Changeset f030883 in mod_gnutls


Timestamp:
Apr 9, 2015, 1:02:39 PM (4 years ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
debian/master, debian/stretch-backports, jessie-backports, master, upstream
Children:
73f6f12
Parents:
8b472af
Message:

Set GnuTLS priorities for proxy connections separately

Until now, proxy connections were configured with the same priorities as
the server side. This commit introduces the new configuration option
"GnuTLSProxyPriorities" to set the priorities for proxy connections
separately. Note that GnuTLSProxyPriorities MUST be set when
SSLProxyEngine is enabled.

Since the parameters to GnuTLSPriorities and GnuTLSProxyPriorities need
the same processing, mgs_set_priorities has been rewritten to select the
priority cache to write to based on the option name, rather than adding
a new function to handle GnuTLSProxyPriorities.

Files:
6 added
10 edited

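--- a/docs/mod_gnutls_manual.mdwn
+++ b/docs/mod_gnutls_manual.mdwn
@@ -480,4 +480,20 @@
 running as root, and does not need to be readable by the nobody or
 apache user.
+
+`GnuTLSProxyPriorities`
+------------------
+
+Set the allowed ciphers, key exchange algorithms, MACs and compression
+methods for proxy connections
+
+    GnuTLSProxyPriorities NORMAL:+CIPHER_0:+CIPHER_1:...:+CIPHER_N
+
+Default: *none*\
+Context: server config, virtual host
+
+This option is used to set the allowed ciphers, key exchange
+algorithms, MACs and compression methods for proxy connections. It
+takes the same parameters as `GnuTLSPriorities`. Required if
+`SSLProxyEngine` is `On`.
 
 * * * * *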
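--- a/include/mod_gnutls.h.in
+++ b/include/mod_gnutls.h.in
@@ -114,4 +114,6 @@
     const char* proxy_x509_ca_file;
     const char* proxy_x509_crl_file;
+    /* GnuTLS priorities for proxy connections */
+    gnutls_priority_t proxy_priorities;
     /* SRP Certificate Structure*/
     gnutls_srp_server_credentials_t srp_creds;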
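--- a/src/gnutls_config.c
+++ b/src/gnutls_config.c
@@ -578,20 +578,44 @@
 }
 
-const char *mgs_set_priorities(cmd_parms * parms, void *dummy __attribute__((unused)), const char *arg) {
-
-        int ret;
+
+
+/*
+ * Initialize a GnuTLS priorities cache from a configuration
+ * string. Used for GnuTLSPriorities and GnuTLSProxyPriorities.
+ */
+const char *mgs_set_priorities(cmd_parms * parms,
+                               void *dummy __attribute__((unused)),
+                               const char *arg)
+{
+    int ret;
     const char *err;
 
     mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
-                                                  ap_get_module_config(parms->server->module_config, &gnutls_module);
-
-    ret = gnutls_priority_init(&sc->priorities, arg, &err);
-
-    if (ret < 0) {
-        if (ret == GNUTLS_E_INVALID_REQUEST) {
+        ap_get_module_config(parms->server->module_config, &gnutls_module);
+
+    /* Setting a priority cache works the same no matter for which
+     * option. Just point the pointer at the right one. */
+    gnutls_priority_t *prio = NULL;
+    if (!strcasecmp(parms->directive->directive, "GnuTLSPriorities"))
+        prio = &sc->priorities;
+    else if (!strcasecmp(parms->directive->directive, "GnuTLSProxyPriorities"))
+        prio = &sc->proxy_priorities;
+    else
+        /* Can't happen unless there's a serious bug in mod_gnutls or Apache */
+        return apr_psprintf(parms->pool,
+                            "mod_gnutls: %s called for invalid option '%s'",
+                            __func__, parms->directive->directive);
+
+    ret = gnutls_priority_init(prio, arg, &err);
+    if (ret < 0)
+    {
+        if (ret == GNUTLS_E_INVALID_REQUEST)
             return apr_psprintf(parms->pool,
-                                                                "GnuTLS: Syntax error parsing priorities string at: %s", err);
-                }
-        return "Error setting priorities";
+                                "mod_gnutls: Syntax error parsing priorities "
+                                "string for %s at: %s",
+                                parms->directive->directive, err);
+        return  apr_psprintf(parms->pool,
+                             "Error setting priorities: %s (%d)",
+                             gnutls_strerror(ret), ret);
     }
 
@@ -636,4 +660,5 @@
     sc->proxy_x509_ca_file = NULL;
     sc->proxy_x509_crl_file = NULL;
+    sc->proxy_priorities = NULL;
     ret = gnutls_certificate_allocate_credentials(&sc->proxy_x509_creds);
     if (ret < 0)
@@ -716,4 +741,5 @@
     gnutls_srvconf_merge(proxy_x509_ca_file, NULL);
     gnutls_srvconf_merge(proxy_x509_crl_file, NULL);
+    gnutls_srvconf_merge(proxy_priorities, NULL);
 
     /* FIXME: the following items are pre-allocated, and should be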
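Review bot: The new mgs_set_priorities selects the target cache by strcasecmp on `parms->directive->directive`, which duplicates knowledge the command table already holds and is what forces the "Can't happen" error branch; passing a small tag in the cmd_data slot of each AP_INIT_RAW_ARGS entry (the NULL third argument in src/mod_gnutls.c) and reading it back as `parms->info` would make the dispatch table-driven. Separately, `ret = gnutls_priority_init(prio, arg, &err);` overwrites `*prio` unconditionally, so a repeated GnuTLSPriorities or GnuTLSProxyPriorities in the same server context leaks the cache created by the first occurrence; `if (*prio != NULL) gnutls_priority_deinit(*prio);` before the init would avoid that, given that the create hunk below initialises proxy_priorities to NULL (whether `priorities` starts out NULL is not visible in this diff). The function's success return lies past the end of the first hunk.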
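--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -463,4 +463,14 @@
             && sc->proxy_enabled == GNUTLS_ENABLED_TRUE)
         {
+            /* Check if the proxy priorities have been set */
+            if (sc->proxy_priorities == NULL)
+            {
+                ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s,
+                             "Host '%s:%d' is missing the "
+                             "GnuTLSProxyPriorities directive!",
+                             s->server_hostname, s->port);
+                exit(-1);
+            }
+            /* Set up proxy credentials */
             load_proxy_x509_credentials(s);
         }
@@ -826,8 +836,9 @@
                                ctxt->sc->proxy_x509_creds);
         /* Load priorities from the server configuration */
-        err = gnutls_priority_set(ctxt->session, ctxt->sc->priorities);
+        err = gnutls_priority_set(ctxt->session, ctxt->sc->proxy_priorities);
         if (err != GNUTLS_E_SUCCESS)
             ap_log_cerror(APLOG_MARK, APLOG_ERR, err, c,
-                          "%s: setting priorities for proxy connection failed: %s (%d)",
+                          "%s: setting priorities for proxy connection "
+                          "failed: %s (%d)",
                           __func__, gnutls_strerror(err), err);
     }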
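Review bot: The new startup check in the first hunk aborts with `exit(-1)` after logging the missing GnuTLSProxyPriorities directive, which terminates httpd from inside a module without going through Apache's normal hook failure path and passes a non-portable status value; if the enclosing function (its start is outside the hunk) is the post_config hook, `return HTTP_INTERNAL_SERVER_ERROR;` is the conventional way to stop startup, and otherwise `exit(EXIT_FAILURE)` at least yields a well-defined status. I cannot tell from the hunk whether neighbouring checks already use exit(-1), in which case matching them is defensible but worth a follow-up for the whole function. In the second hunk `gnutls_priority_set(ctxt->session, ctxt->sc->proxy_priorities)` relies on that startup check having run for every host that reaches the proxy client path; a comment such as `/* proxy_priorities was verified non-NULL at startup for proxy-enabled hosts */` above it would make the dependency explicit.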
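--- a/src/mod_gnutls.c
+++ b/src/mod_gnutls.c
@@ -240,4 +240,9 @@
     RSRC_CONF,
     "X509 CRL file for proxy connections"),
+    AP_INIT_RAW_ARGS("GnuTLSProxyPriorities", mgs_set_priorities,
+    NULL,
+    RSRC_CONF,
+    "The priorities to enable for proxy connections (ciphers, key exchange, "
+    "MACs, compression)."),
     { NULL },
 };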
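--- a/test/Makefile.am
+++ b/test/Makefile.am
@@ -23,5 +23,6 @@
         test-20_TLS_reverse_proxy_client_auth.bash \
         test-21_TLS_reverse_proxy_wrong_cert.bash \
-        test-22_TLS_reverse_proxy_crl_revoke.bash
+        test-22_TLS_reverse_proxy_crl_revoke.bash \
+        test-23_TLS_reverse_proxy_mismatched_priorities.bash
 
 clean-local: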
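--- a/test/tests/19_TLS_reverse_proxy/apache.conf
+++ b/test/tests/19_TLS_reverse_proxy/apache.conf
@@ -15,4 +15,5 @@
  SSLProxyEngine On
  GnuTLSProxyCAFile      authority/x509.pem
+ GnuTLSProxyPriorities          NORMAL
  ProxyPass /proxy/ https://${BACKEND_HOST}:${BACKEND_PORT}/
  ProxyPassReverse /proxy/ https://${BACKEND_HOST}:${BACKEND_PORT}/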
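--- a/test/tests/20_TLS_reverse_proxy_client_auth/apache.conf
+++ b/test/tests/20_TLS_reverse_proxy_client_auth/apache.conf
@@ -17,4 +17,5 @@
  GnuTLSProxyCertificateFile     client/x509.pem
  GnuTLSProxyCAFile              authority/x509.pem
+ GnuTLSProxyPriorities          NORMAL
  ProxyPass /proxy/ https://${BACKEND_HOST}:${BACKEND_PORT}/
  ProxyPassReverse /proxy/ https://${BACKEND_HOST}:${BACKEND_PORT}/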
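--- a/test/tests/21_TLS_reverse_proxy_wrong_cert/apache.conf
+++ b/test/tests/21_TLS_reverse_proxy_wrong_cert/apache.conf
@@ -15,4 +15,5 @@
  SSLProxyEngine On
  GnuTLSProxyCAFile      authority/x509.pem
+ GnuTLSProxyPriorities  NORMAL
  ProxyPass /proxy/ https://${BACKEND_HOST}:${BACKEND_PORT}/
  ProxyPassReverse /proxy/ https://${BACKEND_HOST}:${BACKEND_PORT}/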
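--- a/test/tests/22_TLS_reverse_proxy_crl_revoke/apache.conf
+++ b/test/tests/22_TLS_reverse_proxy_crl_revoke/apache.conf
@@ -16,4 +16,5 @@
  GnuTLSProxyCAFile      authority/x509.pem
  GnuTLSProxyCRLFile     ${PWD}/crl.pem
+ GnuTLSProxyPriorities  NORMAL
  ProxyPass /proxy/ https://${BACKEND_HOST}:${BACKEND_PORT}/
  ProxyPassReverse /proxy/ https://${BACKEND_HOST}:${BACKEND_PORT}/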