Changeset beb14d9 in mod_gnutls for src


Timestamp:
Jan 27, 2015, 7:20:27 AM (5 years ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
debian/master, debian/stretch-backports, jessie-backports, master, upstream
Children:
4fefa39
Parents:
c1ef069
Message:

Proof of concept: Support for proxy back end connections using TLS

This commit enables TLS on proxy back end connections if requested from
mod_proxy. Since mod_gnutls acts as client instead of server on proxy
back end connections, TLS session setup is quite different.

Note that this implementation is not finished, in particular the proxy
back end connection is hard coded to use the same X.509 credentials as
the server side, which severely restricts usable certificate
combinations.

Some typos in comments and an error message related to TLS handshake are
fixed as well.

Location:
src
Files:
3 edited

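--- a/src/gnutls_config.c
+++ b/src/gnutls_config.c
@@ -620,4 +620,15 @@
         return NULL;
     }
+
+    /* FIXME: not ideal, should be called only if SSLProxyEngine is
+     * enabled */
+    ret = gnutls_anon_allocate_client_credentials(&sc->anon_client_creds);
+    if (ret < 0)
+    {
+        *err = apr_psprintf(p, "GnuTLS: Failed to initialize"
+                            ": (%d) %s", ret,
+                            gnutls_strerror(ret));
+        return NULL;
+    }
 #ifdef ENABLE_SRP
     ret = gnutls_srp_allocate_server_credentials(&sc->srp_creds);
@@ -696,4 +707,5 @@
     gnutls_srvconf_assign(certs);
     gnutls_srvconf_assign(anon_creds);
+    gnutls_srvconf_assign(anon_client_creds);
     gnutls_srvconf_assign(srp_creds);
     gnutls_srvconf_assign(certs_x509_chain);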
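Review bot: The error message built at lines 628–630 does not say which allocation failed; `"GnuTLS: Failed to initialize"` plus a bare error code is hard to tell apart from the neighbouring credential allocation failures, so I would make it `"GnuTLS: Failed to initialize anonymous client credentials: (%d) %s"`. The second hunk (707–711) adds `anon_client_creds` to the merge, but I do not see a matching `gnutls_anon_free_client_credentials` anywhere in this diff; if `anon_creds` is released on pool cleanup elsewhere, the new handle presumably needs the same treatment. The FIXME could also state the cost of the unconditional call, e.g. `/* FIXME: allocated for every server config even when SSLProxyEngine is off; move behind the proxy-enabled check once that flag is available here */`. The enclosing function starts and ends outside the hunk.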
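--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -147,7 +147,7 @@
     gnutls_certificate_server_set_request(session, ctxt->sc->client_verify_mode);
 
+    /* Set x509 credentials */
+    gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, ctxt->sc->certs);
     /* Set Anon credentials */
-    gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, ctxt->sc->certs);
-        /* Set x509 credentials */
     gnutls_credentials_set(session, GNUTLS_CRD_ANON, ctxt->sc->anon_creds);
 
@@ -714,12 +714,36 @@
 
     /* Initialize GnuTLS Library */
-    int err = gnutls_init(&ctxt->session, GNUTLS_SERVER);
-    if (err != GNUTLS_E_SUCCESS)
-        ap_log_cerror(APLOG_MARK, APLOG_ERR, err, c, "gnutls_init failed!");
-    /* Initialize Session Tickets */
-    if (session_ticket_key.data != NULL && ctxt->sc->tickets != 0) {
-        err = gnutls_session_ticket_enable_server(ctxt->session, &session_ticket_key);
+    int err = 0;
+    if (ctxt->is_proxy == GNUTLS_ENABLED_TRUE)
+    {
+        /* this is an outgoing proxy connection, client mode */
+        err = gnutls_init(&ctxt->session, GNUTLS_CLIENT);
         if (err != GNUTLS_E_SUCCESS)
-            ap_log_cerror(APLOG_MARK, APLOG_ERR, err, c, "gnutls_session_ticket_enable_server failed!");
+            ap_log_cerror(APLOG_MARK, APLOG_ERR, err, c,
+                          "gnutls_init for proxy connection failed: %s (%d)",
+                          gnutls_strerror(err), err);
+        err = gnutls_session_ticket_enable_client(ctxt->session);
+        if (err != GNUTLS_E_SUCCESS)
+            ap_log_cerror(APLOG_MARK, APLOG_ERR, err, c,
+                          "gnutls_session_ticket_enable_client failed: %s (%d)",
+                          gnutls_strerror(err), err);
+    }
+    else
+    {
+        /* incoming connection, server mode */
+        err = gnutls_init(&ctxt->session, GNUTLS_SERVER);
+        if (err != GNUTLS_E_SUCCESS)
+            ap_log_cerror(APLOG_MARK, APLOG_ERR, err, c,
+                          "gnutls_init for server side failed: %s (%d)",
+                          gnutls_strerror(err), err);
+        /* Initialize Session Tickets */
+        if (session_ticket_key.data != NULL && ctxt->sc->tickets != 0)
+        {
+            err = gnutls_session_ticket_enable_server(ctxt->session, &session_ticket_key);
+            if (err != GNUTLS_E_SUCCESS)
+                ap_log_cerror(APLOG_MARK, APLOG_ERR, err, c,
+                              "gnutls_session_ticket_enable_server failed: %s (%d)",
+                              gnutls_strerror(err), err);
+        }
     }
 
@@ -731,4 +755,25 @@
     gnutls_handshake_set_post_client_hello_function(ctxt->session,
             mgs_select_virtual_server_cb);
+
+    /* If mod_gnutls is the TLS server, mgs_select_virtual_server_cb
+     * will load appropriate credentials during handshake. However,
+     * when handling a proxy backend connection, mod_gnutls acts as
+     * TLS client and credentials must be loaded here. */
+    if (ctxt->is_proxy == GNUTLS_ENABLED_TRUE)
+    {
+        /* Set anonymous client credentials for proxy connections */
+        gnutls_credentials_set(ctxt->session, GNUTLS_CRD_ANON,
+                               ctxt->sc->anon_client_creds);
+        /* Set x509 credentials */
+        gnutls_credentials_set(ctxt->session, GNUTLS_CRD_CERTIFICATE,
+                               ctxt->sc->certs);
+        /* Load priorities from the server configuration */
+        err = gnutls_priority_set(ctxt->session, ctxt->sc->priorities);
+        if (err != GNUTLS_E_SUCCESS)
+            ap_log_cerror(APLOG_MARK, APLOG_ERR, err, c,
+                          "%s: setting priorities for proxy connection failed: %s (%d)",
+                          __func__, gnutls_strerror(err), err);
+    }
+
     /* Initialize Session Cache */
     mgs_cache_session_init(ctxt);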
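Review bot: In the proxy branch at lines 762–776 nothing configures verification of the back end server's certificate, and because `GNUTLS_CRD_ANON` credentials are attached at 765–766 the session can end up with an anonymous key exchange if `ctxt->sc->priorities` permits one, so as written the back end is not authenticated; if verification is meant to happen after the handshake somewhere else, a comment here should point to it, otherwise a `/* TODO: the back end certificate is not verified yet; with anonymous or unverified x509 credentials the peer is not authenticated */` belongs next to the credentials calls. Separately, both branches of the 716–748 hunk keep using `ctxt->session` after a failed `gnutls_init` (line 725 calls `gnutls_session_ticket_enable_client` on it, line 742 the server equivalent), which mirrors the old code but now reports two errors for one failure; skipping the ticket setup, or bailing out, when `err != GNUTLS_E_SUCCESS` would be cleaner. The enclosing function starts and ends outside the hunk.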
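--- a/src/gnutls_io.c
+++ b/src/gnutls_io.c
@@ -405,5 +405,5 @@
             ap_log_error(APLOG_MARK, APLOG_INFO, 0,
                     ctxt->c->base_server,
-                    "GnuTLS: Hanshake Alert (%d) '%s'.",
+                    "GnuTLS: Handshake Alert (%d) '%s'.",
                     errcode,
                     gnutls_alert_get_name(errcode));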