"

bstring hex = bfromcstr("");
/* Walks the digest from its last byte down to its first, appending two hex digits per byte. */
for (int i = sizeof(sha1sum) - 1; i >= 0; --i) {
    bformata(hex, "%02X", sha1sum[i]);
}

Although unrolling that loop is probably a good idea.

ahbritto

The suggested loop should be ascending.

Guillermo O. Freschi
Collaborator

No; I'm appending the numbers, so I start by the most significant.
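The value handlers will actually compare against is the one `openssl x509 -noout -fingerprint -sha1` prints, which has digest byte 0 first; the patch's nibble loop produces that order. The following is an added example, not code from this pull request or from mongrel2: it shows that the patch's manual hex loop, Python's `hexdigest()` and openssl's colon form agree, that reversing the bytes gives a different string, and what a handler should do with a PEER_CERT_SHA1 it receives under SSL_VERIFY_OPTIONAL (pin it against an allow-list, in constant time, and treat a missing value as "no client certificate"). The sample DER bytes, the allow-list and the `peer_allowed` helper are assumptions of the example.

```python
"""Peer-certificate fingerprint helpers (added example, not mongrel2 code).

Assumed contract: the server sends the handler an uppercase hex SHA-1 of the
client's DER certificate under the key PEER_CERT_SHA1, as this PR does, and
the handler keeps a set of pinned fingerprints it is willing to accept.
"""
import hashlib
import hmac


def digest_sha1(der: bytes) -> bytes:
    """Raw 20-byte SHA-1 over the DER encoding (what sha1_finish() yields)."""
    return hashlib.sha1(der).digest()


def fingerprint_sha1(der: bytes) -> str:
    """Uppercase hex SHA-1, digest byte 0 first: the same string the patch's
    loop builds and the same order openssl's -fingerprint output uses."""
    return digest_sha1(der).hex().upper()


def nibble_loop(digest: bytes) -> str:
    """Port of the patch's manual high-nibble/low-nibble loop, kept only to
    show it is equivalent to hex().upper()."""
    out = []
    for v in digest:
        for d in (v >> 4, v & 0x0F):
            out.append(chr(ord("0") + d) if d < 10 else chr(ord("A") + d - 10))
    return "".join(out)


def openssl_style(hexfp: str) -> str:
    """'A9:99:3E:...' form as printed by `openssl x509 -fingerprint`."""
    return ":".join(hexfp[i:i + 2] for i in range(0, len(hexfp), 2))


def normalize(fp: str) -> str:
    """Accept either bare hex or openssl's colon form, any case."""
    return fp.replace(":", "").strip().upper()


def peer_allowed(headers: dict, pinned: set) -> bool:
    """Handler-side check (hypothetical helper).

    SSL_VERIFY_OPTIONAL lets the handshake succeed with no client certificate
    at all, so a missing PEER_CERT_SHA1 must mean 'not authenticated'. The
    server has not validated the certificate against a CA, so the only
    meaningful check is whether this exact certificate is one we pinned.
    """
    fp = headers.get("PEER_CERT_SHA1")
    if not fp:
        return False
    fp = normalize(fp)
    if len(fp) != 40:          # SHA-1 is 20 bytes -> 40 hex digits
        return False
    ok = False
    for p in pinned:
        # Compare against every entry, in constant time, so neither the
        # position of the match nor the matching prefix length leaks.
        ok |= hmac.compare_digest(fp, normalize(p))
    return ok


# Constructed sample: a tiny DER SEQUENCE, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])

if __name__ == "__main__":
    fp = fingerprint_sha1(SAMPLE_DER)
    print("PEER_CERT_SHA1 =", fp)
    print("openssl form   =", openssl_style(fp))
    print("loop matches   =", nibble_loop(digest_sha1(SAMPLE_DER)) == fp)
    print("allowed        =", peer_allowed({"PEER_CERT_SHA1": fp}, {openssl_style(fp)}))
```

`normalize` lets the allow-list be pasted straight from openssl output; the length check rejects anything that is not a full SHA-1 before the comparison loop runs.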

Zed A. Shaw zedshaw merged commit ce4dcc5 into from
Zed A. Shaw
Owner

Ok I pulled this in and then cleaned it up a bit. I also made the SSL_VERIFY_OPTIONAL setting optional, so set:

ssl.verify_optional=1

In mongrel2.conf to test it out. Try it out for me please and then submit a new pull request if you find it has to be fixed up.

The option is set up in src/connection.c but used in src/io.c

mcqueenorama commented on the diff
src/connection.c
@@ -176,12 +176,49 @@ int connection_msg_to_handler(Connection *conn)
return CLOSE;
}
+void Connection_fingerprint_from_cert(Connection *conn) {
+ x509_cert* _x509P = conn->iob->ssl.peer_cert;

Does this depend on a different version of polarssl? The peer_cert is in the ssl_session, not in the ssl_context for the polarssl that is in my pull.

Jason Miller Collaborator
jasom added a note
Showing with 45 additions and 3 deletions.
  1. +37 −0 src/connection.c
  2. +3 −3 src/io.c
  3. +5 −0 src/polarssl/ssl_tls.c
37 src/connection.c
@@ -176,12 +176,49 @@ int connection_msg_to_handler(Connection *conn)
return CLOSE;
}
+void Connection_fingerprint_from_cert(Connection *conn) {
+ x509_cert* _x509P = conn->iob->ssl.peer_cert;
+
+ debug("Connection_send_to_handler: peer_cert: %016lX: tag=%d length=%ld",
+ (unsigned long) _x509P,
+ _x509P ? _x509P->raw.tag : -1,
+ _x509P ? _x509P->raw.len : -1);
+
+ if (_x509P && _x509P->raw.len) {
+ sha1_context ctx;
+ unsigned char sha1sum[20];
+ char hex[2*sizeof(sha1sum)+1];
+
+ sha1_starts(&ctx);
+ sha1_update(&ctx, _x509P->raw.p, _x509P->raw.len);
+ sha1_finish(&ctx, sha1sum);
+
+ int i;
+
+ for (i=0; i != sizeof(sha1sum); i++) {
+ int v,d;
+
+ v = sha1sum[i];
+ d = v >> 4;
+ hex[i*2] = d < 10 ? '0'+d : 'A'+d-10;
+ d = v & 0x0F;
+ hex[i*2+1] = d < 10 ? '0'+d : 'A'+d-10;
+ }
+
+ hex[sizeof(hex)-1] = 0;
+
+ Request_set(conn->req, bfromcstr("PEER_CERT_SHA1"), bfromcstr(hex), 1);
+ }
+}
int Connection_send_to_handler(Connection *conn, Handler *handler, char *body, int content_len)
{
int rc = 0;
bstring payload = NULL;
+ if(conn->iob->use_ssl)
+ Connection_fingerprint_from_cert(conn);
+
error_unless(handler->running, conn, 404,
"Handler shutdown while trying to deliver: %s", bdata(Request_path(conn->req)));
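Review bot: the `Request_set(conn->req, bfromcstr("PEER_CERT_SHA1"), bfromcstr(hex), 1)` call publishes the fingerprint whenever the peer presented any certificate, without looking at the verification result, and since io.c in this same patch sets SSL_VERIFY_OPTIONAL that result is never consulted anywhere; handlers must therefore treat PEER_CERT_SHA1 only as "which certificate was presented" and pin it against a known list, never as evidence of CA validation. Either say so in a comment above `Connection_fingerprint_from_cert`, or expose `ssl_get_verify_result(&conn->iob->ssl)` alongside the fingerprint so a handler can tell the two cases apart. Second, the call site in `Connection_send_to_handler` runs the SHA-1 on every request delivered over the connection although the peer certificate cannot change after the handshake; computing it once after `ssl_do_handshake` and caching the hex string on the IOBuf would remove that per-request cost. Minor: the `%016lX` cast of `_x509P` writes a heap address into the debug log for no diagnostic gain; `_x509P != NULL` carries the same information.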
6 src/io.c
@@ -150,7 +150,7 @@ static ssize_t ssl_send(IOBuf *iob, char *buffer, int len)
if(!iob->handshake_performed) {
int rcode = ssl_do_handshake(iob);
- check(rcode == 0, "SSL handshake failed.");
+ check(rcode == 0, "SSL handshake failed: %d", rcode);
}
for(sent = 0; len > 0; buffer += sent, len -= sent, total += sent) {
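Review bot: `rcode` is a negative PolarSSL error code and the `POLARSSL_ERR_*` constants are defined in hex, so logging it with `%d` prints a decimal that has to be converted back before it can be matched against the headers; `check(rcode == 0, "SSL handshake failed: -0x%04X", -rcode);` prints it the way the definitions are written. The same applies to the identical change in `ssl_recv` below.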
@@ -176,7 +176,7 @@ static ssize_t ssl_recv(IOBuf *iob, char *buffer, int len)
if(!iob->handshake_performed) {
int rcode = ssl_do_handshake(iob);
- check(rcode == 0, "SSL handshake failed.");
+ check(rcode == 0, "SSL handshake failed: %d", rcode);
}
return ssl_read(&iob->ssl, (unsigned char*) buffer, len);
@@ -338,7 +338,7 @@ static inline int iobuf_ssl_setup(IOBuf *buf)
check(rc == 0, "Failed to initialize SSL structure.");
ssl_set_endpoint(&buf->ssl, SSL_IS_SERVER);
- ssl_set_authmode(&buf->ssl, SSL_VERIFY_NONE);
+ ssl_set_authmode(&buf->ssl, SSL_VERIFY_OPTIONAL);
havege_init(&buf->hs);
ssl_set_rng(&buf->ssl, havege_rand, &buf->hs);
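Review bot: the switch from SSL_VERIFY_NONE to SSL_VERIFY_OPTIONAL is hard-coded, so every SSL listener now asks every TLS client for a certificate, including deployments whose handlers never read PEER_CERT_SHA1; this belongs behind a config setting read here rather than a constant (the merge comment above says it became `ssl.verify_optional`). Note also that no CA chain is set in `iobuf_ssl_setup`, so OPTIONAL combined with the ssl_tls.c change below means any certificate the client chooses to send is accepted and only its fingerprint reaches the handler.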
5 src/polarssl/ssl_tls.c
@@ -1417,6 +1417,11 @@ int ssl_parse_certificate( ssl_context *ssl )
if( ssl->ca_chain == NULL )
{
SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
+
+ /* Make certificate optional to allow self-signed certificate. */
+ if( ssl->authmode != SSL_VERIFY_REQUIRED )
+ return 0;
+
return( POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED );
}
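Review bot: the added `return 0` makes `ssl_parse_certificate` report success the moment no CA chain is configured, so nothing after this point in the function runs for OPTIONAL mode and the peer certificate is kept without any verification ever being attempted; the comment should say that explicitly rather than "allow self-signed certificate". The condition `ssl->authmode != SSL_VERIFY_REQUIRED` also covers SSL_VERIFY_NONE, so if that mode can reach this block it is changed as well; `ssl->authmode == SSL_VERIFY_OPTIONAL` states the intent more narrowly. Finally, this edits the vendored PolarSSL copy and will have to be reapplied on every upgrade (mcqueenorama's comment already shows `peer_cert` living in a different struct between versions), so until it is upstream mark the hunk with a distinctive comment such as `/* mongrel2 local patch */` so it is not silently lost.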