lighttpd
/
lighttpd1.4
2
0
Fork 0
Code Issues Releases Wiki Activity
Browse Source

[TLS] rename ssl.verifyclient.ca-*file options 

rename to reflect use for verifying client certificate
(old names are still accepted, but are discouraged)

ssl.ca-file     -> ssl.verifyclient.ca-file
ssl.ca-dn-file  -> ssl.verifyclient.ca-dn-file
ssl.ca-crl-file -> ssl.verifyclient.ca-crl-file
master
Glenn Strauss 8 months ago
parent
325d89b99f
commit
454ecaa5f9
5 changed files with 172 additions and 14 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 31
      src/mod_gnutls.c
  2. 36
      src/mod_mbedtls.c
  3. 33
      src/mod_nss.c
  4. 44
      src/mod_openssl.c
  5. 42
      src/mod_wolfssl.c

31
src/mod_gnutls.c
View File

@ -694,6 +694,12 @@ mod_gnutls_merge_config_cpv (plugin_config * const pconf, const config_plugin_va
case 14:/* debug.log-ssl-noise */
pconf->ssl_log_noise = (unsigned char)cpv->v.shrt;
break;
#if 0 /*(cpk->k_id remapped in mod_gnutls_set_defaults())*/
case 15:/* ssl.verifyclient.ca-file */
case 16:/* ssl.verifyclient.ca-dn-file */
case 17:/* ssl.verifyclient.ca-crl-file */
break;
#endif
default:/* should not happen */
return;
}
@ -749,7 +755,7 @@ mod_gnutls_verify_set_tlist (handler_ctx *hctx, int req)
: hctx->conf.ssl_ca_file;
if (NULL == d) {
log_error(hctx->r->conf.errh, __FILE__, __LINE__,
"GnuTLS: can't verify client without ssl.ca-file "
"GnuTLS: can't verify client without ssl.verifyclient.ca-file "
"for TLS server name %s",
hctx->r->uri.authority.ptr); /*(might not be set yet if no SNI)*/
return GNUTLS_E_INTERNAL_ERROR;
@ -2131,6 +2137,15 @@ SETDEFAULTS_FUNC(mod_gnutls_set_defaults)
,{ CONST_STR_LEN("debug.log-ssl-noise"),
T_CONFIG_SHORT,
T_CONFIG_SCOPE_CONNECTION }
,{ CONST_STR_LEN("ssl.verifyclient.ca-file"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
,{ CONST_STR_LEN("ssl.verifyclient.ca-dn-file"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
,{ CONST_STR_LEN("ssl.verifyclient.ca-crl-file"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
,{ NULL, 0,
T_CONFIG_UNSET,
T_CONFIG_SCOPE_UNSET }
@ -2156,6 +2171,12 @@ SETDEFAULTS_FUNC(mod_gnutls_set_defaults)
case 1: /* ssl.privkey */
if (!buffer_string_is_empty(cpv->v.b)) privkey = cpv;
break;
case 15:/* ssl.verifyclient.ca-file */
if (cpv->k_id == 15) cpv->k_id = 2;
__attribute_fallthrough__
case 16:/* ssl.verifyclient.ca-dn-file */
if (cpv->k_id == 16) cpv->k_id = 3;
__attribute_fallthrough__
case 2: /* ssl.ca-file */
case 3: /* ssl.ca-dn-file */
if (!buffer_string_is_empty(cpv->v.b)) {
@ -2172,6 +2193,9 @@ SETDEFAULTS_FUNC(mod_gnutls_set_defaults)
}
}
break;
case 17:/* ssl.verifyclient.ca-crl-file */
cpv->k_id = 4;
__attribute_fallthrough__
case 4: /* ssl.ca-crl-file */
if (!buffer_string_is_empty(cpv->v.b)) {
gnutls_datum_t *d =
@ -2208,6 +2232,11 @@ SETDEFAULTS_FUNC(mod_gnutls_set_defaults)
ssl_stapling_file = cpv->v.b;
break;
case 14:/* debug.log-ssl-noise */
#if 0 /*(handled further above)*/
case 15:/* ssl.verifyclient.ca-file */
case 16:/* ssl.verifyclient.ca-dn-file */
case 17:/* ssl.verifyclient.ca-crl-file */
#endif
break;
default:/* should not happen */
break;

36
src/mod_mbedtls.c
View File

@ -477,7 +477,7 @@ mod_mbedtls_free_config (server *srv, plugin_data * const p)
free(cacert);
}
break;
case 4: /* ssl.ca-dn-file */
case 4: /* ssl.ca-crl-file */
if (cpv->vtype == T_CONFIG_LOCAL) {
mbedtls_x509_crl *crl = cpv->v.v;
mbedtls_x509_crl_free(crl);
@ -550,6 +550,12 @@ mod_mbedtls_merge_config_cpv (plugin_config * const pconf, const config_plugin_v
case 13:/* debug.log-ssl-noise */
pconf->ssl_log_noise = (unsigned char)cpv->v.shrt;
break;
#if 0 /*(cpk->k_id remapped in mod_mbedtls_set_defaults())*/
case 14:/* ssl.verifyclient.ca-file */
case 15:/* ssl.verifyclient.ca-dn-file */
case 16:/* ssl.verifyclient.ca-crl-file */
break;
#endif
default:/* should not happen */
return;
}
@ -766,7 +772,7 @@ mod_mbedtls_conf_verify (handler_ctx *hctx, mbedtls_ssl_config *ssl_ctx)
{
if (NULL == hctx->conf.ssl_ca_file) {
log_error(hctx->r->conf.errh, __FILE__, __LINE__,
"MTLS: can't verify client without ssl.ca-file "
"MTLS: can't verify client without ssl.verifyclient.ca-file "
"for TLS server name %s",
hctx->r->uri.authority.ptr);
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
@ -1607,6 +1613,9 @@ mod_mbedtls_set_defaults_sockets(server *srv, plugin_data *p)
case 12:/* ssl.acme-tls-1 */
conf.ssl_acme_tls_1 = cpv->v.b;
break;
#if 0 /*(cpk->k_id remapped in mod_mbedtls_set_defaults())*/
case 14:/* ssl.verifyclient.ca-file */
#endif
default:
break;
}
@ -1721,6 +1730,15 @@ SETDEFAULTS_FUNC(mod_mbedtls_set_defaults)
,{ CONST_STR_LEN("debug.log-ssl-noise"),
T_CONFIG_SHORT,
T_CONFIG_SCOPE_CONNECTION }
,{ CONST_STR_LEN("ssl.verifyclient.ca-file"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
,{ CONST_STR_LEN("ssl.verifyclient.ca-dn-file"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
,{ CONST_STR_LEN("ssl.verifyclient.ca-crl-file"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
,{ NULL, 0,
T_CONFIG_UNSET,
T_CONFIG_SCOPE_UNSET }
@ -1745,6 +1763,12 @@ SETDEFAULTS_FUNC(mod_mbedtls_set_defaults)
case 1: /* ssl.privkey */
if (!buffer_string_is_empty(cpv->v.b)) privkey = cpv;
break;
case 14:/* ssl.verifyclient.ca-file */
if (cpv->k_id == 14) cpv->k_id = 2;
__attribute_fallthrough__
case 15:/* ssl.verifyclient.ca-dn-file */
if (cpv->k_id == 15) cpv->k_id = 3;
__attribute_fallthrough__
case 2: /* ssl.ca-file */
case 3: /* ssl.ca-dn-file */
#if 0 /* defer; not necessary for pemfile parsing */
@ -1769,6 +1793,9 @@ SETDEFAULTS_FUNC(mod_mbedtls_set_defaults)
}
}
break;
case 16:/* ssl.verifyclient.ca-crl-file */
cpv->k_id = 4;
__attribute_fallthrough__
case 4: /* ssl.ca-crl-file */
if (!buffer_string_is_empty(cpv->v.b)) {
mbedtls_x509_crl *crl = malloc(sizeof(*crl));
@ -1805,6 +1832,11 @@ SETDEFAULTS_FUNC(mod_mbedtls_set_defaults)
case 11:/* ssl.verifyclient.exportcert */
case 12:/* ssl.acme-tls-1 */
case 13:/* debug.log-ssl-noise */
#if 0 /*(handled further above)*/
case 14:/* ssl.verifyclient.ca-file */
case 15:/* ssl.verifyclient.ca-dn-file */
case 16:/* ssl.verifyclient.ca-crl-file */
#endif
break;
default:/* should not happen */
break;

33
src/mod_nss.c
View File

@ -919,6 +919,12 @@ mod_nss_merge_config_cpv (plugin_config * const pconf, const config_plugin_value
case 14:/* debug.log-ssl-noise */
pconf->ssl_log_noise = (unsigned char)cpv->v.shrt;
break;
#if 0 /*(cpk->k_id remapped in mod_nss_set_defaults())*/
case 15:/* ssl.verifyclient.ca-file */
case 16:/* ssl.verifyclient.ca-dn-file */
case 17:/* ssl.verifyclient.ca-crl-file */
break;
#endif
default:/* should not happen */
return;
}
@ -1423,7 +1429,7 @@ mod_nss_SNI (PRFileDesc *ssl, const SECItem *srvNameArr, PRUint32 srvNameArrSize
: hctx->conf.ssl_ca_file;
if (NULL == certList)
log_error(hctx->r->conf.errh, __FILE__, __LINE__,
"NSS: can't verify client without ssl.ca-file "
"NSS: can't verify client without ssl.verifyclient.ca-file "
"for TLS server name %s",
hctx->r->uri.authority.ptr); /*(might not be set yet if no SNI)*/
if (certList && SSL_SetTrustAnchors(ssl, certList) < 0) {
@ -1942,6 +1948,15 @@ SETDEFAULTS_FUNC(mod_nss_set_defaults)
,{ CONST_STR_LEN("debug.log-ssl-noise"),
T_CONFIG_SHORT,
T_CONFIG_SCOPE_CONNECTION }
,{ CONST_STR_LEN("ssl.verifyclient.ca-file"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
,{ CONST_STR_LEN("ssl.verifyclient.ca-dn-file"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
,{ CONST_STR_LEN("ssl.verifyclient.ca-crl-file"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
,{ NULL, 0,
T_CONFIG_UNSET,
T_CONFIG_SCOPE_UNSET }
@ -1967,6 +1982,9 @@ SETDEFAULTS_FUNC(mod_nss_set_defaults)
case 1: /* ssl.privkey */
if (!buffer_string_is_empty(cpv->v.b)) privkey = cpv;
break;
case 15:/* ssl.verifyclient.ca-file */
cpv->k_id = 2;
__attribute_fallthrough__
case 2: /* ssl.ca-file */
if (!buffer_string_is_empty(cpv->v.b)) {
CERTCertList *d =
@ -1982,6 +2000,9 @@ SETDEFAULTS_FUNC(mod_nss_set_defaults)
}
}
break;
case 16:/* ssl.verifyclient.ca-dn-file */
cpv->k_id = 3;
__attribute_fallthrough__
case 3: /* ssl.ca-dn-file */
if (!buffer_string_is_empty(cpv->v.b)) {
CERTCertList *d =
@ -1997,6 +2018,9 @@ SETDEFAULTS_FUNC(mod_nss_set_defaults)
}
}
break;
case 17:/* ssl.verifyclient.ca-crl-file */
cpv->k_id = 4;
__attribute_fallthrough__
case 4: /* ssl.ca-crl-file */
if (!buffer_string_is_empty(cpv->v.b)) {
CERTCertificateList *d =
@ -2033,6 +2057,11 @@ SETDEFAULTS_FUNC(mod_nss_set_defaults)
ssl_stapling_file = cpv->v.b;
break;
case 14:/* debug.log-ssl-noise */
#if 0 /*(handled further above)*/
case 15:/* ssl.verifyclient.ca-file */
case 16:/* ssl.verifyclient.ca-dn-file */
case 17:/* ssl.verifyclient.ca-crl-file */
#endif
break;
default:/* should not happen */
break;
@ -2319,7 +2348,7 @@ CONNECTION_FUNC(mod_nss_handle_con_accept)
: hctx->conf.ssl_ca_file;
if (NULL == certList) {
log_error(hctx->r->conf.errh, __FILE__, __LINE__,
"NSS: can't verify client without ssl.ca-file "
"NSS: can't verify client without ssl.verifyclient.ca-file "
"for TLS server name %s",
hctx->r->uri.authority.ptr); /*(might not be set yet if no SNI)*/
return hctx->conf.ssl_verifyclient_enforce

44
src/mod_openssl.c
View File

@ -755,7 +755,7 @@ mod_openssl_load_cacerts (const buffer *ssl_ca_file, log_error_st *errh)
if (NULL == chain_store) {
log_error(errh, __FILE__, __LINE__,
"SSL: ssl.ca-file is empty %s", file);
"SSL: ssl.verifyclient.ca-file is empty %s", file);
return NULL;
}
@ -884,6 +884,12 @@ mod_openssl_merge_config_cpv (plugin_config * const pconf, const config_plugin_v
case 14:/* debug.log-ssl-noise */
pconf->ssl_log_noise = (0 != cpv->v.u);
break;
#if 0 /*(cpk->k_id remapped in mod_openssl_set_defaults())*/
case 15:/* ssl.verifyclient.ca-file */
case 16:/* ssl.verifyclient.ca-dn-file */
case 17:/* ssl.verifyclient.ca-crl-file */
break;
#endif
default:/* should not happen */
return;
}
@ -1136,7 +1142,7 @@ mod_openssl_cert_cb (SSL *ssl, void *arg)
if (hctx->conf.ssl_verifyclient) {
if (NULL == hctx->conf.ssl_ca_file) {
log_error(hctx->r->conf.errh, __FILE__, __LINE__,
"SSL: can't verify client without ssl.ca-file "
"SSL: can't verify client without ssl.verifyclient.ca-file "
"for TLS server name %s", hctx->r->uri.authority.ptr);
return 0;
}
@ -2302,7 +2308,7 @@ network_init_ssl (server *srv, plugin_config_socket *s, plugin_data *p)
if (NULL == s->ssl_ca_file) {
log_error(srv->errh, __FILE__, __LINE__,
"SSL: You specified ssl.verifyclient.activate "
"but no ssl.ca-file");
"but no ssl.verifyclient.ca-file");
return -1;
}
/* WTH openssl? SSL_CTX_set_client_CA_list() calls set0_CA_list(),
@ -2602,6 +2608,11 @@ mod_openssl_set_defaults_sockets(server *srv, plugin_data *p)
case 9: /* ssl.verifyclient.depth */
conf.ssl_verifyclient_depth = (unsigned char)cpv->v.shrt;
break;
#if 0 /*(cpk->k_id remapped in mod_openssl_set_defaults())*/
case 15:/* ssl.verifyclient.ca-file */
case 16:/* ssl.verifyclient.ca-dn-file */
case 17:/* ssl.verifyclient.ca-crl-file */
#endif
default:
break;
}
@ -2708,6 +2719,15 @@ SETDEFAULTS_FUNC(mod_openssl_set_defaults)
,{ CONST_STR_LEN("debug.log-ssl-noise"),
T_CONFIG_BOOL,
T_CONFIG_SCOPE_CONNECTION }
,{ CONST_STR_LEN("ssl.verifyclient.ca-file"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
,{ CONST_STR_LEN("ssl.verifyclient.ca-dn-file"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
,{ CONST_STR_LEN("ssl.verifyclient.ca-crl-file"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
,{ NULL, 0,
T_CONFIG_UNSET,
T_CONFIG_SCOPE_UNSET }
@ -2740,6 +2760,9 @@ SETDEFAULTS_FUNC(mod_openssl_set_defaults)
case 1: /* ssl.privkey */
if (!buffer_string_is_empty(cpv->v.b)) privkey = cpv;
break;
case 15:/* ssl.verifyclient.ca-file */
cpv->k_id = 2;
__attribute_fallthrough__
case 2: /* ssl.ca-file */
if (buffer_string_is_empty(cpv->v.b)) break;
if (!mod_openssl_init_once_openssl(srv)) return HANDLER_ERROR;
@ -2756,6 +2779,9 @@ SETDEFAULTS_FUNC(mod_openssl_set_defaults)
return HANDLER_ERROR;
}
break;
case 16:/* ssl.verifyclient.ca-dn-file */
cpv->k_id = 3;
__attribute_fallthrough__
case 3: /* ssl.ca-dn-file */
if (buffer_string_is_empty(cpv->v.b)) break;
if (!mod_openssl_init_once_openssl(srv)) return HANDLER_ERROR;
@ -2771,6 +2797,9 @@ SETDEFAULTS_FUNC(mod_openssl_set_defaults)
return HANDLER_ERROR;
}
break;
case 17:/* ssl.verifyclient.ca-crl-file */
cpv->k_id = 4;
__attribute_fallthrough__
case 4: /* ssl.ca-crl-file */
if (buffer_string_is_empty(cpv->v.b)) break;
ssl_ca_crl_file = cpv->v.b;
@ -2797,6 +2826,11 @@ SETDEFAULTS_FUNC(mod_openssl_set_defaults)
ssl_stapling_file = cpv->v.b;
break;
case 14:/* debug.log-ssl-noise */
#if 0 /*(handled further above)*/
case 15:/* ssl.verifyclient.ca-file */
case 16:/* ssl.verifyclient.ca-dn-file */
case 17:/* ssl.verifyclient.ca-crl-file */
#endif
break;
default:/* should not happen */
break;
@ -2817,8 +2851,8 @@ SETDEFAULTS_FUNC(mod_openssl_set_defaults)
#else
if (NULL == ca_store && ssl_ca_crl_file && i != 0) {
log_error(srv->errh, __FILE__, __LINE__,
"ssl.ca-crl-file (%s) ignored unless issued with ssl.ca-file",
ssl_ca_crl_file->ptr);
"ssl.verifyclient.ca-crl-file (%s) ignored unless issued with "
"ssl.verifyclient.ca-file", ssl_ca_crl_file->ptr);
}
else if (ca_store && (ssl_ca_crl_file || default_ssl_ca_crl_file)) {
/* prior behavior in lighttpd allowed ssl.ca-crl-file only in global

42
src/mod_wolfssl.c
View File

@ -1026,6 +1026,12 @@ mod_openssl_merge_config_cpv (plugin_config * const pconf, const config_plugin_v
case 14:/* debug.log-ssl-noise */
pconf->ssl_log_noise = (0 != cpv->v.u);
break;
#if 0 /*(cpk->k_id remapped in mod_openssl_set_defaults())*/
case 15:/* ssl.verifyclient.ca-file */
case 16:/* ssl.verifyclient.ca-dn-file */
case 17:/* ssl.verifyclient.ca-crl-file */
break;
#endif
default:/* should not happen */
return;
}
@ -1220,7 +1226,7 @@ mod_openssl_cert_cb (SSL *ssl, void *arg)
if (hctx->conf.ssl_verifyclient) {
if (NULL == hctx->conf.ssl_ca_file) {
log_error(hctx->r->conf.errh, __FILE__, __LINE__,
"SSL: can't verify client without ssl.ca-file "
"SSL: can't verify client without ssl.verifyclient.ca-file "
"for TLS server name %s", hctx->r->uri.authority.ptr);
return 0;
}
@ -2068,7 +2074,7 @@ network_init_ssl (server *srv, plugin_config_socket *s, plugin_data *p)
if (NULL == s->ssl_ca_file) {
log_error(srv->errh, __FILE__, __LINE__,
"SSL: You specified ssl.verifyclient.activate "
"but no ssl.ca-file");
"but no ssl.verifyclient.ca-file");
return -1;
}
#ifndef OPENSSL_ALL
@ -2390,6 +2396,11 @@ mod_openssl_set_defaults_sockets(server *srv, plugin_data *p)
case 9: /* ssl.verifyclient.depth */
conf.ssl_verifyclient_depth = (unsigned char)cpv->v.shrt;
break;
#if 0 /*(cpk->k_id remapped in mod_openssl_set_defaults())*/
case 15:/* ssl.verifyclient.ca-file */
case 16:/* ssl.verifyclient.ca-dn-file */
case 17:/* ssl.verifyclient.ca-crl-file */
#endif
default:
break;
}
@ -2496,6 +2507,15 @@ SETDEFAULTS_FUNC(mod_openssl_set_defaults)
,{ CONST_STR_LEN("debug.log-ssl-noise"),
T_CONFIG_BOOL,
T_CONFIG_SCOPE_CONNECTION }
,{ CONST_STR_LEN("ssl.verifyclient.ca-file"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
,{ CONST_STR_LEN("ssl.verifyclient.ca-dn-file"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
,{ CONST_STR_LEN("ssl.verifyclient.ca-crl-file"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
,{ NULL, 0,
T_CONFIG_UNSET,
T_CONFIG_SCOPE_UNSET }
@ -2528,6 +2548,9 @@ SETDEFAULTS_FUNC(mod_openssl_set_defaults)
case 1: /* ssl.privkey */
if (!buffer_string_is_empty(cpv->v.b)) privkey = cpv;
break;
case 15:/* ssl.verifyclient.ca-file */
cpv->k_id = 2;
__attribute_fallthrough__
case 2: /* ssl.ca-file */
if (buffer_string_is_empty(cpv->v.b)) break;
if (!mod_openssl_init_once_openssl(srv)) return HANDLER_ERROR;
@ -2544,6 +2567,9 @@ SETDEFAULTS_FUNC(mod_openssl_set_defaults)
return HANDLER_ERROR;
}
break;
case 16:/* ssl.verifyclient.ca-dn-file */
cpv->k_id = 3;
__attribute_fallthrough__
case 3: /* ssl.ca-dn-file */
if (buffer_string_is_empty(cpv->v.b)) break;
if (!mod_openssl_init_once_openssl(srv)) return HANDLER_ERROR;
@ -2551,8 +2577,8 @@ SETDEFAULTS_FUNC(mod_openssl_set_defaults)
#ifndef OPENSSL_ALL
{
log_error(srv->errh, __FILE__, __LINE__,
"SSL: You specified ssl.ca-dn-file "
"but wolfssl library built without necessary support");
"SSL: You specified %s but wolfssl library built without "
"necessary support", cpk[cpv->k_id].k);
return HANDLER_ERROR;
}
#endif
@ -2568,6 +2594,9 @@ SETDEFAULTS_FUNC(mod_openssl_set_defaults)
return HANDLER_ERROR;
}
break;
case 17:/* ssl.verifyclient.ca-crl-file */
cpv->k_id = 4;
__attribute_fallthrough__
case 4: /* ssl.ca-crl-file */
if (buffer_string_is_empty(cpv->v.b)) break;
ssl_ca_crl_file = cpv->v.b;
@ -2594,6 +2623,11 @@ SETDEFAULTS_FUNC(mod_openssl_set_defaults)
ssl_stapling_file = cpv->v.b;
break;
case 14:/* debug.log-ssl-noise */
#if 0 /*(handled further above)*/
case 15:/* ssl.verifyclient.ca-file */
case 16:/* ssl.verifyclient.ca-dn-file */
case 17:/* ssl.verifyclient.ca-crl-file */
#endif
break;
default:/* should not happen */
break;

Write Preview
Loading…
Cancel
Save