Changeset f030883 in mod_gnutls
- Timestamp:
- Apr 9, 2015, 1:02:39 PM (7 years ago)
- Branches:
- asyncio, debian/master, debian/stretch-backports, jessie-backports, master, proxy-ticket, upstream
- Children:
- 73f6f12
- Parents:
- 8b472af
- Files:
-
- 6 added
- 10 edited
docs/mod_gnutls_manual.mdwn
r8b472af rf030883 480 480 running as root, and does not need to be readable by the nobody or 481 481 apache user. 482 483 `GnuTLSProxyPriorities` 484 ------------------ 485 486 Set the allowed ciphers, key exchange algorithms, MACs and compression 487 methods for proxy connections 488 489 GnuTLSProxyPriorities NORMAL:+CIPHER_0:+CIPHER_1:...:+CIPHER_N 490 491 Default: *none*\ 492 Context: server config, virtual host 493 494 This option is used to set the allowed ciphers, key exchange 495 algorithms, MACs and compression methods for proxy connections. It 496 takes the same parameters as `GnuTLSPriorities`. Required if 497 `SSLProxyEngine` is `On`. 482 498 483 499 * * * * * -
include/mod_gnutls.h.in
r8b472af rf030883 114 114 const char* proxy_x509_ca_file; 115 115 const char* proxy_x509_crl_file; 116 /* GnuTLS priorities for proxy connections */ 117 gnutls_priority_t proxy_priorities; 116 118 /* SRP Certificate Structure*/ 117 119 gnutls_srp_server_credentials_t srp_creds; -
src/gnutls_config.c
r8b472af rf030883 578 578 } 579 579 580 const char *mgs_set_priorities(cmd_parms * parms, void *dummy __attribute__((unused)), const char *arg) { 581 582 int ret; 580 581 582 /* 583 * Initialize a GnuTLS priorities cache from a configuration 584 * string. Used for GnuTLSPriorities and GnuTLSProxyPriorities. 585 */ 586 const char *mgs_set_priorities(cmd_parms * parms, 587 void *dummy __attribute__((unused)), 588 const char *arg) 589 { 590 int ret; 583 591 const char *err; 584 592 585 593 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) 586 ap_get_module_config(parms->server->module_config, &gnutls_module); 587 588 ret = gnutls_priority_init(&sc->priorities, arg, &err); 589 590 if (ret < 0) { 591 if (ret == GNUTLS_E_INVALID_REQUEST) { 594 ap_get_module_config(parms->server->module_config, &gnutls_module); 595 596 /* Setting a priority cache works the same no matter for which 597 * option. Just point the pointer at the right one. */ 598 gnutls_priority_t *prio = NULL; 599 if (!strcasecmp(parms->directive->directive, "GnuTLSPriorities")) 600 prio = &sc->priorities; 601 else if (!strcasecmp(parms->directive->directive, "GnuTLSProxyPriorities")) 602 prio = &sc->proxy_priorities; 603 else 604 /* Can't happen unless there's a serious bug in mod_gnutls or Apache */ 605 return apr_psprintf(parms->pool, 606 "mod_gnutls: %s called for invalid option '%s'", 607 __func__, parms->directive->directive); 608 609 ret = gnutls_priority_init(prio, arg, &err); 610 if (ret < 0) 611 { 612 if (ret == GNUTLS_E_INVALID_REQUEST) 592 613 return apr_psprintf(parms->pool, 593 "GnuTLS: Syntax error parsing priorities string at: %s", err); 594 } 595 return "Error setting priorities"; 614 "mod_gnutls: Syntax error parsing priorities " 615 "string for %s at: %s", 616 parms->directive->directive, err); 617 return apr_psprintf(parms->pool, 618 "Error setting priorities: %s (%d)", 619 gnutls_strerror(ret), ret); 596 620 } 597 621 … … 636 660 sc->proxy_x509_ca_file = NULL; 637 661 sc->proxy_x509_crl_file = 
NULL; 662 sc->proxy_priorities = NULL; 638 663 ret = gnutls_certificate_allocate_credentials(&sc->proxy_x509_creds); 639 664 if (ret < 0) … … 716 741 gnutls_srvconf_merge(proxy_x509_ca_file, NULL); 717 742 gnutls_srvconf_merge(proxy_x509_crl_file, NULL); 743 gnutls_srvconf_merge(proxy_priorities, NULL); 718 744 719 745 /* FIXME: the following items are pre-allocated, and should be -
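Review bot: In the directive dispatch of mgs_set_priorities, the final `else` branch carries both a comment and a multi-line `return apr_psprintf(...)` with no braces, which is easy to misread and is not parallel with the two braced-style branches above it and the `if (ret < 0)` block below; wrapping it as `else {` … `}` makes the three arms read alike. That `if (ret < 0)` also puts its opening brace on its own line while the surrounding code in this file uses K&R braces on the same line. Separately, `gnutls_priority_init(prio, arg, &err)` overwrites `*prio` unconditionally, so a repeated GnuTLSPriorities or GnuTLSProxyPriorities directive in the same context would presumably leak the earlier cache — if that is the case, a `gnutls_priority_deinit(*prio)` on a non-NULL `*prio` before the init, or a comment stating that repetition is unsupported, would document the contract. mgs_set_priorities continues past the end of this hunk.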
src/gnutls_hooks.c
r8b472af rf030883 463 463 && sc->proxy_enabled == GNUTLS_ENABLED_TRUE) 464 464 { 465 /* Check if the proxy priorities have been set */ 466 if (sc->proxy_priorities == NULL) 467 { 468 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, 469 "Host '%s:%d' is missing the " 470 "GnuTLSProxyPriorities directive!", 471 s->server_hostname, s->port); 472 exit(-1); 473 } 474 /* Set up proxy credentials */ 465 475 load_proxy_x509_credentials(s); 466 476 } … … 826 836 ctxt->sc->proxy_x509_creds); 827 837 /* Load priorities from the server configuration */ 828 err = gnutls_priority_set(ctxt->session, ctxt->sc->pr iorities);838 err = gnutls_priority_set(ctxt->session, ctxt->sc->proxy_priorities); 829 839 if (err != GNUTLS_E_SUCCESS) 830 840 ap_log_cerror(APLOG_MARK, APLOG_ERR, err, c, 831 "%s: setting priorities for proxy connection failed: %s (%d)", 841 "%s: setting priorities for proxy connection " 842 "failed: %s (%d)", 832 843 __func__, gnutls_strerror(err), err); 833 844 } -
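Review bot: The new missing-directive check around line 466 ends in `exit(-1)`, which terminates the process with status 255 and bypasses Apache's own shutdown path rather than reporting the failure through the hook. If the enclosing function is a post-config hook returning int (it starts outside the hunk), `return HTTP_INTERNAL_SERVER_ERROR;` after the `ap_log_error` call would refuse startup just as firmly while letting the server log and clean up normally; if `exit(-1)` mirrors existing error handling elsewhere in this function, a short comment saying so would stop the next reader from changing it. The fail-closed behaviour itself — refusing to run a proxy host without an explicit priority cache — is the right default and worth keeping.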
src/mod_gnutls.c
r8b472af rf030883 240 240 RSRC_CONF, 241 241 "X509 CRL file for proxy connections"), 242 AP_INIT_RAW_ARGS("GnuTLSProxyPriorities", mgs_set_priorities, 243 NULL, 244 RSRC_CONF, 245 "The priorities to enable for proxy connections (ciphers, key exchange, " 246 "MACs, compression)."), 242 247 { NULL }, 243 248 }; -
test/Makefile.am
r8b472af rf030883 23 23 test-20_TLS_reverse_proxy_client_auth.bash \ 24 24 test-21_TLS_reverse_proxy_wrong_cert.bash \ 25 test-22_TLS_reverse_proxy_crl_revoke.bash 25 test-22_TLS_reverse_proxy_crl_revoke.bash \ 26 test-23_TLS_reverse_proxy_mismatched_priorities.bash 26 27 27 28 clean-local: -
test/tests/19_TLS_reverse_proxy/apache.conf
r8b472af rf030883 15 15 SSLProxyEngine On 16 16 GnuTLSProxyCAFile authority/x509.pem 17 GnuTLSProxyPriorities NORMAL 17 18 ProxyPass /proxy/ https://${BACKEND_HOST}:${BACKEND_PORT}/ 18 19 ProxyPassReverse /proxy/ https://${BACKEND_HOST}:${BACKEND_PORT}/ -
test/tests/20_TLS_reverse_proxy_client_auth/apache.conf
r8b472af rf030883 17 17 GnuTLSProxyCertificateFile client/x509.pem 18 18 GnuTLSProxyCAFile authority/x509.pem 19 GnuTLSProxyPriorities NORMAL 19 20 ProxyPass /proxy/ https://${BACKEND_HOST}:${BACKEND_PORT}/ 20 21 ProxyPassReverse /proxy/ https://${BACKEND_HOST}:${BACKEND_PORT}/ -
test/tests/21_TLS_reverse_proxy_wrong_cert/apache.conf
r8b472af rf030883 15 15 SSLProxyEngine On 16 16 GnuTLSProxyCAFile authority/x509.pem 17 GnuTLSProxyPriorities NORMAL 17 18 ProxyPass /proxy/ https://${BACKEND_HOST}:${BACKEND_PORT}/ 18 19 ProxyPassReverse /proxy/ https://${BACKEND_HOST}:${BACKEND_PORT}/ -
test/tests/22_TLS_reverse_proxy_crl_revoke/apache.conf
r8b472af rf030883 16 16 GnuTLSProxyCAFile authority/x509.pem 17 17 GnuTLSProxyCRLFile ${PWD}/crl.pem 18 GnuTLSProxyPriorities NORMAL 18 19 ProxyPass /proxy/ https://${BACKEND_HOST}:${BACKEND_PORT}/ 19 20 ProxyPassReverse /proxy/ https://${BACKEND_HOST}:${BACKEND_PORT}/