Hi all,
here are now the real new features for the release step 2.3.X -> 2.4.X -
sorry for the delay, but because most of them are related to GUI
security, the testing has taken longer than I expected.
Short description of the new functions:
- certificates can be used for GUI authentication
- SSL-listeners can be completely customized by callback configurations
- all destination hosts can be connected via native SSL
fixed in assp 2.4.2 build 14068:
- the DMARC logging is now reduced to a normal state
- direct http requests to download or edit any certificate or key file are
now blocked for all users except 'root'
changed:
The following text has been added to the descriptions of these
configuration options:
'smtpDestination','smtpDestinationSSL','smtpAuthServer','relayHost','EmailReportDestination':
If you need to connect to the SMTP destination host using native SSL,
write 'SSL:' in front of the IP/host definition.
In this case the Perl module IO::Socket::SSL must be installed and enabled
( useIOSocketSSL ).
A new ASSP-MIB file is released for this version.
added:
'syncUsesSSL','SSL is used for the Sync SMTP Transport'
'If selected, SSL will be used for the transport of the synchronisation
requests. In this case the target ip:port of all peers must be its
listenPortSSL! The Perl modules Net::SMTP::SSL and IO::Socket::SSL must be
installed and enabled if this option is selected, otherwise all
synchronisation requests will fail!'
'webSSLRequireCientCert','Client requires valid SSL Certificate for GUI
Requests'
'If enabled and enableWebAdminSSL is set to ON, each browser session is
forced to provide a valid SSL client certificate. If no certificate is
provided by the client, the connection will fail! To extend the
verification of the certificate, use SSLWEBCertVerifyCB. By default
'SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_CLIENT_ONCE'
is used.
To create a PKCS12 file from the PEM formatted cert and key file you can
use openssl, like:
openssl pkcs12 -export -clcerts -in client.pem -inkey client.key -out client.p12
The file client.p12 can now be imported into your browser.
!!! Install a valid certificate into your browser BEFORE you enable
this option - otherwise the GUI will become inaccessible !!!
NOTICE: This option will not work if you use any self signed
certificate!
'SSLWEBCertVerifyCB','CallBack to Verify Client Certificates for GUI
Connections'
'If used, assp will call the defined subroutine as
SSL->SSL_verify_callback in an eval closure, submitting
the original ARRAY of parameters (see the IO::Socket::SSL
documentation).
The subroutine has to return 1 on certificate verification success,
otherwise 0.
You can use/modify the module lib/CorrectASSPcfg.pm to implement your
code. For example:
sub checkWebSSLCert {
    my ($OpenSSLSays,$CertStackPtr,$DN,$OpenSSLError,$Cert) = @_;
    my $subject = Net::SSLeay::X509_NAME_oneline(Net::SSLeay::X509_get_subject_name($Cert));
    my $chain = Net::SSLeay::PEM_get_string_X509($Cert);
    # ...any code...
    my $success = eval{verify($Cert);};     # your own verification routine
    return $OpenSSLSays if $@;
    my $user = eval{get_owner($Cert);};     # map the certificate to a GUI user
    return $OpenSSLSays if $@;
    my $pass = get_pass($user);
    @main::ExtWebAuth = ($user,$pass);
    return $success;
}
Now, if you set this parameter to 'CorrectASSPcfg::checkWebSSLCert',
assp will call
CorrectASSPcfg::checkWebSSLCert->(@_);
The variable '@main::ExtWebAuth' can be used to authenticate the user
to the GUI based on the certificate used.
The username must be provided as the first element of the array. The
password could be provided as the second element of the array - this is
not recommended and it is not required! If the used certificate is valid
and a known admin username (root is provided) is stored as the first
element in '@main::ExtWebAuth', the user will be automatically
logged on to the GUI.
NOTICE: This option will not work if you use any self signed
certificate!
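A fuller version of such a verify callback, added here as an example and not part of ASSP or of the CorrectASSPcfg.pm shipped with it: it never overrides OpenSSL's own verdict, only looks at the leaf certificate, maps the subject CN to an allowlisted admin name and stores the username alone in @main::ExtWebAuth. The allowlist, the helpers cn_from_subject/user_from_subject and the sixth $depth argument (passed by newer IO::Socket::SSL versions, absent in older ones) are assumptions of this example.

```perl
package CorrectASSPcfg;    # hypothetical drop-in for lib/CorrectASSPcfg.pm
use strict;
use warnings;
use Net::SSLeay;

# Constructed allowlist: GUI admin names that may log on by certificate.
my %cert_admin = map { $_ => 1 } qw(root);

# Extract the CN from an OpenSSL "oneline" subject such as
# "/C=DE/O=Example/CN=root". Returns undef if there is no CN.
sub cn_from_subject {
    my ($subject) = @_;
    return undef unless defined $subject;
    return $subject =~ m{/CN=([^/]+)} ? $1 : undef;
}

# Map a subject to a GUI user: only an exact, allowlisted CN is accepted.
sub user_from_subject {
    my ($subject) = @_;
    my $cn = cn_from_subject($subject);
    return (defined $cn && $cert_admin{$cn}) ? $cn : undef;
}

# Called by IO::Socket::SSL as SSL_verify_callback, once per certificate in
# the client's chain, with:
#   $ok     OpenSSL's own verdict for this certificate
#   $ctx    address of the certificate store (unused here)
#   $dn     issuer/subject string built by IO::Socket::SSL
#   $error  OpenSSL error string, 0 if none
#   $cert   address of the X509 being verified
#   $depth  0 for the leaf, >0 for CA certificates (newer IO::Socket::SSL only)
sub checkWebSSLCert {
    my ($ok, $ctx, $dn, $error, $cert, $depth) = @_;

    # Never override OpenSSL: an expired, unsigned or revoked certificate
    # stays rejected no matter what its subject says.
    return 0 unless $ok;

    # CA certificates carry no user identity; accept them as OpenSSL did.
    return 1 if defined $depth && $depth > 0;

    my $subject = eval {
        Net::SSLeay::X509_NAME_oneline(Net::SSLeay::X509_get_subject_name($cert));
    };
    return 0 if $@ || !defined $subject;

    my $user = user_from_subject($subject);
    if (!defined $user) {
        # Not an admin certificate. With a known depth this is the leaf, so
        # reject it; without depth information (older IO::Socket::SSL) this
        # may be a CA certificate, so leave OpenSSL's verdict untouched and
        # let the user fall back to the normal password login.
        return defined $depth ? 0 : $ok;
    }

    # Username only; a password is neither required nor recommended.
    @main::ExtWebAuth = ($user);
    return 1;
}

1;
```

Set SSLWEBCertVerifyCB to 'CorrectASSPcfg::checkWebSSLCert' as described above. Rejecting a valid but unknown certificate at the handshake is a policy choice of this example; returning $ok in that branch instead keeps the connection and leaves the user to the regular GUI login.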
'SSLWEBConfigure','Call to Configure SSL-Listener-Parameters for GUI
Connections'
'If used, assp will call the defined subroutine in an eval closure,
submitting a reference to the assp predefined
SSL-Socket-Configuration-HASH.
The HASH can be modified in place to your needs - please read the
documentation of IO::Socket::SSL, Net::SSLeay and OpenSSL. Return values
are ignored.
You can use/modify the module lib/CorrectASSPcfg.pm to implement your
code. For example:
sub configWebSSL {
    my $parms = shift;             # reference to the SSL socket configuration hash
    $parms->{timeout} = 10;
    $parms->{SSL_check_crl} = 1;   # check client certificates against a CRL
    $parms->{SSL_crl_file} = '/assp/certs/crl/crllist.pem';
    return;                        # return value is ignored
}
Now, if you set this parameter to 'CorrectASSPcfg::configWebSSL', assp
will call
CorrectASSPcfg::configWebSSL->(\%sslparms);
NOTICE: This option will not work if you use any self signed
certificate!
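An extended configure callback, again an added example rather than ASSP's own code, that applies the CRL settings from the description above only when the CRL file is actually readable (once SSL_check_crl is on, a missing or unreadable SSL_crl_file makes every GUI handshake fail) and additionally pins the listener to TLS. The path, the helper ssl_listener_overrides and the extra SSL_version / SSL_honor_cipher_order settings are assumptions of this example.

```perl
package CorrectASSPcfg;    # hypothetical drop-in for lib/CorrectASSPcfg.pm
use strict;
use warnings;

# Constructed path; point this at the CRL your CA publishes.
my $crl_file = '/assp/certs/crl/crllist.pem';

# Compute the overrides for the listener hash. Kept separate from the
# callback so the result can be inspected without a live listener.
sub ssl_listener_overrides {
    my ($crl) = @_;
    $crl = '' unless defined $crl;
    my %o = (
        timeout                => 10,
        SSL_version            => 'SSLv23:!SSLv2:!SSLv3',   # TLS only
        SSL_honor_cipher_order => 1,                         # server picks the cipher
    );
    if (-r $crl) {
        # Revocation checking needs a readable CRL; with SSL_check_crl set
        # and the file missing, every GUI handshake would fail.
        $o{SSL_check_crl} = 1;
        $o{SSL_crl_file}  = $crl;
    } else {
        warn "configWebSSL: CRL file '$crl' not readable, revocation checking stays off\n";
    }
    return %o;
}

# Called by assp with a reference to its predefined SSL configuration hash;
# values are applied in place, the return value is ignored.
sub configWebSSL {
    my $parms = shift;
    my %o = ssl_listener_overrides($crl_file);
    $parms->{$_} = $o{$_} for keys %o;
    return;
}

1;
```

Both callbacks in this and the previous example belong in the same lib/CorrectASSPcfg.pm, so in a real file the package line and the use statements appear only once. The warn call is a stand-in for whatever logging the installation uses; the point is that silently running without revocation checks should at least be visible in the log.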
'statSSLRequireClientCert','Client requires valid SSL Certificate for STAT
Requests'
'If enabled and enableWebStatSSL is set to ON, each session is forced to
provide a valid SSL client certificate.
If no certificate is provided by the client, the connection will fail!
To extend the verification of the certificate, use SSLSTATCertVerifyCB.
By default
'SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_CLIENT_ONCE'
is used.
NOTICE: This option will not work if you use any self signed
certificate!
'SSLSTATCertVerifyCB','CallBack to Verify Client Certificates for STAT
Connections'
'Please read the description of SSLWEBCertVerifyCB.
NOTICE: This option will not work if you use any self signed
certificate!
'SSLSTATConfigure','Call to Configure SSL-Listener-Parameters for STAT
Connections'
'If used, assp will call the defined subroutine in an eval closure,
submitting a reference to the assp predefined
SSL-Socket-Configuration-HASH.
Please follow the description for SSLWEBConfigure.
NOTICE: This option will not work if you use any self signed
certificate!
'smtpSSLRequireClientCert','Client requires valid SSL Certificate for SMTP
SSL Connections'
'If enabled, each client or server requesting a connection at the
listenPortSSL requires a valid SSL client certificate. If no certificate
is provided by the client, the connection will fail! To extend the
verification of the certificate, use SSLSMTPCertVerifyCB. By default
'SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_CLIENT_ONCE'
is used.
NOTICE: This option will not work if you use any self signed
certificate!
'SSLSMTPCertVerifyCB','CallBack to Verify Client Certificates for SMTP
Connections'
'Please read the description of SSLWEBCertVerifyCB.
NOTICE: This option will not work if you use any self signed
certificate!
'SSLSMTPConfigure','Call to Configure SSL-Listener-Parameters for SMTP
Connections'
'If used, assp will call the defined subroutine in an eval closure,
submitting a reference to the assp predefined
SSL-Socket-Configuration-HASH.
Please follow the description for SSLWEBConfigure.
NOTICE: This option will not work if you use any self signed
certificate!
Thomas
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test