Changeset 8b472af in mod_gnutls


Timestamp:
Apr 7, 2015, 5:13:59 AM (4 years ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
debian/master, debian/stretch-backports, jessie-backports, master, upstream
Children:
f030883
Parents:
49d25a9
git-author:
Thomas Klute <thomas2.klute@…> (04/07/15 03:52:09)
git-committer:
Thomas Klute <thomas2.klute@…> (04/07/15 05:13:59)
Message:

Use server root for file paths in TLS proxy config

This is what users should be able to expect. Changing the return type of
load_proxy_x509_credentials to apr_status_t is not a behavioural change:
the function already returned APR status values, the declaration now simply says so.
Absence of client credentials for the proxy is not necessarily a problem
(the back end server(s) may not require any), so the log level should be
lower than "warning".

Files:
5 edited

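--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -1743,5 +1743,5 @@
 
 
-static int load_proxy_x509_credentials(server_rec *s)
+static apr_status_t load_proxy_x509_credentials(server_rec *s)
 {
     mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
@@ -1751,13 +1751,27 @@
         return APR_EGENERAL;
 
-    int ret = APR_SUCCESS;
+    apr_status_t ret = APR_SUCCESS;
     int err = GNUTLS_E_SUCCESS;
+
+    /* Function pool, gets destroyed before exit. */
+    apr_pool_t *pool;
+    ret = apr_pool_create(&pool, s->process->pool);
+    if (ret != APR_SUCCESS)
+    {
+        ap_log_error(APLOG_MARK, APLOG_ERR, ret, s,
+                     "%s: failed to allocate function memory pool.", __func__);
+        return ret;
+    }
 
     /* load certificate and key for client auth, if configured */
     if (sc->proxy_x509_key_file && sc->proxy_x509_cert_file)
     {
+        char* cert_file = ap_server_root_relative(pool,
+                                                  sc->proxy_x509_cert_file);
+        char* key_file = ap_server_root_relative(pool,
+                                                 sc->proxy_x509_key_file);
         err = gnutls_certificate_set_x509_key_file(sc->proxy_x509_creds,
-                                                   sc->proxy_x509_cert_file,
-                                                   sc->proxy_x509_key_file,
+                                                   cert_file,
+                                                   key_file,
                                                    GNUTLS_X509_FMT_PEM);
         if (err != GNUTLS_E_SUCCESS)
@@ -1783,5 +1797,5 @@
     else
         /* if both key and cert are NULL, client auth is not used */
-        ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
+        ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
                      "%s: no client credentials for proxy", __func__);
 
@@ -1799,8 +1813,16 @@
         }
 
+        char* ca_file = ap_server_root_relative(pool,
+                                                sc->proxy_x509_ca_file);
+        /* if no CRL is used, sc->proxy_x509_crl_file is NULL */
+        char* crl_file = NULL;
+        if (sc->proxy_x509_crl_file)
+            crl_file = ap_server_root_relative(pool,
+                                               sc->proxy_x509_crl_file);
+
         /* returns number of loaded elements */
         err = gnutls_x509_trust_list_add_trust_file(sc->proxy_x509_tl,
-                                                    sc->proxy_x509_ca_file,
-                                                    sc->proxy_x509_crl_file,
+                                                    ca_file,
+                                                    crl_file,
                                                     GNUTLS_X509_FMT_PEM,
                                                     0 /* tl_flags */,
@@ -1815,7 +1837,10 @@
                          __func__, err);
         else /* err < 0 */
+        {
             ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                          "%s: error loading proxy CA trust list: %s (%d)",
                          __func__, gnutls_strerror(err), err);
+            ret = APR_EGENERAL;
+        }
 
         /* attach trust list to credentials */
@@ -1830,4 +1855,5 @@
     gnutls_certificate_set_verify_function(sc->proxy_x509_creds,
                                            gtls_check_server_cert);
+    apr_pool_destroy(pool);
     return ret;
 }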
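Review bot: The paths produced by ap_server_root_relative() at new lines 1769–1772 and 1815–1821 are handed straight to GnuTLS without a NULL check, although httpd documents that ap_server_root_relative() returns NULL when the path cannot be merged against ServerRoot, and neither gnutls_certificate_set_x509_key_file() nor gnutls_x509_trust_list_add_trust_file() is written to take a NULL file name. An unresolvable CA path would at best surface as a misleading GnuTLS file error instead of a configuration error naming the offending directive, so each resolved path should be checked and logged before the GnuTLS call, as sketched below for the client credentials; the same guard belongs in front of the trust-list call for ca_file and, when sc->proxy_x509_crl_file is set, crl_file. Separately, the subpool is only destroyed on the fall-through path at line 1857: if the `err != GNUTLS_E_SUCCESS` branch after line 1777, or any code between the hunks, returns early (not visible here), the pool is leaked until the process pool is cleared, so those returns should also go through apr_pool_destroy(pool). The body of load_proxy_x509_credentials between the hunks is outside this view.
```c
        char* cert_file = ap_server_root_relative(pool,
                                                  sc->proxy_x509_cert_file);
        char* key_file = ap_server_root_relative(pool,
                                                 sc->proxy_x509_key_file);
        if (cert_file == NULL || key_file == NULL)
        {
            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                         "%s: cannot resolve proxy certificate or key path "
                         "relative to ServerRoot", __func__);
            apr_pool_destroy(pool);
            return APR_EGENERAL;
        }
        /* … unchanged: gnutls_certificate_set_x509_key_file call … */
```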
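--- a/test/tests/19_TLS_reverse_proxy/apache.conf
+++ b/test/tests/19_TLS_reverse_proxy/apache.conf
@@ -14,5 +14,5 @@
 
  SSLProxyEngine On
- GnuTLSProxyCAFile ${PWD}/../../authority/x509.pem
+ GnuTLSProxyCAFile      authority/x509.pem
  ProxyPass /proxy/ https://${BACKEND_HOST}:${BACKEND_PORT}/
  ProxyPassReverse /proxy/ https://${BACKEND_HOST}:${BACKEND_PORT}/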
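--- a/test/tests/20_TLS_reverse_proxy_client_auth/apache.conf
+++ b/test/tests/20_TLS_reverse_proxy_client_auth/apache.conf
@@ -14,7 +14,7 @@
 
  SSLProxyEngine On
- GnuTLSProxyKeyFile ${PWD}/../../client/secret.key
- GnuTLSProxyCertificateFile ${PWD}/../../client/x509.pem
- GnuTLSProxyCAFile ${PWD}/../../authority/x509.pem
+ GnuTLSProxyKeyFile             client/secret.key
+ GnuTLSProxyCertificateFile     client/x509.pem
+ GnuTLSProxyCAFile              authority/x509.pem
  ProxyPass /proxy/ https://${BACKEND_HOST}:${BACKEND_PORT}/
  ProxyPassReverse /proxy/ https://${BACKEND_HOST}:${BACKEND_PORT}/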
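--- a/test/tests/21_TLS_reverse_proxy_wrong_cert/apache.conf
+++ b/test/tests/21_TLS_reverse_proxy_wrong_cert/apache.conf
@@ -14,5 +14,5 @@
 
  SSLProxyEngine On
- GnuTLSProxyCAFile ${PWD}/../../authority/x509.pem
+ GnuTLSProxyCAFile      authority/x509.pem
  ProxyPass /proxy/ https://${BACKEND_HOST}:${BACKEND_PORT}/
  ProxyPassReverse /proxy/ https://${BACKEND_HOST}:${BACKEND_PORT}/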
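--- a/test/tests/22_TLS_reverse_proxy_crl_revoke/apache.conf
+++ b/test/tests/22_TLS_reverse_proxy_crl_revoke/apache.conf
@@ -14,6 +14,6 @@
 
  SSLProxyEngine On
- GnuTLSProxyCAFile ${PWD}/../../authority/x509.pem
- GnuTLSProxyCRLFile ${PWD}/crl.pem
+ GnuTLSProxyCAFile      authority/x509.pem
+ GnuTLSProxyCRLFile     ${PWD}/crl.pem
  ProxyPass /proxy/ https://${BACKEND_HOST}:${BACKEND_PORT}/
  ProxyPassReverse /proxy/ https://${BACKEND_HOST}:${BACKEND_PORT}/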