Changeset 60868d2 in mod_gnutls
- Timestamp:
- Sep 30, 2018, 6:04:48 AM (15 months ago)
- Branches:
- debian/master, master
- Children:
- 0d7660d
- Parents:
- bd1d8d3
- git-author:
- Fiona Klute <fiona.klute@…> (09/30/18 05:43:44)
- git-committer:
- Fiona Klute <fiona.klute@…> (09/30/18 06:04:48)
- Files:
-
- 6 edited
doc/mod_gnutls_manual.mdwn
rbd1d8d3 r60868d2 213 213 GnuTLSPriorities NORMAL:+CIPHER_0:+CIPHER_1:...:+CIPHER_N 214 214 215 Default: *none*\ 216 Context: server config, virtual host 217 218 Takes a colon separated list of protocol version, ciphers, key 219 exchange methods message authentication codes, and compression methods 220 to enable. The allowed keywords are specified in the 221 `gnutls_priority_init()` function of GnuTLS. 222 223 Please refer to [the GnuTLS documentation](https://gnutls.org/manual/html_node/Priority-Strings.html#Priority-Strings) 224 for details. A few commonly used sets are listed below, note that 225 their exact meaning may change with GnuTLS versions. 226 227 `PERFORMANCE` 228 : A list with all the secure cipher combinations sorted in terms of 229 performance. 230 231 `NORMAL` 232 : A list with all the secure cipher combinations sorted 233 with respect to security margin (subjective term). 234 235 `SECURE128` 236 : A list with all the secure cipher suites that offer a security level 237 of 128-bit or more. 238 239 `PFS` 240 : Only cipher suites offering perfect forward secrecy (ECDHE and DHE), 241 sorted by security margin. 242 243 You can add or remove algorithms using the `+` and `!` prefixes 244 respectively. For example, in order to use the `NORMAL` set but 245 disable TLS 1.0 and 1.1 you can use the string 246 `NORMAL:!VERS-TLS1.0:!VERS-TLS1.1`. 247 248 You can find a list of all supported Ciphers, Versions, MACs, etc. by 249 running `gnutls-cli --list`. 215 Default: `NORMAL`\ 216 Context: server config, virtual host 217 218 Sets the allowed protocol version(s), ciphers, key exchange methods, 219 message authentication codes, and other TLS parameters for the server. 220 The parameter is a GnuTLS priority string as described in the 221 [the GnuTLS documentation](https://gnutls.org/manual/html_node/Priority-Strings.html). 222 223 For example, to disable TLS 1.0 use `NORMAL:-VERS-TLS1.0`. 
250 224 251 225 ### GnuTLSP11Module … … 490 464 GnuTLSProxyPriorities NORMAL:+CIPHER_0:+CIPHER_1:...:+CIPHER_N 491 465 492 Default: *none*\ 493 Context: server config, virtual host 494 495 This option is used to set the allowed ciphers, key exchange 496 algorithms, MACs and compression methods for proxy connections. It 497 takes the same parameters as `GnuTLSPriorities`. Required if 498 `GnuTLSProxyEngine` is `On`. 466 Default: `NORMAL`\ 467 Context: server config, virtual host 468 469 Sets the allowed protocol version(s), ciphers, key exchange methods, 470 message authentication codes, and other TLS parameters for TLS proxy 471 connections. Like for `GnuTLSPriorities` the parameter is a GnuTLS 472 priority string as described in the 473 [the GnuTLS documentation](https://gnutls.org/manual/html_node/Priority-Strings.html). 499 474 500 475 OCSP Stapling Configuration … … 754 729 GnuTLSEnable on 755 730 GnuTLSSessionTickets on 756 GnuTLSPriorities NORMAL757 731 DocumentRoot /www/site1.example.com/html 758 732 ServerName site1.example.com:443 … … 763 737 <VirtualHost _default_:443> 764 738 GnuTLSEnable on 765 GnuTLSPriorities NORMAL766 739 DocumentRoot /www/site2.example.com/html 767 740 ServerName site2.example.com:443 … … 772 745 <VirtualHost _default_:443> 773 746 GnuTLSEnable on 774 GnuTLSPriorities NORMAL775 747 DocumentRoot /www/site3.example.com/html 776 748 ServerName site3.example.com:443 … … 781 753 <VirtualHost _default_:443> 782 754 GnuTLSEnable on 783 GnuTLSPriorities NORMAL784 755 DocumentRoot /www/site4.example.com/html 785 756 ServerName site4.example.com:443 … … 804 775 <VirtualHost _default_:443> 805 776 GnuTLSEnable On 806 GnuTLSPriorities NORMAL807 777 DocumentRoot /www/site1.example.com/html 808 778 ServerName site1.example.com:443 809 779 GnuTLSCertificateFile conf/tls/site1.crt 810 780 GnuTLSKeyFile conf/tls/site1.key 811 GnuTLSPriorities NORMAL812 781 GnuTLSOCSPStapling On 813 782 </VirtualHost> -
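--- a/src/gnutls_config.c
+++ b/src/gnutls_config.c
@@ -143,5 +143,8 @@
     }
 
-    if (sc->priorities)
+    /* Deinit server priorities only if set from
+     * sc->priorities_str. Otherwise the server is using the default
+     * global priority cache, which must not be deinitialized here. */
+    if (sc->priorities_str && sc->priorities)
     {
         gnutls_priority_deinit(sc->priorities);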
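Review bot: Nothing in the hunk clears `sc->priorities` after `gnutls_priority_deinit(sc->priorities)` (new line 150), so if this cleanup runs more than once the same cache is deinitialized twice; adding `sc->priorities = NULL;` directly after the call would make the guard on new line 148 idempotent. The guard itself reads correctly: a server that fell back to the shared default cache has no `priorities_str`, so the shared cache is never freed here. The enclosing function starts and ends outside the hunk, so the reset may already exist below line 150.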
src/gnutls_hooks.c
rbd1d8d3 r60868d2 53 53 static gnutls_datum_t session_ticket_key = {NULL, 0}; 54 54 55 56 /** Default GnuTLS priority string for mod_gnutls */ 57 #define MGS_DEFAULT_PRIORITY "NORMAL" 58 /** Compiled version of MGS_DEFAULT_PRIORITY (initialized in the 59 * pre_config hook) */ 60 static gnutls_priority_t default_prio; 61 62 55 63 static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt); 56 64 /* use side==0 for server and side==1 for client */ … … 73 81 session_ticket_key.data = NULL; 74 82 session_ticket_key.size = 0; 83 84 /* Deinit default priority setting */ 85 gnutls_priority_deinit(default_prio); 75 86 return APR_SUCCESS; 76 87 } … … 124 135 ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, plog, "gnutls_session_ticket_key_generate: %s", gnutls_strerror(ret)); 125 136 return DONE; 137 } 138 139 /* Initialize default priority setting */ 140 ret = gnutls_priority_init(&default_prio, MGS_DEFAULT_PRIORITY, NULL); 141 if (ret < 0) 142 { 143 ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, plog, 144 "gnutls_priority_init failed for default '%s': %s (%d)", 145 MGS_DEFAULT_PRIORITY, gnutls_strerror(ret), ret); 146 return DONE; 126 147 } 127 148 … … 648 669 /* Check if the priorities have been set */ 649 670 if (sc->priorities == NULL && sc->enabled == GNUTLS_ENABLED_TRUE) { 650 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 651 "GnuTLS: Host '%s:%d' is missing the GnuTLSPriorities directive!", 652 s->server_hostname, s->port); 653 return HTTP_NOT_ACCEPTABLE; 671 ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, 672 "No GnuTLSPriorities directive for host '%s:%d', " 673 "using default '%s'.", 674 s->server_hostname, s->addrs->host_port, 675 MGS_DEFAULT_PRIORITY); 676 sc->priorities = default_prio; 654 677 } 655 678 … … 1081 1104 1082 1105 /* Set Default Priority */ 1083 err = gnutls_priority_set _direct(ctxt->session, "NORMAL", NULL);1106 err = gnutls_priority_set(ctxt->session, default_prio); 1084 1107 if (err != GNUTLS_E_SUCCESS) 1085 ap_log_cerror(APLOG_MARK, APLOG_ERR, err, c, 
"gnutls_priority_set_direct failed!"); 1108 ap_log_cerror(APLOG_MARK, APLOG_ERR, err, c, 1109 "gnutls_priority_set failed!"); 1086 1110 /* Set Handshake function */ 1087 1111 gnutls_handshake_set_post_client_hello_function(ctxt->session, … … 1999 2023 } 2000 2024 2001 if (sc->proxy_priorities) 2025 /* Deinit proxy priorities only if set from 2026 * sc->proxy_priorities_str. Otherwise the server is using the 2027 * default global priority cache, which must not be deinitialized 2028 * here. */ 2029 if (sc->proxy_priorities_str && sc->proxy_priorities) 2002 2030 { 2003 2031 gnutls_priority_deinit(sc->proxy_priorities); … … 2059 2087 if (sc->proxy_priorities_str == NULL) 2060 2088 { 2061 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 2062 "Host '%s:%d' is missing the GnuTLSProxyPriorities " 2063 "directive!", 2064 s->server_hostname, s->port); 2065 return APR_EGENERAL; 2066 } 2067 /* parse proxy priorities */ 2068 const char *err_pos = NULL; 2069 err = gnutls_priority_init(&sc->proxy_priorities, 2070 sc->proxy_priorities_str, &err_pos); 2071 if (err != GNUTLS_E_SUCCESS) 2072 { 2073 if (ret == GNUTLS_E_INVALID_REQUEST) 2074 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, 2075 "%s: Syntax error parsing proxy priorities " 2076 "string at: %s", 2077 __func__, err_pos); 2078 else 2079 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, 2080 "Error setting proxy priorities: %s (%d)", 2081 gnutls_strerror(err), err); 2082 ret = APR_EGENERAL; 2089 ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, 2090 "No GnuTLSProxyPriorities directive for host '%s:%d', " 2091 "using default '%s'.", 2092 s->server_hostname, s->addrs->host_port, 2093 MGS_DEFAULT_PRIORITY); 2094 sc->proxy_priorities = default_prio; 2095 } 2096 else 2097 { 2098 /* parse proxy priorities */ 2099 const char *err_pos = NULL; 2100 err = gnutls_priority_init(&sc->proxy_priorities, 2101 sc->proxy_priorities_str, &err_pos); 2102 if (err != GNUTLS_E_SUCCESS) 2103 { 2104 if (ret == GNUTLS_E_INVALID_REQUEST) 2105 ap_log_error(APLOG_MARK, 
APLOG_ERR, 0, s, 2106 "%s: Syntax error parsing proxy priorities " 2107 "string at: %s", 2108 __func__, err_pos); 2109 else 2110 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, 2111 "Error setting proxy priorities: %s (%d)", 2112 gnutls_strerror(err), err); 2113 ret = APR_EGENERAL; 2114 } 2083 2115 } 2084 2116 -
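Review bot: The syntax-error branch of the proxy-priority parsing block (new lines 2102-2113) tests `ret` while the return value of `gnutls_priority_init()` is stored in `err`, so `if (ret == GNUTLS_E_INVALID_REQUEST)` never selects the message that reports `err_pos`, and a malformed GnuTLSProxyPriorities string is logged only with the generic message; it should read `if (err == GNUTLS_E_INVALID_REQUEST)`. The removed line 2073 had the same comparison, so the commit moves the defect into the new else-block rather than introducing it. A smaller point in the cleanup hook (new lines 84-85): `default_prio` is not reset after `gnutls_priority_deinit(default_prio)`, which is only safe if that hook cannot run a second time before `pre_config` re-initializes it; `default_prio = NULL;` after the call would remove the doubt. Both enclosing functions start and end outside the hunks.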
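--- a/test/tests/00_basic/apache.conf
+++ b/test/tests/00_basic/apache.conf
@@ -8,4 +8,3 @@
     GnuTLSCertificateFile server/x509.pem
     GnuTLSKeyFile server/secret.key
-    GnuTLSPriorities NORMAL
 </VirtualHost>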
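--- a/test/tests/19_TLS_reverse_proxy/apache.conf
+++ b/test/tests/19_TLS_reverse_proxy/apache.conf
@@ -9,9 +9,7 @@
     GnuTLSCertificateFile server/x509.pem
     GnuTLSKeyFile server/secret.key
-    GnuTLSPriorities NORMAL
 
     GnuTLSProxyEngine On
     GnuTLSProxyCAFile authority/x509.pem
-    GnuTLSProxyPriorities NORMAL
     ProxyPass /proxy/ https://${BACKEND_HOST}:${BACKEND_PORT}/
     ProxyPassReverse /proxy/ https://${BACKEND_HOST}:${BACKEND_PORT}/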
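--- a/test/tests/19_TLS_reverse_proxy/backend.conf
+++ b/test/tests/19_TLS_reverse_proxy/backend.conf
@@ -8,4 +8,3 @@
     GnuTLSCertificateFile server/x509.pem
     GnuTLSKeyFile server/secret.key
-    GnuTLSPriorities NORMAL
 </VirtualHost>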