
[TLS] rename ssl.verifyclient.ca-*file options

renamed to reflect their use in verifying client certificates
(old names are still accepted, but are discouraged)

ssl.ca-file     -> ssl.verifyclient.ca-file
ssl.ca-dn-file  -> ssl.verifyclient.ca-dn-file
ssl.ca-crl-file -> ssl.verifyclient.ca-crl-file
master
Glenn Strauss 8 months ago
parent
commit
454ecaa5f9
  1. 31
      src/mod_gnutls.c
  2. 36
      src/mod_mbedtls.c
  3. 33
      src/mod_nss.c
  4. 44
      src/mod_openssl.c
  5. 42
      src/mod_wolfssl.c

31
src/mod_gnutls.c

@ -694,6 +694,12 @@ mod_gnutls_merge_config_cpv (plugin_config * const pconf, const config_plugin_va
case 14:/* debug.log-ssl-noise */
pconf->ssl_log_noise = (unsigned char)cpv->v.shrt;
break;
#if 0 /*(cpk->k_id remapped in mod_gnutls_set_defaults())*/
case 15:/* ssl.verifyclient.ca-file */
case 16:/* ssl.verifyclient.ca-dn-file */
case 17:/* ssl.verifyclient.ca-crl-file */
break;
#endif
default:/* should not happen */
return;
}
@ -749,7 +755,7 @@ mod_gnutls_verify_set_tlist (handler_ctx *hctx, int req)
: hctx->conf.ssl_ca_file;
if (NULL == d) {
log_error(hctx->r->conf.errh, __FILE__, __LINE__,
"GnuTLS: can't verify client without ssl.ca-file "
"GnuTLS: can't verify client without ssl.verifyclient.ca-file "
"for TLS server name %s",
hctx->r->uri.authority.ptr); /*(might not be set yet if no SNI)*/
return GNUTLS_E_INTERNAL_ERROR;
@ -2131,6 +2137,15 @@ SETDEFAULTS_FUNC(mod_gnutls_set_defaults)
,{ CONST_STR_LEN("debug.log-ssl-noise"),
T_CONFIG_SHORT,
T_CONFIG_SCOPE_CONNECTION }
,{ CONST_STR_LEN("ssl.verifyclient.ca-file"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
,{ CONST_STR_LEN("ssl.verifyclient.ca-dn-file"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
,{ CONST_STR_LEN("ssl.verifyclient.ca-crl-file"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
,{ NULL, 0,
T_CONFIG_UNSET,
T_CONFIG_SCOPE_UNSET }
@ -2156,6 +2171,12 @@ SETDEFAULTS_FUNC(mod_gnutls_set_defaults)
case 1: /* ssl.privkey */
if (!buffer_string_is_empty(cpv->v.b)) privkey = cpv;
break;
case 15:/* ssl.verifyclient.ca-file */
if (cpv->k_id == 15) cpv->k_id = 2;
__attribute_fallthrough__
case 16:/* ssl.verifyclient.ca-dn-file */
if (cpv->k_id == 16) cpv->k_id = 3;
__attribute_fallthrough__
case 2: /* ssl.ca-file */
case 3: /* ssl.ca-dn-file */
if (!buffer_string_is_empty(cpv->v.b)) {
@ -2172,6 +2193,9 @@ SETDEFAULTS_FUNC(mod_gnutls_set_defaults)
}
}
break;
case 17:/* ssl.verifyclient.ca-crl-file */
cpv->k_id = 4;
__attribute_fallthrough__
case 4: /* ssl.ca-crl-file */
if (!buffer_string_is_empty(cpv->v.b)) {
gnutls_datum_t *d =
@ -2208,6 +2232,11 @@ SETDEFAULTS_FUNC(mod_gnutls_set_defaults)
ssl_stapling_file = cpv->v.b;
break;
case 14:/* debug.log-ssl-noise */
#if 0 /*(handled further above)*/
case 15:/* ssl.verifyclient.ca-file */
case 16:/* ssl.verifyclient.ca-dn-file */
case 17:/* ssl.verifyclient.ca-crl-file */
#endif
break;
default:/* should not happen */
break;
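Review bot: The commit message says the legacy `ssl.ca-file`/`ssl.ca-dn-file`/`ssl.ca-crl-file` names are discouraged, but nothing in the mod_gnutls_set_defaults hunks logs when one of them is used, so operators get no signal to migrate. Once `case 15`/`16`/`17` rewrite `cpv->k_id` to 2/3/4 the two spellings are indistinguishable, so any notice has to be emitted before the remap, e.g. at the top of the loop body (the `switch` begins outside the hunk): `if (cpv->k_id >= 2 && cpv->k_id <= 4) log_error(srv->errh, __FILE__, __LINE__, "SSL: %s is deprecated; use ssl.verifyclient.%s", cpk[cpv->k_id].k, cpk[cpv->k_id].k + sizeof("ssl.")-1);`. This assumes the option table is named `cpk` here as it is in mod_wolfssl and that `srv` is in scope; adjust if not.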

36
src/mod_mbedtls.c

@ -477,7 +477,7 @@ mod_mbedtls_free_config (server *srv, plugin_data * const p)
free(cacert);
}
break;
case 4: /* ssl.ca-dn-file */
case 4: /* ssl.ca-crl-file */
if (cpv->vtype == T_CONFIG_LOCAL) {
mbedtls_x509_crl *crl = cpv->v.v;
mbedtls_x509_crl_free(crl);
@ -550,6 +550,12 @@ mod_mbedtls_merge_config_cpv (plugin_config * const pconf, const config_plugin_v
case 13:/* debug.log-ssl-noise */
pconf->ssl_log_noise = (unsigned char)cpv->v.shrt;
break;
#if 0 /*(cpk->k_id remapped in mod_mbedtls_set_defaults())*/
case 14:/* ssl.verifyclient.ca-file */
case 15:/* ssl.verifyclient.ca-dn-file */
case 16:/* ssl.verifyclient.ca-crl-file */
break;
#endif
default:/* should not happen */
return;
}
@ -766,7 +772,7 @@ mod_mbedtls_conf_verify (handler_ctx *hctx, mbedtls_ssl_config *ssl_ctx)
{
if (NULL == hctx->conf.ssl_ca_file) {
log_error(hctx->r->conf.errh, __FILE__, __LINE__,
"MTLS: can't verify client without ssl.ca-file "
"MTLS: can't verify client without ssl.verifyclient.ca-file "
"for TLS server name %s",
hctx->r->uri.authority.ptr);
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
@ -1607,6 +1613,9 @@ mod_mbedtls_set_defaults_sockets(server *srv, plugin_data *p)
case 12:/* ssl.acme-tls-1 */
conf.ssl_acme_tls_1 = cpv->v.b;
break;
#if 0 /*(cpk->k_id remapped in mod_mbedtls_set_defaults())*/
case 14:/* ssl.verifyclient.ca-file */
#endif
default:
break;
}
@ -1721,6 +1730,15 @@ SETDEFAULTS_FUNC(mod_mbedtls_set_defaults)
,{ CONST_STR_LEN("debug.log-ssl-noise"),
T_CONFIG_SHORT,
T_CONFIG_SCOPE_CONNECTION }
,{ CONST_STR_LEN("ssl.verifyclient.ca-file"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
,{ CONST_STR_LEN("ssl.verifyclient.ca-dn-file"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
,{ CONST_STR_LEN("ssl.verifyclient.ca-crl-file"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
,{ NULL, 0,
T_CONFIG_UNSET,
T_CONFIG_SCOPE_UNSET }
@ -1745,6 +1763,12 @@ SETDEFAULTS_FUNC(mod_mbedtls_set_defaults)
case 1: /* ssl.privkey */
if (!buffer_string_is_empty(cpv->v.b)) privkey = cpv;
break;
case 14:/* ssl.verifyclient.ca-file */
if (cpv->k_id == 14) cpv->k_id = 2;
__attribute_fallthrough__
case 15:/* ssl.verifyclient.ca-dn-file */
if (cpv->k_id == 15) cpv->k_id = 3;
__attribute_fallthrough__
case 2: /* ssl.ca-file */
case 3: /* ssl.ca-dn-file */
#if 0 /* defer; not necessary for pemfile parsing */
@ -1769,6 +1793,9 @@ SETDEFAULTS_FUNC(mod_mbedtls_set_defaults)
}
}
break;
case 16:/* ssl.verifyclient.ca-crl-file */
cpv->k_id = 4;
__attribute_fallthrough__
case 4: /* ssl.ca-crl-file */
if (!buffer_string_is_empty(cpv->v.b)) {
mbedtls_x509_crl *crl = malloc(sizeof(*crl));
@ -1805,6 +1832,11 @@ SETDEFAULTS_FUNC(mod_mbedtls_set_defaults)
case 11:/* ssl.verifyclient.exportcert */
case 12:/* ssl.acme-tls-1 */
case 13:/* debug.log-ssl-noise */
#if 0 /*(handled further above)*/
case 14:/* ssl.verifyclient.ca-file */
case 15:/* ssl.verifyclient.ca-dn-file */
case 16:/* ssl.verifyclient.ca-crl-file */
#endif
break;
default:/* should not happen */
break;
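Review bot: After `case 14`/`15`/`16` rewrite `cpv->k_id` to 2/3/4, a config block that sets both `ssl.ca-file` and `ssl.verifyclient.ca-file` produces two values with the same k_id, and which trust-anchor set mod_mbedtls_merge_config_cpv ends up applying for client-certificate verification presumably depends only on the order the two entries appear in the list; nothing in the hunk detects the collision. Since the two names are meant to be aliases, both appearing in one scope is almost certainly a misconfiguration, and it is safer to reject it than to let one CA bundle silently shadow the other. A small per-block `seen[]` flag array checked right after the remap, with `log_error(srv->errh, __FILE__, __LINE__, "SSL: %s set twice (legacy alias and new name) in same scope", cpk[cpv->k_id].k); return HANDLER_ERROR;` on a repeat, would catch it. The loop and `switch` enclosing these cases begin outside the hunk.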

33
src/mod_nss.c

@ -919,6 +919,12 @@ mod_nss_merge_config_cpv (plugin_config * const pconf, const config_plugin_value
case 14:/* debug.log-ssl-noise */
pconf->ssl_log_noise = (unsigned char)cpv->v.shrt;
break;
#if 0 /*(cpk->k_id remapped in mod_nss_set_defaults())*/
case 15:/* ssl.verifyclient.ca-file */
case 16:/* ssl.verifyclient.ca-dn-file */
case 17:/* ssl.verifyclient.ca-crl-file */
break;
#endif
default:/* should not happen */
return;
}
@ -1423,7 +1429,7 @@ mod_nss_SNI (PRFileDesc *ssl, const SECItem *srvNameArr, PRUint32 srvNameArrSize
: hctx->conf.ssl_ca_file;
if (NULL == certList)
log_error(hctx->r->conf.errh, __FILE__, __LINE__,
"NSS: can't verify client without ssl.ca-file "
"NSS: can't verify client without ssl.verifyclient.ca-file "
"for TLS server name %s",
hctx->r->uri.authority.ptr); /*(might not be set yet if no SNI)*/
if (certList && SSL_SetTrustAnchors(ssl, certList) < 0) {
@ -1942,6 +1948,15 @@ SETDEFAULTS_FUNC(mod_nss_set_defaults)
,{ CONST_STR_LEN("debug.log-ssl-noise"),
T_CONFIG_SHORT,
T_CONFIG_SCOPE_CONNECTION }
,{ CONST_STR_LEN("ssl.verifyclient.ca-file"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
,{ CONST_STR_LEN("ssl.verifyclient.ca-dn-file"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
,{ CONST_STR_LEN("ssl.verifyclient.ca-crl-file"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
,{ NULL, 0,
T_CONFIG_UNSET,
T_CONFIG_SCOPE_UNSET }
@ -1967,6 +1982,9 @@ SETDEFAULTS_FUNC(mod_nss_set_defaults)
case 1: /* ssl.privkey */
if (!buffer_string_is_empty(cpv->v.b)) privkey = cpv;
break;
case 15:/* ssl.verifyclient.ca-file */
cpv->k_id = 2;
__attribute_fallthrough__
case 2: /* ssl.ca-file */
if (!buffer_string_is_empty(cpv->v.b)) {
CERTCertList *d =
@ -1982,6 +2000,9 @@ SETDEFAULTS_FUNC(mod_nss_set_defaults)
}
}
break;
case 16:/* ssl.verifyclient.ca-dn-file */
cpv->k_id = 3;
__attribute_fallthrough__
case 3: /* ssl.ca-dn-file */
if (!buffer_string_is_empty(cpv->v.b)) {
CERTCertList *d =
@ -1997,6 +2018,9 @@ SETDEFAULTS_FUNC(mod_nss_set_defaults)
}
}
break;
case 17:/* ssl.verifyclient.ca-crl-file */
cpv->k_id = 4;
__attribute_fallthrough__
case 4: /* ssl.ca-crl-file */
if (!buffer_string_is_empty(cpv->v.b)) {
CERTCertificateList *d =
@ -2033,6 +2057,11 @@ SETDEFAULTS_FUNC(mod_nss_set_defaults)
ssl_stapling_file = cpv->v.b;
break;
case 14:/* debug.log-ssl-noise */
#if 0 /*(handled further above)*/
case 15:/* ssl.verifyclient.ca-file */
case 16:/* ssl.verifyclient.ca-dn-file */
case 17:/* ssl.verifyclient.ca-crl-file */
#endif
break;
default:/* should not happen */
break;
@ -2319,7 +2348,7 @@ CONNECTION_FUNC(mod_nss_handle_con_accept)
: hctx->conf.ssl_ca_file;
if (NULL == certList) {
log_error(hctx->r->conf.errh, __FILE__, __LINE__,
"NSS: can't verify client without ssl.ca-file "
"NSS: can't verify client without ssl.verifyclient.ca-file "
"for TLS server name %s",
hctx->r->uri.authority.ptr); /*(might not be set yet if no SNI)*/
return hctx->conf.ssl_verifyclient_enforce
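Review bot: In mod_nss_SNI the `NULL == certList` case only logs and then continues to the `certList && SSL_SetTrustAnchors(...)` check, whereas mod_nss_handle_con_accept returns according to `ssl_verifyclient_enforce` in the same situation. If the lines past the hunk do not reject the handshake, a vhost selected via SNI that has no `ssl.verifyclient.ca-file` keeps whatever trust anchors were installed at accept time, which is not what the message tells the operator. Consider making the SNI path mirror the accept path, e.g. `if (NULL == certList) { log_error(...); if (hctx->conf.ssl_verifyclient_enforce) return SSL_SNI_SEND_ALERT; }` (return value to be checked against the NSS SNI-callback contract). The enclosing function continues outside the hunk, so this is inferred from the visible lines only.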

44
src/mod_openssl.c

@ -755,7 +755,7 @@ mod_openssl_load_cacerts (const buffer *ssl_ca_file, log_error_st *errh)
if (NULL == chain_store) {
log_error(errh, __FILE__, __LINE__,
"SSL: ssl.ca-file is empty %s", file);
"SSL: ssl.verifyclient.ca-file is empty %s", file);
return NULL;
}
@ -884,6 +884,12 @@ mod_openssl_merge_config_cpv (plugin_config * const pconf, const config_plugin_v
case 14:/* debug.log-ssl-noise */
pconf->ssl_log_noise = (0 != cpv->v.u);
break;
#if 0 /*(cpk->k_id remapped in mod_openssl_set_defaults())*/
case 15:/* ssl.verifyclient.ca-file */
case 16:/* ssl.verifyclient.ca-dn-file */
case 17:/* ssl.verifyclient.ca-crl-file */
break;
#endif
default:/* should not happen */
return;
}
@ -1136,7 +1142,7 @@ mod_openssl_cert_cb (SSL *ssl, void *arg)
if (hctx->conf.ssl_verifyclient) {
if (NULL == hctx->conf.ssl_ca_file) {
log_error(hctx->r->conf.errh, __FILE__, __LINE__,
"SSL: can't verify client without ssl.ca-file "
"SSL: can't verify client without ssl.verifyclient.ca-file "
"for TLS server name %s", hctx->r->uri.authority.ptr);
return 0;
}
@ -2302,7 +2308,7 @@ network_init_ssl (server *srv, plugin_config_socket *s, plugin_data *p)
if (NULL == s->ssl_ca_file) {
log_error(srv->errh, __FILE__, __LINE__,
"SSL: You specified ssl.verifyclient.activate "
"but no ssl.ca-file");
"but no ssl.verifyclient.ca-file");
return -1;
}
/* WTH openssl? SSL_CTX_set_client_CA_list() calls set0_CA_list(),
@ -2602,6 +2608,11 @@ mod_openssl_set_defaults_sockets(server *srv, plugin_data *p)
case 9: /* ssl.verifyclient.depth */
conf.ssl_verifyclient_depth = (unsigned char)cpv->v.shrt;
break;
#if 0 /*(cpk->k_id remapped in mod_openssl_set_defaults())*/
case 15:/* ssl.verifyclient.ca-file */
case 16:/* ssl.verifyclient.ca-dn-file */
case 17:/* ssl.verifyclient.ca-crl-file */
#endif
default:
break;
}
@ -2708,6 +2719,15 @@ SETDEFAULTS_FUNC(mod_openssl_set_defaults)
,{ CONST_STR_LEN("debug.log-ssl-noise"),
T_CONFIG_BOOL,
T_CONFIG_SCOPE_CONNECTION }
,{ CONST_STR_LEN("ssl.verifyclient.ca-file"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
,{ CONST_STR_LEN("ssl.verifyclient.ca-dn-file"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
,{ CONST_STR_LEN("ssl.verifyclient.ca-crl-file"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
,{ NULL, 0,
T_CONFIG_UNSET,
T_CONFIG_SCOPE_UNSET }
@ -2740,6 +2760,9 @@ SETDEFAULTS_FUNC(mod_openssl_set_defaults)
case 1: /* ssl.privkey */
if (!buffer_string_is_empty(cpv->v.b)) privkey = cpv;
break;
case 15:/* ssl.verifyclient.ca-file */
cpv->k_id = 2;
__attribute_fallthrough__
case 2: /* ssl.ca-file */
if (buffer_string_is_empty(cpv->v.b)) break;
if (!mod_openssl_init_once_openssl(srv)) return HANDLER_ERROR;
@ -2756,6 +2779,9 @@ SETDEFAULTS_FUNC(mod_openssl_set_defaults)
return HANDLER_ERROR;
}
break;
case 16:/* ssl.verifyclient.ca-dn-file */
cpv->k_id = 3;
__attribute_fallthrough__
case 3: /* ssl.ca-dn-file */
if (buffer_string_is_empty(cpv->v.b)) break;
if (!mod_openssl_init_once_openssl(srv)) return HANDLER_ERROR;
@ -2771,6 +2797,9 @@ SETDEFAULTS_FUNC(mod_openssl_set_defaults)
return HANDLER_ERROR;
}
break;
case 17:/* ssl.verifyclient.ca-crl-file */
cpv->k_id = 4;
__attribute_fallthrough__
case 4: /* ssl.ca-crl-file */
if (buffer_string_is_empty(cpv->v.b)) break;
ssl_ca_crl_file = cpv->v.b;
@ -2797,6 +2826,11 @@ SETDEFAULTS_FUNC(mod_openssl_set_defaults)
ssl_stapling_file = cpv->v.b;
break;
case 14:/* debug.log-ssl-noise */
#if 0 /*(handled further above)*/
case 15:/* ssl.verifyclient.ca-file */
case 16:/* ssl.verifyclient.ca-dn-file */
case 17:/* ssl.verifyclient.ca-crl-file */
#endif
break;
default:/* should not happen */
break;
@ -2817,8 +2851,8 @@ SETDEFAULTS_FUNC(mod_openssl_set_defaults)
#else
if (NULL == ca_store && ssl_ca_crl_file && i != 0) {
log_error(srv->errh, __FILE__, __LINE__,
"ssl.ca-crl-file (%s) ignored unless issued with ssl.ca-file",
ssl_ca_crl_file->ptr);
"ssl.verifyclient.ca-crl-file (%s) ignored unless issued with "
"ssl.verifyclient.ca-file", ssl_ca_crl_file->ptr);
}
else if (ca_store && (ssl_ca_crl_file || default_ssl_ca_crl_file)) {
/* prior behavior in lighttpd allowed ssl.ca-crl-file only in global
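Review bot: The `NULL == ca_store && ssl_ca_crl_file && i != 0` branch still only logs and continues, so a `ssl.verifyclient.ca-crl-file` configured in a scope that has no CA file of its own is dropped and client certificates in that scope are verified without revocation checks — for mutual TLS that is a fail-open default that the relabelled message merely describes. Rejecting the configuration is the safer behaviour: add `return HANDLER_ERROR;` after the `log_error(...)` call, or at minimum document in the message that revocation will not be checked. This is pre-existing behaviour the rename only relabels, and the enclosing function ends outside the hunk, so a later check may exist that is not visible here.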

42
src/mod_wolfssl.c

@ -1026,6 +1026,12 @@ mod_openssl_merge_config_cpv (plugin_config * const pconf, const config_plugin_v
case 14:/* debug.log-ssl-noise */
pconf->ssl_log_noise = (0 != cpv->v.u);
break;
#if 0 /*(cpk->k_id remapped in mod_openssl_set_defaults())*/
case 15:/* ssl.verifyclient.ca-file */
case 16:/* ssl.verifyclient.ca-dn-file */
case 17:/* ssl.verifyclient.ca-crl-file */
break;
#endif
default:/* should not happen */
return;
}
@ -1220,7 +1226,7 @@ mod_openssl_cert_cb (SSL *ssl, void *arg)
if (hctx->conf.ssl_verifyclient) {
if (NULL == hctx->conf.ssl_ca_file) {
log_error(hctx->r->conf.errh, __FILE__, __LINE__,
"SSL: can't verify client without ssl.ca-file "
"SSL: can't verify client without ssl.verifyclient.ca-file "
"for TLS server name %s", hctx->r->uri.authority.ptr);
return 0;
}
@ -2068,7 +2074,7 @@ network_init_ssl (server *srv, plugin_config_socket *s, plugin_data *p)
if (NULL == s->ssl_ca_file) {
log_error(srv->errh, __FILE__, __LINE__,
"SSL: You specified ssl.verifyclient.activate "
"but no ssl.ca-file");
"but no ssl.verifyclient.ca-file");
return -1;
}
#ifndef OPENSSL_ALL
@ -2390,6 +2396,11 @@ mod_openssl_set_defaults_sockets(server *srv, plugin_data *p)
case 9: /* ssl.verifyclient.depth */
conf.ssl_verifyclient_depth = (unsigned char)cpv->v.shrt;
break;
#if 0 /*(cpk->k_id remapped in mod_openssl_set_defaults())*/
case 15:/* ssl.verifyclient.ca-file */
case 16:/* ssl.verifyclient.ca-dn-file */
case 17:/* ssl.verifyclient.ca-crl-file */
#endif
default:
break;
}
@ -2496,6 +2507,15 @@ SETDEFAULTS_FUNC(mod_openssl_set_defaults)
,{ CONST_STR_LEN("debug.log-ssl-noise"),
T_CONFIG_BOOL,
T_CONFIG_SCOPE_CONNECTION }
,{ CONST_STR_LEN("ssl.verifyclient.ca-file"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
,{ CONST_STR_LEN("ssl.verifyclient.ca-dn-file"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
,{ CONST_STR_LEN("ssl.verifyclient.ca-crl-file"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
,{ NULL, 0,
T_CONFIG_UNSET,
T_CONFIG_SCOPE_UNSET }
@ -2528,6 +2548,9 @@ SETDEFAULTS_FUNC(mod_openssl_set_defaults)
case 1: /* ssl.privkey */
if (!buffer_string_is_empty(cpv->v.b)) privkey = cpv;
break;
case 15:/* ssl.verifyclient.ca-file */
cpv->k_id = 2;
__attribute_fallthrough__
case 2: /* ssl.ca-file */
if (buffer_string_is_empty(cpv->v.b)) break;
if (!mod_openssl_init_once_openssl(srv)) return HANDLER_ERROR;
@ -2544,6 +2567,9 @@ SETDEFAULTS_FUNC(mod_openssl_set_defaults)
return HANDLER_ERROR;
}
break;
case 16:/* ssl.verifyclient.ca-dn-file */
cpv->k_id = 3;
__attribute_fallthrough__
case 3: /* ssl.ca-dn-file */
if (buffer_string_is_empty(cpv->v.b)) break;
if (!mod_openssl_init_once_openssl(srv)) return HANDLER_ERROR;
@ -2551,8 +2577,8 @@ SETDEFAULTS_FUNC(mod_openssl_set_defaults)
#ifndef OPENSSL_ALL
{
log_error(srv->errh, __FILE__, __LINE__,
"SSL: You specified ssl.ca-dn-file "
"but wolfssl library built without necessary support");
"SSL: You specified %s but wolfssl library built without "
"necessary support", cpk[cpv->k_id].k);
return HANDLER_ERROR;
}
#endif
@ -2568,6 +2594,9 @@ SETDEFAULTS_FUNC(mod_openssl_set_defaults)
return HANDLER_ERROR;
}
break;
case 17:/* ssl.verifyclient.ca-crl-file */
cpv->k_id = 4;
__attribute_fallthrough__
case 4: /* ssl.ca-crl-file */
if (buffer_string_is_empty(cpv->v.b)) break;
ssl_ca_crl_file = cpv->v.b;
@ -2594,6 +2623,11 @@ SETDEFAULTS_FUNC(mod_openssl_set_defaults)
ssl_stapling_file = cpv->v.b;
break;
case 14:/* debug.log-ssl-noise */
#if 0 /*(handled further above)*/
case 15:/* ssl.verifyclient.ca-file */
case 16:/* ssl.verifyclient.ca-dn-file */
case 17:/* ssl.verifyclient.ca-crl-file */
#endif
break;
default:/* should not happen */
break;
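Review bot: The new `%s` in the `#ifndef OPENSSL_ALL` error at `case 3` can never print the new spelling: `case 16` assigns `cpv->k_id = 3` before falling through, so `cpk[cpv->k_id].k` is already the legacy entry by the time the message is built, and an operator who wrote `ssl.verifyclient.ca-dn-file` is told about `ssl.ca-dn-file` (assuming `cpk[3]` is the legacy name, as the case labels suggest). Capture the name before the remap, e.g. `const char *kname = cpk[cpv->k_id].k;` at the top of the loop body (the `switch` begins outside the hunk) and pass `kname` to `log_error` instead. The same caveat applies to any other diagnostic in this file that consults the remapped id.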
