Changeset 60868d2 in mod_gnutls


Ignore:
Timestamp:
Sep 30, 2018, 6:04:48 AM (15 months ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
debian/master, master
Children:
0d7660d
Parents:
bd1d8d3
git-author:
Fiona Klute <fiona.klute@…> (09/30/18 05:43:44)
git-committer:
Fiona Klute <fiona.klute@…> (09/30/18 06:04:48)
Message:

Default to NORMAL for the GnuTLS priority settings

This simplifies configuration and should be reasonable for most users.

Files:
6 edited

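--- a/doc/mod_gnutls_manual.mdwn
+++ b/doc/mod_gnutls_manual.mdwn
@@ -213,39 +213,13 @@
     GnuTLSPriorities NORMAL:+CIPHER_0:+CIPHER_1:...:+CIPHER_N
 
-Default: *none*\
-Context: server config, virtual host
-
-Takes a colon separated list of protocol version, ciphers, key
-exchange methods message authentication codes, and compression methods
-to enable. The allowed keywords are specified in the
-`gnutls_priority_init()` function of GnuTLS.
-
-Please refer to [the GnuTLS documentation](https://gnutls.org/manual/html_node/Priority-Strings.html#Priority-Strings)
-for details. A few commonly used sets are listed below, note that
-their exact meaning may change with GnuTLS versions.
-
-`PERFORMANCE`
-:   A list with all the secure cipher combinations sorted in terms of
-    performance.
-
-`NORMAL`
-:   A list with all the secure cipher combinations sorted
-    with respect to security margin (subjective term).
-
-`SECURE128`
-:   A list with all the secure cipher suites that offer a security level
-    of 128-bit or more.
-
-`PFS`
-:   Only cipher suites offering perfect forward secrecy (ECDHE and DHE),
-    sorted by security margin.
-
-You can add or remove algorithms using the `+` and `!` prefixes
-respectively. For example, in order to use the `NORMAL` set but
-disable TLS 1.0 and 1.1 you can use the string
-`NORMAL:!VERS-TLS1.0:!VERS-TLS1.1`.
-
-You can find a list of all supported Ciphers, Versions, MACs, etc.  by
-running `gnutls-cli --list`.
+Default: `NORMAL`\
+Context: server config, virtual host
+
+Sets the allowed protocol version(s), ciphers, key exchange methods,
+message authentication codes, and other TLS parameters for the server.
+The parameter is a GnuTLS priority string as described in the
+[the GnuTLS documentation](https://gnutls.org/manual/html_node/Priority-Strings.html).
+
+For example, to disable TLS 1.0 use `NORMAL:-VERS-TLS1.0`.
 
 ### GnuTLSP11Module
@@ -490,11 +464,12 @@
     GnuTLSProxyPriorities NORMAL:+CIPHER_0:+CIPHER_1:...:+CIPHER_N
 
-Default: *none*\
-Context: server config, virtual host
-
-This option is used to set the allowed ciphers, key exchange
-algorithms, MACs and compression methods for proxy connections. It
-takes the same parameters as `GnuTLSPriorities`. Required if
-`GnuTLSProxyEngine` is `On`.
+Default: `NORMAL`\
+Context: server config, virtual host
+
+Sets the allowed protocol version(s), ciphers, key exchange methods,
+message authentication codes, and other TLS parameters for TLS proxy
+connections. Like for `GnuTLSPriorities` the parameter is a GnuTLS
+priority string as described in the
+[the GnuTLS documentation](https://gnutls.org/manual/html_node/Priority-Strings.html).
 
 OCSP Stapling Configuration
@@ -754,5 +729,4 @@
          GnuTLSEnable on
          GnuTLSSessionTickets on
-         GnuTLSPriorities NORMAL
          DocumentRoot /www/site1.example.com/html
          ServerName site1.example.com:443
@@ -763,5 +737,4 @@
      <VirtualHost _default_:443>
          GnuTLSEnable on
-         GnuTLSPriorities NORMAL
          DocumentRoot /www/site2.example.com/html
          ServerName site2.example.com:443
@@ -772,5 +745,4 @@
      <VirtualHost _default_:443>
          GnuTLSEnable on
-         GnuTLSPriorities NORMAL
          DocumentRoot /www/site3.example.com/html
          ServerName site3.example.com:443
@@ -781,5 +753,4 @@
      <VirtualHost _default_:443>
          GnuTLSEnable on
-         GnuTLSPriorities NORMAL
          DocumentRoot /www/site4.example.com/html
          ServerName site4.example.com:443
@@ -804,10 +775,8 @@
      <VirtualHost _default_:443>
          GnuTLSEnable          On
-         GnuTLSPriorities      NORMAL
          DocumentRoot          /www/site1.example.com/html
          ServerName            site1.example.com:443
          GnuTLSCertificateFile conf/tls/site1.crt
          GnuTLSKeyFile         conf/tls/site1.key
-         GnuTLSPriorities      NORMAL
          GnuTLSOCSPStapling    On
      </VirtualHost>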
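--- a/src/gnutls_config.c
+++ b/src/gnutls_config.c
@@ -143,5 +143,8 @@
     }
 
-    if (sc->priorities)
+    /* Deinit server priorities only if set from
+     * sc->priorities_str. Otherwise the server is using the default
+     * global priority cache, which must not be deinitialized here. */
+    if (sc->priorities_str && sc->priorities)
     {
         gnutls_priority_deinit(sc->priorities);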
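--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -53,4 +53,12 @@
 static gnutls_datum_t session_ticket_key = {NULL, 0};
 
+
+/** Default GnuTLS priority string for mod_gnutls */
+#define MGS_DEFAULT_PRIORITY "NORMAL"
+/** Compiled version of MGS_DEFAULT_PRIORITY (initialized in the
+ * pre_config hook) */
+static gnutls_priority_t default_prio;
+
+
 static int mgs_cert_verify(request_rec * r, mgs_handle_t * ctxt);
 /* use side==0 for server and side==1 for client */
@@ -73,4 +81,7 @@
     session_ticket_key.data = NULL;
     session_ticket_key.size = 0;
+
+    /* Deinit default priority setting */
+    gnutls_priority_deinit(default_prio);
     return APR_SUCCESS;
 }
@@ -124,4 +135,14 @@
                 ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, plog, "gnutls_session_ticket_key_generate: %s", gnutls_strerror(ret));
                 return DONE;
+    }
+
+    /* Initialize default priority setting */
+    ret = gnutls_priority_init(&default_prio, MGS_DEFAULT_PRIORITY, NULL);
+    if (ret < 0)
+    {
+        ap_log_perror(APLOG_MARK, APLOG_EMERG, 0, plog,
+                      "gnutls_priority_init failed for default '%s': %s (%d)",
+                      MGS_DEFAULT_PRIORITY, gnutls_strerror(ret), ret);
+        return DONE;
     }
 
@@ -648,8 +669,10 @@
         /* Check if the priorities have been set */
         if (sc->priorities == NULL && sc->enabled == GNUTLS_ENABLED_TRUE) {
-            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-                    "GnuTLS: Host '%s:%d' is missing the GnuTLSPriorities directive!",
-                    s->server_hostname, s->port);
-            return HTTP_NOT_ACCEPTABLE;
+            ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+                         "No GnuTLSPriorities directive for host '%s:%d', "
+                         "using default '%s'.",
+                         s->server_hostname, s->addrs->host_port,
+                         MGS_DEFAULT_PRIORITY);
+            sc->priorities = default_prio;
         }
 
@@ -1081,7 +1104,8 @@
 
     /* Set Default Priority */
-    err = gnutls_priority_set_direct(ctxt->session, "NORMAL", NULL);
+    err = gnutls_priority_set(ctxt->session, default_prio);
     if (err != GNUTLS_E_SUCCESS)
-        ap_log_cerror(APLOG_MARK, APLOG_ERR, err, c, "gnutls_priority_set_direct failed!");
+        ap_log_cerror(APLOG_MARK, APLOG_ERR, err, c,
+                      "gnutls_priority_set failed!");
     /* Set Handshake function */
     gnutls_handshake_set_post_client_hello_function(ctxt->session,
@@ -1999,5 +2023,9 @@
     }
 
-    if (sc->proxy_priorities)
+    /* Deinit proxy priorities only if set from
+     * sc->proxy_priorities_str. Otherwise the server is using the
+     * default global priority cache, which must not be deinitialized
+     * here. */
+    if (sc->proxy_priorities_str && sc->proxy_priorities)
     {
         gnutls_priority_deinit(sc->proxy_priorities);
@@ -2059,26 +2087,30 @@
     if (sc->proxy_priorities_str == NULL)
     {
-        ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
-                     "Host '%s:%d' is missing the GnuTLSProxyPriorities "
-                     "directive!",
-                     s->server_hostname, s->port);
-        return APR_EGENERAL;
-    }
-    /* parse proxy priorities */
-    const char *err_pos = NULL;
-    err = gnutls_priority_init(&sc->proxy_priorities,
-                               sc->proxy_priorities_str, &err_pos);
-    if (err != GNUTLS_E_SUCCESS)
-    {
-        if (ret == GNUTLS_E_INVALID_REQUEST)
-            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
-                         "%s: Syntax error parsing proxy priorities "
-                         "string at: %s",
-                         __func__, err_pos);
-        else
-            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
-                         "Error setting proxy priorities: %s (%d)",
-                         gnutls_strerror(err), err);
-        ret = APR_EGENERAL;
+        ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+                     "No GnuTLSProxyPriorities directive for host '%s:%d', "
+                     "using default '%s'.",
+                     s->server_hostname, s->addrs->host_port,
+                     MGS_DEFAULT_PRIORITY);
+        sc->proxy_priorities = default_prio;
+    }
+    else
+    {
+        /* parse proxy priorities */
+        const char *err_pos = NULL;
+        err = gnutls_priority_init(&sc->proxy_priorities,
+                                   sc->proxy_priorities_str, &err_pos);
+        if (err != GNUTLS_E_SUCCESS)
+        {
+            if (ret == GNUTLS_E_INVALID_REQUEST)
+                ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                             "%s: Syntax error parsing proxy priorities "
+                             "string at: %s",
+                             __func__, err_pos);
+            else
+                ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                             "Error setting proxy priorities: %s (%d)",
+                             gnutls_strerror(err), err);
+            ret = APR_EGENERAL;
+        }
     }
 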
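Review bot: In the new else-branch of the proxy priorities setup (new lines 2102–2113) the syntax-error check tests `ret` instead of `err`, the variable that actually holds the `gnutls_priority_init()` result, so the branch that reports `err_pos` is effectively unreachable and a malformed GnuTLSProxyPriorities string only yields the generic "Error setting proxy priorities" message. The commit moved this code verbatim, so the defect predates it, but it is worth fixing while the block is touched: `if (err == GNUTLS_E_INVALID_REQUEST)`. Separately, both new INFO log lines (new lines 674 and 2092) dereference `s->addrs->host_port` where the removed code used `s->port`; if `s->addrs` can be NULL for a server_rec at this hook (I cannot confirm that from the hunk), that is a new NULL dereference on the fallback path, and either a guard or `s->port` avoids it. The enclosing functions start and end outside the hunks.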
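--- a/test/tests/00_basic/apache.conf
+++ b/test/tests/00_basic/apache.conf
@@ -8,4 +8,3 @@
  GnuTLSCertificateFile server/x509.pem
  GnuTLSKeyFile server/secret.key
- GnuTLSPriorities NORMAL
 </VirtualHost>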
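--- a/test/tests/19_TLS_reverse_proxy/apache.conf
+++ b/test/tests/19_TLS_reverse_proxy/apache.conf
@@ -9,9 +9,7 @@
  GnuTLSCertificateFile server/x509.pem
  GnuTLSKeyFile server/secret.key
- GnuTLSPriorities NORMAL
 
  GnuTLSProxyEngine      On
  GnuTLSProxyCAFile      authority/x509.pem
- GnuTLSProxyPriorities  NORMAL
  ProxyPass /proxy/ https://${BACKEND_HOST}:${BACKEND_PORT}/
  ProxyPassReverse /proxy/ https://${BACKEND_HOST}:${BACKEND_PORT}/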
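--- a/test/tests/19_TLS_reverse_proxy/backend.conf
+++ b/test/tests/19_TLS_reverse_proxy/backend.conf
@@ -8,4 +8,3 @@
  GnuTLSCertificateFile server/x509.pem
  GnuTLSKeyFile server/secret.key
- GnuTLSPriorities NORMAL
 </VirtualHost>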