commit e475bd0c92059abef48c2bfa4643e93163986800
parent 9e12b2c6ddff30f3559e1fe613cacb7930416740
Author: Joris Vink <joris@coders.se>
Date: Sat, 9 Jun 2018 12:50:50 +0200
Add configurable x509 chain validation depth.
You can now per domain configure the depth for x509 chain validation:
client_verify_depth 1
By default this is 1.
While here change around some log messages and properly set
the callback for x509 verification rather than via hoops and loops.
Diffstat:
3 files changed, 29 insertions(+), 9 deletions(-)
diff --git a/include/kore/kore.h b/include/kore/kore.h
@@ -351,6 +351,7 @@ struct kore_domain {
char *certfile;
char *certkey;
SSL_CTX *ssl_ctx;
+ int x509_verify_depth;
#endif
TAILQ_HEAD(, kore_module_handle) handlers;
TAILQ_ENTRY(kore_domain) list;
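Review bot: The new x509_verify_depth field holds a security limit but has no comment saying what it controls, where it is set, or what its default is, so a reader of the header has to find the config keyword and the TLS setup on their own. A trailing comment such as `int x509_verify_depth; /* client_verify_depth; passed to SSL_CTX_set_verify_depth(), default 1 */` would tie the three together. struct kore_domain begins before the hunk.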
diff --git a/src/config.c b/src/config.c
@@ -70,6 +70,7 @@ static int configure_certkey(char *);
static int configure_tls_version(char *);
static int configure_tls_cipher(char *);
static int configure_tls_dhparam(char *);
+static int configure_client_verify_depth(char *);
static int configure_client_certificates(char *);
#endif
@@ -143,6 +144,7 @@ static struct {
{ "certfile", configure_certfile },
{ "certkey", configure_certkey },
{ "client_certificates", configure_client_certificates },
+ { "client_verify_depth", configure_client_verify_depth },
#endif
#if !defined(KORE_NO_HTTP)
{ "static", configure_static_handler },
@@ -435,6 +437,27 @@ configure_tls_dhparam(char *path)
}
static int
+configure_client_verify_depth(char *value)
+{
+ int err, depth;
+
+ if (current_domain == NULL) {
+ printf("client_verify_depth not specified in domain context\n");
+ return (KORE_RESULT_ERROR);
+ }
+
+ depth = kore_strtonum(value, 10, 0, INT_MAX, &err);
+ if (err != KORE_RESULT_OK) {
+ printf("bad client_verify_depth value: %s\n", value);
+ return (KORE_RESULT_ERROR);
+ }
+
+ current_domain->x509_verify_depth = depth;
+
+ return (KORE_RESULT_OK);
+}
+
+static int
configure_client_certificates(char *options)
{
char *argv[3];
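Review bot: The range accepted on the kore_strtonum call, 0 to INT_MAX, lets a single mistyped value effectively lift the chain-length limit that the default of 1 is meant to impose, and it admits 0 without saying what a zero depth means. The value is a count of certificates above the peer certificate, so a small named upper bound would keep a typo from disabling the check; whether 0 is a meaningful setting or should be rejected should be confirmed against the OpenSSL release in use, since the counting of chain levels has differed between releases. A one-line comment above the function, such as `/* client_verify_depth: per-domain maximum chain depth handed to SSL_CTX_set_verify_depth(); default 1 */`, would make the keyword's effect findable from here. The hunk ends inside configure_client_certificates, whose body continues outside it.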
diff --git a/src/domain.c b/src/domain.c
@@ -184,6 +184,7 @@ kore_domain_new(char *domain)
dom->ssl_ctx = NULL;
dom->certfile = NULL;
dom->crlfile = NULL;
+ dom->x509_verify_depth = 1;
#endif
dom->domain = kore_strdup(domain);
TAILQ_INIT(&(dom->handlers));
@@ -245,7 +246,6 @@ kore_domain_tlsinit(struct kore_domain *dom)
EVP_PKEY *pkey;
STACK_OF(X509_NAME) *certs;
EC_KEY *eckey;
- X509_STORE *store;
const SSL_METHOD *method;
#if !defined(OPENSSL_NO_EC)
EC_KEY *ecdh;
@@ -370,15 +370,10 @@ kore_domain_tlsinit(struct kore_domain *dom)
}
SSL_CTX_load_verify_locations(dom->ssl_ctx, dom->cafile, NULL);
- SSL_CTX_set_verify_depth(dom->ssl_ctx, 1);
+ SSL_CTX_set_verify_depth(dom->ssl_ctx, dom->x509_verify_depth);
SSL_CTX_set_client_CA_list(dom->ssl_ctx, certs);
SSL_CTX_set_verify(dom->ssl_ctx, SSL_VERIFY_PEER |
- SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
-
- if ((store = SSL_CTX_get_cert_store(dom->ssl_ctx)) == NULL)
- fatal("SSL_CTX_get_cert_store(): %s", ssl_errno_s);
-
- X509_STORE_set_verify_cb(store, domain_x509_verify);
+ SSL_VERIFY_FAIL_IF_NO_PEER_CERT, domain_x509_verify);
}
SSL_CTX_set_session_id_context(dom->ssl_ctx,
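Review bot: With domain_x509_verify now installed through SSL_CTX_set_verify, it is invoked with preverify_ok set to 0 for every verification failure, including the X509_V_ERR_CERT_CHAIN_TOO_LONG that OpenSSL raises when a chain exceeds the depth set on the line above; the configurable limit therefore only holds if the callback returns preverify_ok (or 0) for any error it does not deliberately handle, which should be confirmed in domain_x509_verify, outside this hunk. A short comment at the SSL_CTX_set_verify call would record that expectation, e.g. `/* domain_x509_verify must propagate preverify_ok; returning 1 here would override depth and CRL failures */`. The unchecked return of SSL_CTX_load_verify_locations just above is pre-existing, but a failed CA load currently surfaces only as clients failing to connect; checking it and logging dom->domain would make a bad cafile diagnosable at startup. kore_domain_tlsinit continues outside the hunk on both sides.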
@@ -469,7 +464,8 @@ domain_load_crl(struct kore_domain *dom)
return;
if (dom->crlfile == NULL) {
- kore_log(LOG_WARNING, "WARNING: Running without CRL");
+ kore_log(LOG_WARNING, "WARNING: no CRL configured for '%s'",
+ dom->domain);
return;
}