Changeset 809c422 in mod_gnutls


Timestamp:
Apr 2, 2015, 8:48:19 PM (4 years ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
debian/master, debian/stretch-backports, jessie-backports, master, upstream
Children:
bfcff28
Parents:
bd24203
Message:

TLS proxy: Add support for CRLs to back end server verification

When configured as a TLS proxy, mod_gnutls can now use CRLs to check if
the certificate provided by a back end server is still valid. The CRL
file must be provided externally; the new configuration option
"GnuTLSProxyCRLFile" is used to load it.

Files:
5 edited

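--- a/docs/mod_gnutls_manual.mdwn
+++ b/docs/mod_gnutls_manual.mdwn
@@ -413,5 +413,5 @@
 --------------------
 
-Set to the PEM Encoded Certificate Authority Certificate
+Set to the PEM encoded Certificate Authority Certificate
 
     GnuTLSProxyCAFile FILEPATH
@@ -420,5 +420,5 @@
 Context: server config, virtual host
 
-Takes an absolute or relative path to a PEM Encoded Certificate to use
+Takes an absolute or relative path to a PEM encoded certificate to use
 as a Certificate Authority when verifying certificates provided by
 proxy back end servers. This file may contain a list of trusted
@@ -426,8 +426,22 @@
 always fail due to lack of a trusted CA.
 
+`GnuTLSProxyCRLFile`
+--------------------
+
+Set to the PEM encoded Certificate Revocation List
+
+    GnuTLSProxyCRLFile FILEPATH
+
+Default: *none*\
+Context: server config, virtual host
+
+Takes an absolute or relative path to a PEM encoded Certificate
+Revocation List to use when verifying certificates provided by proxy
+back end servers. The file may contain a list of CRLs.
+
 `GnuTLSProxyCertificateFile`
 -----------------------
 
-Set to the PEM Encoded Client Certificate
+Set to the PEM encoded Client Certificate
 
     GnuTLSProxyCertificateFile FILEPATH
@@ -436,5 +450,5 @@
 Context: server config, virtual host
 
-Takes an absolute or relative path to a PEM-encoded X.509 certificate
+Takes an absolute or relative path to a PEM encoded X.509 certificate
 to use as this Server's End Entity (EE) client certificate for TLS
 client authentication in proxy TLS connections. If you need to supply
@@ -451,5 +465,5 @@
 ---------------
 
-Set to the PEM Encoded Private Key
+Set to the PEM encoded Private Key
 
     GnuTLSProxyKeyFile FILEPATH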
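--- a/include/mod_gnutls.h.in
+++ b/include/mod_gnutls.h.in
@@ -113,4 +113,5 @@
     const char* proxy_x509_cert_file;
     const char* proxy_x509_ca_file;
+    const char* proxy_x509_crl_file;
     /* SRP Certificate Structure*/
     gnutls_srp_server_credentials_t srp_creds;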
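--- a/src/gnutls_config.c
+++ b/src/gnutls_config.c
@@ -635,4 +635,5 @@
     sc->proxy_x509_cert_file = NULL;
     sc->proxy_x509_ca_file = NULL;
+    sc->proxy_x509_crl_file = NULL;
     ret = gnutls_certificate_allocate_credentials(&sc->proxy_x509_creds);
     if (ret < 0)
@@ -714,4 +715,5 @@
     gnutls_srvconf_merge(proxy_x509_cert_file, NULL);
     gnutls_srvconf_merge(proxy_x509_ca_file, NULL);
+    gnutls_srvconf_merge(proxy_x509_crl_file, NULL);
 
     /* FIXME: the following items are pre-allocated, and should be
@@ -788,5 +790,6 @@
     else if (!strcasecmp(parms->directive->directive, "GnuTLSProxyCAFile"))
         sc->proxy_x509_ca_file = apr_pstrdup(parms->pool, arg);
-    /* TODO: Add CRL parameter */
-    return NULL;
-}
+    else if (!strcasecmp(parms->directive->directive, "GnuTLSProxyCRLFile"))
+        sc->proxy_x509_crl_file = apr_pstrdup(parms->pool, arg);
+    return NULL;
+}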
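Review bot: The new GnuTLSProxyCRLFile branch in the last hunk stores `arg` verbatim with apr_pstrdup, so a relative path (which the manual explicitly allows) will be resolved against the httpd process's working directory when the trust list is later loaded, unless something outside this hunk maps it first. httpd's own `ap_server_root_relative(parms->pool, arg)` is the usual way to make such paths ServerRoot-relative, so `sc->proxy_x509_crl_file = ap_server_root_relative(parms->pool, arg);` would do it; the GnuTLSProxyCAFile line above has the same behaviour, so either both should change or neither, to stay consistent. Nothing here checks that the file exists or parses; presumably that surfaces when the proxy trust list is built, which is acceptable but deserves a one-line comment such as `/* existence and parsing are checked when the proxy trust list is loaded */`. The enclosing function begins before this hunk.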
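--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -1802,5 +1802,5 @@
         err = gnutls_x509_trust_list_add_trust_file(sc->proxy_x509_tl,
                                                     sc->proxy_x509_ca_file,
-                                                    NULL /* crl_file */,
+                                                    sc->proxy_x509_crl_file,
                                                     GNUTLS_X509_FMT_PEM,
                                                     0 /* tl_flags */,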
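Review bot: The CRL file is now passed in, but tl_flags stays `0` on the last line of the hunk, which — if I read the gnutls_x509_trust_list_add_trust_file contract correctly — means the CRLs are added without GNUTLS_TL_VERIFY_CRL, i.e. without checking that each CRL is signed by a CA in the trust list, so an unsigned or mis-issued CRL in the configured file would still be consulted when verifying back end certificates. The file is admin-supplied, so the exposure is limited, but `GNUTLS_TL_VERIFY_CRL /* tl_flags */,` costs nothing and rejects a CRL that does not match the configured CAs, assuming the targeted GnuTLS version provides the flag. The CRL is also read exactly once at this point, so a refreshed CRL (or one past its nextUpdate) is not picked up until httpd is restarted or reloaded; the manual entry for GnuTLSProxyCRLFile should say so. The surrounding function, the remaining arguments of this call (including tl_vflags) and the handling of `err` lie outside the hunk.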
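--- a/src/mod_gnutls.c
+++ b/src/mod_gnutls.c
@@ -236,4 +236,8 @@
     RSRC_CONF,
     "X509 trusted CA file for proxy connections"),
+    AP_INIT_TAKE1("GnuTLSProxyCRLFile", mgs_store_cred_path,
+    NULL,
+    RSRC_CONF,
+    "X509 CRL file for proxy connections"),
     { NULL },
 };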