Changeset 0de1839 in mod_gnutls for src/gnutls_config.c


Timestamp:
Mar 19, 2015, 8:27:45 AM (5 years ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
debian/master, debian/stretch-backports, jessie-backports, master, upstream
Children:
91ccb87
Parents:
10b3370
Message:

Support X.509 auth for TLS proxy connections

This commit adds support for X.509 certificate based authentication for
TLS proxy back end connections, including both server certificate
checking and (optionally) TLS client authentication. Some functions used
for this require GnuTLS 3.1.4 or later, so requirements change
accordingly.

Three new configuration parameters are added:

GnuTLSProxyCAFile FILEPATH

The given file must contain trusted CA certificates for server
verification. Required.

GnuTLSProxyKeyFile FILEPATH
GnuTLSProxyCertificateFile FILEPATH

Key and certificate for TLS client auth towards TLS back end servers. If
not set, TLS client auth is disabled.

File:
1 edited

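--- a/src/gnutls_config.c
+++ b/src/gnutls_config.c
@@ -101,6 +101,6 @@
 }
 
-const char *mgs_set_cert_file(cmd_parms * parms, void *dummy __attribute__((unused)), const char *arg) {
-
+const char *mgs_set_cert_file(cmd_parms * parms, void *dummy __attribute__((unused)), const char *arg)
+{
     int ret;
     gnutls_datum_t data;
@@ -631,4 +631,17 @@
         return NULL;
     }
+
+    sc->proxy_x509_key_file = NULL;
+    sc->proxy_x509_cert_file = NULL;
+    sc->proxy_x509_ca_file = NULL;
+    ret = gnutls_certificate_allocate_credentials(&sc->proxy_x509_creds);
+    if (ret < 0)
+    {
+        *err = apr_psprintf(p, "GnuTLS: Failed to initialize"
+                            ": (%d) %s", ret,
+                            gnutls_strerror(ret));
+        return NULL;
+    }
+
 #ifdef ENABLE_SRP
     ret = gnutls_srp_allocate_server_credentials(&sc->srp_creds);
@@ -698,4 +711,8 @@
     gnutls_srvconf_merge(dh_params, NULL);
 
+    gnutls_srvconf_merge(proxy_x509_key_file, NULL);
+    gnutls_srvconf_merge(proxy_x509_cert_file, NULL);
+    gnutls_srvconf_merge(proxy_x509_ca_file, NULL);
+
     /* FIXME: the following items are pre-allocated, and should be
      * properly disposed of before assigning in order to avoid leaks;
@@ -748,2 +765,28 @@
 }
 
+/*
+ * Store paths to proxy credentials
+ *
+ * This function copies the paths provided in the configuration file
+ * into the server configuration. The post configuration hook takes
+ * care of actually loading the credentials, which means than invalid
+ * paths or the like will be detected there.
+ */
+const char *mgs_store_cred_path(cmd_parms * parms,
+                                void *dummy __attribute__((unused)),
+                                const char *arg)
+{
+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
+        ap_get_module_config(parms->server->module_config, &gnutls_module);
+
+    /* parms->directive->directive contains the directive string */
+    if (!strcasecmp(parms->directive->directive, "GnuTLSProxyKeyFile"))
+        sc->proxy_x509_key_file = apr_pstrdup(parms->pool, arg);
+    else if (!strcasecmp(parms->directive->directive,
+                         "GnuTLSProxyCertificateFile"))
+        sc->proxy_x509_cert_file = apr_pstrdup(parms->pool, arg);
+    else if (!strcasecmp(parms->directive->directive, "GnuTLSProxyCAFile"))
+        sc->proxy_x509_ca_file = apr_pstrdup(parms->pool, arg);
+    /* TODO: Add CRL parameter */
+    return NULL;
+}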
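Review bot: mgs_store_cred_path stores `arg` verbatim, so a relative path given to GnuTLSProxyCAFile, GnuTLSProxyKeyFile or GnuTLSProxyCertificateFile will be resolved against whatever working directory the server has when the post-config hook loads it; if the other file directives in this file resolve paths with ap_server_root_relative(), these three branches should do the same, e.g. `sc->proxy_x509_ca_file = ap_server_root_relative(parms->pool, arg);`, so the trust anchor for back-end verification is not silently read from an unintended location. A directive name that matches none of the three branches falls through and returns NULL, which Apache treats as success; a trailing `else return apr_psprintf(parms->pool, "GnuTLS: unexpected directive %s", parms->directive->directive);` would make a mis-wired command table fail at config time instead of leaving the path unset. In the header comment, "which means than invalid paths" should read "which means that invalid paths". The credentials allocated in the second hunk via gnutls_certificate_allocate_credentials() on sc->proxy_x509_creds have no matching release in view; if no pool cleanup covers them elsewhere, one should be registered alongside the existing FIXME about pre-allocated items.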