[mod_openssl] ssl.ca-crl-file for CRL (fixes #2319)
(original patch by binbrain, and updated by flynn) github: closes #82 x-ref: "Support CRLs for client certificate verification" https://redmine.lighttpd.net/issues/2319 https://github.com/lighttpd/lighttpd1.4/pull/82
parent
6f75cdddda
commit
e422ac128a
@ -478,6 +478,12 @@ server.upload-dirs = ( "/var/tmp" )
|
|||
##
|
||||
#ssl.ca-file = ""
|
||||
|
||||
##
|
||||
## and the CRL revocation list here.
|
||||
##
|
||||
##
|
||||
#ssl.ca-crl-file = ""
|
||||
|
||||
##
|
||||
#######################################################################
|
||||
|
||||
|
|
|
@ -57,6 +57,7 @@ typedef struct {
|
|||
unsigned short ssl_use_sslv3;
|
||||
buffer *ssl_pemfile;
|
||||
buffer *ssl_ca_file;
|
||||
buffer *ssl_ca_crl_file;
|
||||
buffer *ssl_cipher_list;
|
||||
buffer *ssl_dh_file;
|
||||
buffer *ssl_ec_curve;
|
||||
|
@ -120,6 +121,7 @@ FREE_FUNC(mod_openssl_free)
|
|||
copy = s->ssl_enabled && buffer_string_is_empty(s->ssl_pemfile);
|
||||
buffer_free(s->ssl_pemfile);
|
||||
buffer_free(s->ssl_ca_file);
|
||||
buffer_free(s->ssl_ca_crl_file);
|
||||
buffer_free(s->ssl_cipher_list);
|
||||
buffer_free(s->ssl_dh_file);
|
||||
buffer_free(s->ssl_ec_curve);
|
||||
|
@ -693,6 +695,15 @@ network_init_ssl (server *srv, void *p_d)
|
|||
}
|
||||
SSL_CTX_set_verify(s->ssl_ctx, mode, NULL);
|
||||
SSL_CTX_set_verify_depth(s->ssl_ctx, s->ssl_verifyclient_depth);
|
||||
if (!buffer_string_is_empty(s->ssl_ca_crl_file)) {
|
||||
X509_STORE *store = SSL_CTX_get_cert_store(s->ssl_ctx);
|
||||
if (1 != X509_STORE_load_locations(store, s->ssl_ca_crl_file->ptr, NULL)) {
|
||||
log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
|
||||
ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_crl_file);
|
||||
return -1;
|
||||
}
|
||||
X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
|
||||
}
|
||||
}
|
||||
|
||||
if (1 != SSL_CTX_use_certificate(s->ssl_ctx, s->ssl_pemfile_x509)) {
|
||||
|
@ -762,6 +773,7 @@ SETDEFAULTS_FUNC(mod_openssl_set_defaults)
|
|||
{ "ssl.verifyclient.exportcert", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 15 */
|
||||
{ "ssl.use-sslv2", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 16 */
|
||||
{ "ssl.use-sslv3", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 17 */
|
||||
{ "ssl.ca-crl-file", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 18 */
|
||||
{ NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET }
|
||||
};
|
||||
|
||||
|
@ -776,6 +788,7 @@ SETDEFAULTS_FUNC(mod_openssl_set_defaults)
|
|||
s->ssl_enabled = 0;
|
||||
s->ssl_pemfile = buffer_init();
|
||||
s->ssl_ca_file = buffer_init();
|
||||
s->ssl_ca_crl_file = buffer_init();
|
||||
s->ssl_cipher_list = buffer_init();
|
||||
s->ssl_dh_file = buffer_init();
|
||||
s->ssl_ec_curve = buffer_init();
|
||||
|
@ -790,6 +803,7 @@ SETDEFAULTS_FUNC(mod_openssl_set_defaults)
|
|||
s->ssl_verifyclient_export_cert = 0;
|
||||
s->ssl_disable_client_renegotiation = 1;
|
||||
s->ssl_read_ahead = (0 == i ? 1 : p->config_storage[0]->ssl_read_ahead);
|
||||
if (0 != i) buffer_copy_buffer(s->ssl_ca_crl_file, p->config_storage[0]->ssl_ca_crl_file);
|
||||
|
||||
cv[0].destination = &(s->ssl_log_noise);
|
||||
cv[1].destination = &(s->ssl_enabled);
|
||||
|
@ -809,6 +823,7 @@ SETDEFAULTS_FUNC(mod_openssl_set_defaults)
|
|||
cv[15].destination = &(s->ssl_verifyclient_export_cert);
|
||||
cv[16].destination = &(s->ssl_use_sslv2);
|
||||
cv[17].destination = &(s->ssl_use_sslv3);
|
||||
cv[18].destination = s->ssl_ca_crl_file;
|
||||
|
||||
p->config_storage[i] = s;
|
||||
|
||||
|
@ -852,6 +867,7 @@ mod_openssl_patch_connection (server *srv, connection *con, handler_ctx *hctx)
|
|||
PATCH(ssl_pemfile_x509);
|
||||
PATCH(ssl_pemfile_pkey);
|
||||
/*PATCH(ssl_ca_file);*//*(not patched)*/
|
||||
/*PATCH(ssl_ca_crl_file);*//*(not patched)*/
|
||||
PATCH(ssl_ca_file_cert_names);
|
||||
/*PATCH(ssl_cipher_list);*//*(not patched)*/
|
||||
/*PATCH(ssl_dh_file);*//*(not patched)*/
|
||||
|
@ -907,6 +923,8 @@ mod_openssl_patch_connection (server *srv, connection *con, handler_ctx *hctx)
|
|||
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("debug.log-ssl-noise"))) {
|
||||
PATCH(ssl_log_noise);
|
||||
#if 0 /*(not patched)*/
|
||||
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.ca-crl-file"))) {
|
||||
PATCH(ssl_ca_crl_file);
|
||||
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.honor-cipher-order"))) {
|
||||
PATCH(ssl_honor_cipher_order);
|
||||
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.empty-fragments"))) {
|
||||
|
|
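Review bot: The CRL is read exactly once in network_init_ssl (the X509_STORE_load_locations call in the `@@ -693,6 +695,15 @@` hunk) and then enforced with X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL, so once the loaded CRL's nextUpdate passes OpenSSL rejects every client certificate with a CRL-expired error until the server is restarted; nothing in the hunk re-reads the file. A comment above the `if (!buffer_string_is_empty(s->ssl_ca_crl_file))` line should say so, e.g. `/* CRL loaded once at startup; an expired CRL (nextUpdate passed) fails all client-cert verification until restart, and CRL_CHECK_ALL needs a CRL for every CA in the chain */`. The surrounding braces suggest this block sits inside the ssl.verifyclient branch, in which case an ssl.ca-crl-file configured without ssl.verifyclient is silently ignored; if that reading is right, a one-line log_error_write warning for that case would be worth adding. network_init_ssl begins and ends outside the hunk.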