This series tries to make the configuration options symmetric and
predictable between incoming and outgoing connections, as mentioned in
Message-Id: 52F4719C.1020501(a)fifthhorseman.net.
It may change the semantics for existing configurations, though!
# HG changeset patch
# User dkg(a)fifthhorseman.net
# Date 1391752178 18000
# Fri Feb 07 00:49:38 2014 -0500
# Node ID 947493f0845096d5e79041e07624a2c8de9fe091
# Parent 7bc6e471a8e211d0b400b67263970c7ef8ea22f7
document correct use of ssl_no_client_cert_verify
diff -r 7bc6e471a8e2 -r 947493f08450 perdition/perdition.8
--- a/perdition/perdition.8 Fri Feb 07 00:44:04 2014 -0500
+++ b/perdition/perdition.8 Fri Feb 07 00:49:38 2014 -0500
@@ -615,7 +615,7 @@
.TP
.B \-\-ssl_no_client_cert_verify:
Don't cryptographically verify the end-user's certificate.
-Used for SSL or TLS outgoing connections.
+Used for SSL or TLS incoming connections.
.TP
.B \-\-ssl_no_cn_verify:
Don't verify the real-server's common name with the name used.
# HG changeset patch
# User dkg(a)fifthhorseman.net
# Date 1391752642 18000
# Fri Feb 07 00:57:22 2014 -0500
# Node ID 3452ac3cefa062be1f3f9191e4ea13c9c6b38ef3
# Parent 947493f0845096d5e79041e07624a2c8de9fe091
avoid loading CAs for non-verifying incoming connections
Since incoming (PERDITION_SSL_SERVER) connections don't verify
certificates when ssl_no_client_cert_verify is set, we can skip the CA
loading.
diff -r 947493f08450 -r 3452ac3cefa0 perdition/ssl.c
--- a/perdition/ssl.c Fri Feb 07 00:49:38 2014 -0500
+++ b/perdition/ssl.c Fri Feb 07 00:57:22 2014 -0500
@@ -582,7 +582,8 @@
goto err;
}
- if (flag & PERDITION_SSL_CLIENT && opt.ssl_no_cert_verify)
+ if ((flag & PERDITION_SSL_CLIENT && opt.ssl_no_cert_verify) ||
+ (flag & PERDITION_SSL_SERVER && opt.ssl_no_client_cert_verify))
goto out;
/*
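Review bot: jumping to `out` here leaves the verify mode of the context unset, since the later `SSL_CTX_set_verify()` call is skipped along with the CA loading; the non-verifying behaviour then rests on OpenSSL's default mode rather than on a value the code chose. Setting the mode explicitly before the `goto` (SSL_VERIFY_NONE is what is intended for both branches) would make the decision visible in the code and robust against any later reordering of this function. A smaller point on the same lines: `flag & PERDITION_SSL_CLIENT && opt.ssl_no_cert_verify` is correct because `&` binds tighter than `&&`, but several compilers warn on the unparenthesised form, so `(flag & PERDITION_SSL_CLIENT) && opt.ssl_no_cert_verify` and likewise for the SERVER test would read more clearly.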
# HG changeset patch
# User dkg(a)fifthhorseman.net
# Date 1391753406 18000
# Fri Feb 07 01:10:06 2014 -0500
# Node ID 179fcc9a4fb8a4c6b207304db6e2c153388ce2b9
# Parent 3452ac3cefa062be1f3f9191e4ea13c9c6b38ef3
avoid loading CAs for any SSL_CTX that has no plans to verify them
Prior to this change, a set of trusted CAs (a "root store") was loaded
for incoming connections that had no plans to verify the client certs,
though the same root store was not loaded for outbound connections
that had no intent to verify certs.
With this change, the checks are treated symmetrically.
Note also that this change actually changes the meaning of
ssl_no_cert_verify for incoming (PERDITION_SSL_SERVER) connections:
Before this change, ssl_no_cert_verify would affect incoming
connections, despite being documented as a setting for outbound
connections.
With this change, ssl_no_cert_verify should not have any effect on
incoming connections.
diff -r 3452ac3cefa0 -r 179fcc9a4fb8 perdition/ssl.c
--- a/perdition/ssl.c Fri Feb 07 00:57:22 2014 -0500
+++ b/perdition/ssl.c Fri Feb 07 01:10:06 2014 -0500
@@ -583,8 +583,10 @@
}
if ((flag & PERDITION_SSL_CLIENT && opt.ssl_no_cert_verify) ||
- (flag & PERDITION_SSL_SERVER && opt.ssl_no_client_cert_verify))
+ (flag & PERDITION_SSL_SERVER && opt.ssl_no_client_cert_verify)) {
+ SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_NONE, NULL);
goto out;
+ }
/*
* Load the Certificate Authorities
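Review bot: `SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_NONE, NULL)` installs no callback, while the verifying path further down installs `__perdition_verify_callback`; anything that callback logs or records about the peer will therefore never run for a non-verifying context, which is worth confirming is intended, since an operator who disables verification may still want the presented certificate noted in the logs. Note also that for a PERDITION_SSL_SERVER context SSL_VERIFY_NONE means OpenSSL sends no certificate request at all, so the client certificate is not merely unverified but never requested; the man page wording "Don't cryptographically verify" understates that slightly and could say the certificate is not requested.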
@@ -607,11 +609,7 @@
}
SSL_CTX_set_verify_depth(ssl_ctx, opt.ssl_cert_verify_depth + 1);
- if (flag & PERDITION_SSL_SERVER &&
- (opt.ssl_no_cert_verify || opt.ssl_no_client_cert_verify))
- mode = SSL_VERIFY_NONE;
- else
- mode = SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE;
+ mode = SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE;
SSL_CTX_set_verify(ssl_ctx, mode, __perdition_verify_callback);
/* NB: We do not need to call SSL_CTX_check_private_key()
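Review bot: this hunk needs a changelog entry and a note in the ssl_no_cert_verify man page entry, because it changes behaviour in the strict direction for existing deployments. After the removed branch is gone, every incoming context that reaches this point gets SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, so a site that set only ssl_no_cert_verify on the (previously correct) assumption that it silenced client-certificate checks will, after upgrading, start rejecting clients whose certificates fail to validate; clients that present no certificate are still admitted, since SSL_VERIFY_FAIL_IF_NO_PEER_CERT is not set. Pointing such operators at ssl_no_client_cert_verify in the documentation avoids a surprise outage. Minor style point: `mode` is now a constant, so the variable can be dropped and the flags passed directly to `SSL_CTX_set_verify()`, with spaces around `|`.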