paziz pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new a62437a Permissive mode for server verification
a62437a is described below
commit a62437a092bb4de6b94f504fad28d9c562774f30
Author: Persia Aziz <[email protected]>
AuthorDate: Thu May 25 14:17:11 2017 -0500
Permissive mode for server verification
---
iocore/net/SSLClientUtils.cc | 32 ++++++++++++++++++++++----------
mgmt/RecordsConfig.cc | 2 +-
proxy/http/HttpSM.cc | 5 -----
3 files changed, 23 insertions(+), 16 deletions(-)
diff --git a/iocore/net/SSLClientUtils.cc b/iocore/net/SSLClientUtils.cc
index f7af713..58df52f 100644
--- a/iocore/net/SSLClientUtils.cc
+++ b/iocore/net/SSLClientUtils.cc
@@ -42,30 +42,37 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
int depth;
int err;
SSL *ssl;
- SSLNetVConnection *netvc;
SSLDebug("Entered verify cb");
depth = X509_STORE_CTX_get_error_depth(ctx);
cert = X509_STORE_CTX_get_current_cert(ctx);
err = X509_STORE_CTX_get_error(ctx);
+ /*
+ * Retrieve the pointer to the SSL of the connection currently treated
+ * and the application specific data stored into the SSL object.
+ */
+ ssl = static_cast<SSL
*>(X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()));
+ SSLNetVConnection *netvc = SSLNetVCAccess(ssl);
if (!preverify_ok) {
// Don't bother to check the hostname if we failed openssl's verification
SSLDebug("verify error:num=%d:%s:depth=%d", err,
X509_verify_cert_error_string(err), depth);
+ if (netvc && netvc->options.clientVerificationFlag == 2) {
+ if (netvc->options.sni_servername)
+ Warning("Hostname verification failed for (%s) but still continuing
with the connection establishment",
+ netvc->options.sni_servername.get());
+ else
+ Warning("Server certificate verification failed but still continuing
with the connection establishment");
+ return 1;
+ }
return preverify_ok;
}
-
if (depth != 0) {
// Not server cert....
return preverify_ok;
}
- // Retrieve the pointer to the SSL of the connection currently treated
- // and the application specific data stored into the SSL object.
- ssl = static_cast<SSL *>(X509_STORE_CTX_get_ex_data(ctx,
SSL_get_ex_data_X509_STORE_CTX_idx()));
- netvc = SSLNetVCAccess(ssl);
-
- if (netvc != nullptr) {
+ if (netvc) {
// Match SNI if present
if (netvc->options.sni_servername) {
char *matched_name = nullptr;
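Review bot: The Warning added inside the `!preverify_ok` branch says "Hostname verification failed", but that branch is entered when OpenSSL's own chain verification has failed (the `err` read from X509_STORE_CTX_get_error), before any hostname matching has happened, and the actual reason is only emitted at SSLDebug level. An operator running in permissive mode therefore gets a misleading message with no cause, which is exactly the information needed to decide whether the bypass is acceptable; suggest carrying the error into the warning, e.g. `Warning("Server certificate verification failed for (%s) (%s at depth %d) but still continuing with the connection establishment", netvc->options.sni_servername.get(), X509_verify_cert_error_string(err), depth);` with the same additions in the no-SNI message. Returning 1 here accepts the chain regardless of which check failed or at which depth, so this warning may presumably be emitted more than once per handshake if several certificates in the chain fail. verify_callback begins before this hunk.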
@@ -74,7 +81,7 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
ats_free(matched_name);
return preverify_ok;
}
- SSLDebug("Hostname verification failed for (%s)",
netvc->options.sni_servername.get());
+ Warning("Hostname verification failed for (%s)",
netvc->options.sni_servername.get());
}
// Otherwise match by IP
else {
@@ -84,7 +91,12 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
SSLDebug("IP %s verified OK", buff);
return preverify_ok;
}
- SSLDebug("IP verification failed for (%s)", buff);
+ Warning("IP verification failed for (%s)", buff);
+ }
+ if (netvc->options.clientVerificationFlag == 2) {
+ Warning("Server certificate verification failed but continuing with the
connection establishment:%s",
+ netvc->options.sni_servername.get());
+ return preverify_ok;
}
return 0;
}
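Review bot: The Warning in the new `clientVerificationFlag == 2` block passes `netvc->options.sni_servername.get()` to `%s` unconditionally, yet the block is reached from the IP-matching branch as well, where sni_servername is not set, so the format argument can be a null pointer there. The first hunk of this file guards the equivalent message with an if/else on sni_servername; this block should do the same or drop the name when it is absent. The following `return preverify_ok;` is always 1 at this point, since the `!preverify_ok` case returned earlier, so `return 1;` would state the intent more plainly. verify_callback begins before this hunk.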
diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
index 8ecd3ee..762029a 100644
--- a/mgmt/RecordsConfig.cc
+++ b/mgmt/RecordsConfig.cc
@@ -1158,7 +1158,7 @@ static const RecordElement RecordsConfig[] =
,
{RECT_CONFIG, "proxy.config.ssl.CA.cert.path", RECD_STRING,
TS_BUILD_SYSCONFDIR, RECU_RESTART_TS, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
,
- {RECT_CONFIG, "proxy.config.ssl.client.verify.server", RECD_INT, "0",
RECU_DYNAMIC, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
+ {RECT_CONFIG, "proxy.config.ssl.client.verify.server", RECD_INT, "0",
RECU_DYNAMIC, RR_NULL, RECC_INT, "[0-2]", RECA_NULL}
,
{RECT_CONFIG, "proxy.config.ssl.client.cert.filename", RECD_STRING, nullptr,
RECU_RESTART_TS, RR_NULL, RECC_STR, "^[^[:space:]]*$", RECA_NULL}
,
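Review bot: Widening the accepted range of proxy.config.ssl.client.verify.server to `[0-2]` introduces a value whose meaning (accept the server certificate despite a failed verification, logging a warning) is not described anywhere in this commit, and the diffstat shows no documentation change. Suggest a comment next to the record, e.g. `// 0 = off, 1 = verify server cert, 2 = permissive: log verification failures but keep the connection`, and an entry in the records.config documentation stating that mode 2 disables the protection that mode 1 provides. The RecordsConfig array begins and ends outside this hunk.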
diff --git a/proxy/http/HttpSM.cc b/proxy/http/HttpSM.cc
index 4c6d3f4..c3b57ad 100644
--- a/proxy/http/HttpSM.cc
+++ b/proxy/http/HttpSM.cc
@@ -5279,11 +5279,6 @@ HttpSM::handle_http_server_open()
// server session's first transaction.
if (nullptr != server_session) {
NetVConnection *vc = server_session->get_netvc();
-
- // SSLNetVConnection *ssl_vc = dynamic_cast<SSLNetVConnection *>(vc);
- // if (ssl_vc) {
- //
ssl_vc->setClientVerifyEnable(t_state.txn_conf->ssl_client_verify_server);
- // }
if (vc != NULL && (vc->options.sockopt_flags !=
t_state.txn_conf->sock_option_flag_out ||
vc->options.packet_mark !=
t_state.txn_conf->sock_packet_mark_out ||
vc->options.packet_tos !=
t_state.txn_conf->sock_packet_tos_out ||
--