Browse Source

Add SSL Client Certificate verification (#1288)

git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2654 152afb58-edef-0310-8abb-c4023f1b3aa9
svn/tags/lighttpd-1.4.24
Stefan Bühler 12 years ago
parent
commit
b987643307
  1. 1
      NEWS
  2. 4
      src/base.h
  3. 29
      src/configfile.c
  4. 24
      src/network.c
  5. 1
      src/server.c

1
NEWS

@ -55,6 +55,7 @@ NEWS
* Fix close_timeout_ts trigger (should finally fix lingering close)
* mod_rewrite: add url.rewrite-[repeat-]if-not-file to rewrite if file doesn't exist or is not a regular file (fixes #985, thx lucas aerbeydt)
* Add TLS servername indication (SNI) support (fixes #386, thx Peter Colberg <peter@colberg.org>)
* Add SSL Client Certificate verification (#1288)
- 1.4.23 - 2009-06-19
* Added some extra warning options in cmake and fix the resulting warnings (unused/static functions)

4
src/base.h

@ -276,6 +276,10 @@ typedef struct {
buffer *ssl_ca_file;
buffer *ssl_cipher_list;
unsigned short ssl_use_sslv2;
unsigned short ssl_verifyclient;
unsigned short ssl_verifyclient_enforce;
unsigned short ssl_verifyclient_depth;
buffer *ssl_verifyclient_username;
unsigned short use_ipv6;
unsigned short defer_accept;

29
src/configfile.c

@ -95,6 +95,10 @@ static int config_insert(server *srv) {
{ "debug.log-timeouts", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 53 */
{ "server.defer-accept", NULL, T_CONFIG_SHORT, T_CONFIG_SCOPE_CONNECTION }, /* 54 */
{ "server.breakagelog", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 55 */
{ "ssl.verifyclient.activate", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 56 */
{ "ssl.verifyclient.enforce", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 57 */
{ "ssl.verifyclient.depth", NULL, T_CONFIG_SHORT, T_CONFIG_SCOPE_SERVER }, /* 58 */
{ "ssl.verifyclient.username", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 59 */
{ "server.host", "use server.bind instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
{ "server.docroot", "use server.document-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
{ "server.virtual-root", "load mod_simple_vhost and use simple-vhost.server-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
@ -179,6 +183,10 @@ static int config_insert(server *srv) {
s->global_kbytes_per_second = 0;
s->global_bytes_per_second_cnt = 0;
s->global_bytes_per_second_cnt_ptr = &s->global_bytes_per_second_cnt;
s->ssl_verifyclient = 0;
s->ssl_verifyclient_enforce = 1;
s->ssl_verifyclient_username = buffer_init();
s->ssl_verifyclient_depth = 9;
cv[2].destination = s->errorfile_prefix;
@ -225,6 +233,12 @@ static int config_insert(server *srv) {
cv[50].destination = &(s->etag_use_mtime);
cv[51].destination = &(s->etag_use_size);
/* ssl.verify */
cv[56].destination = &(s->ssl_verifyclient);
cv[57].destination = &(s->ssl_verifyclient_enforce);
cv[58].destination = &(s->ssl_verifyclient_depth);
cv[59].destination = s->ssl_verifyclient_username;
srv->config_storage[i] = s;
if (0 != (ret = config_insert_values_global(srv, ((data_config *)srv->config_context->data[i])->value, cv))) {
@ -304,7 +318,12 @@ int config_setup_connection(server *srv, connection *con) {
PATCH(etag_use_inode);
PATCH(etag_use_mtime);
PATCH(etag_use_size);
PATCH(ssl_verifyclient);
PATCH(ssl_verifyclient_enforce);
PATCH(ssl_verifyclient_depth);
PATCH(ssl_verifyclient_username);
return 0;
}
@ -394,6 +413,14 @@ int config_patch_connection(server *srv, connection *con, comp_key_t comp) {
PATCH(global_kbytes_per_second);
PATCH(global_bytes_per_second_cnt);
con->conf.global_bytes_per_second_cnt_ptr = &s->global_bytes_per_second_cnt;
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.activate"))) {
PATCH(ssl_verifyclient);
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.enforce"))) {
PATCH(ssl_verifyclient_enforce);
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.depth"))) {
PATCH(ssl_verifyclient_depth);
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.username"))) {
PATCH(ssl_verifyclient_username);
}
}
}

24
src/network.c

@ -543,6 +543,30 @@ int network_init(server *srv) {
ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
return -1;
}
if (s->ssl_verifyclient) {
STACK_OF(X509_NAME) *certs = SSL_load_client_CA_file(s->ssl_ca_file->ptr);
if (!certs) {
log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
}
if (SSL_CTX_set_session_id_context(s->ssl_ctx, (void*) &srv, sizeof(srv)) != 1) {
log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
ERR_error_string(ERR_get_error(), NULL));
return -1;
}
SSL_CTX_set_client_CA_list(s->ssl_ctx, certs);
SSL_CTX_set_verify(
s->ssl_ctx,
SSL_VERIFY_PEER | (s->ssl_verifyclient_enforce ? SSL_VERIFY_FAIL_IF_NO_PEER_CERT : 0),
NULL
);
SSL_CTX_set_verify_depth(s->ssl_ctx, s->ssl_verifyclient_depth);
}
} else if (s->ssl_verifyclient) {
log_error_write(
srv, __FILE__, __LINE__, "s",
"SSL: You specified ssl.verifyclient.activate but no ca_file"
);
}
if (SSL_CTX_use_certificate_file(s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {

1
src/server.c

@ -307,6 +307,7 @@ static void server_free(server *srv) {
buffer_free(s->error_handler);
buffer_free(s->errorfile_prefix);
array_free(s->mimetypes);
buffer_free(s->ssl_verifyclient_username);
#ifdef USE_OPENSSL
SSL_CTX_free(s->ssl_ctx);
#endif

Loading…
Cancel
Save