[luci] server certificate verification with luci/httpclient
Bart Van Der Meerssche
bart.vandermeerssche at flukso.net
Wed Jun 2 12:51:45 CEST 2010
Hi list,
I managed to get server certificate validation working against cyassl
with this patch:
Index: libs/nixio/src/tls-context.c
===================================================================
--- libs/nixio/src/tls-context.c (revision 6186)
+++ libs/nixio/src/tls-context.c (working copy)
@@ -65,10 +65,6 @@
return luaL_error(L, "unable to create TLS context");
}
-#ifdef WITH_CYASSL
- SSL_CTX_set_verify(*ctx, SSL_VERIFY_NONE, NULL);
-#endif
-
return 1;
}
@@ -131,6 +127,14 @@
SSL_CTX_use_certificate_file(ctx, cert, ktype));
}
+static int nixio_tls_ctx_set_verify_locations(lua_State *L) {
+ SSL_CTX *ctx = nixio__checktlsctx(L);
+ const char *CAfile = luaL_optstring(L, 2, NULL);
+ const char *CApath = luaL_optstring(L, 3, NULL);
+
+ return nixio__tls_pstatus(L, SSL_CTX_load_verify_locations(ctx,
CAfile, CApath));
+}
+
static int nixio_tls_ctx_set_key(lua_State *L) {
SSL_CTX *ctx = nixio__checktlsctx(L);
const char *cert = luaL_checkstring(L, 2);
@@ -203,6 +207,7 @@
/* ctx function table */
static const luaL_reg CTX_M[] = {
{"set_cert", nixio_tls_ctx_set_cert},
+ {"set_verify_locations", nixio_tls_ctx_set_verify_locations},
{"set_key", nixio_tls_ctx_set_key},
{"set_ciphers", nixio_tls_ctx_set_ciphers},
{"set_verify", nixio_tls_ctx_set_verify},
Notes:
1/ I can't seem pinpoint the reason why the '#ifdef WITH_CYASSL' check
should be omitted for the validation to work properly. Setting the
validation to 'peer' in Lua code does not work when this #ifdef is
included in the library.
2/ There is an error defining SSL_FILETYPE_PEM and SSL_FILETYPE_ASN1 in
ssh.h for cyassl:
./include/openssl/ssl.h:432: SSL_FILETYPE_PEM = 11,
./include/openssl/ssl.h:431: SSL_FILETYPE_ASN1 = 10,
While openssl (and nixio.tls) expect:
./include/openssl/ssl.h:340:#define SSL_FILETYPE_ASN1 X509_FILETYPE_ASN1
./include/openssl/ssl.h:341:#define SSL_FILETYPE_PEM X509_FILETYPE_PEM
./include/openssl/x509.h:122:#define X509_FILETYPE_PEM 1
./include/openssl/x509.h:123:#define X509_FILETYPE_ASN1 2
This means that nixio's tls:set_cert and tls:set_key are not likely to
work with cyassl.
3/ Cyassl's SSL_CTX_load_verify_locations will only work with a CAfile
being specified. CApath is ignored. Furthermore, cyassl will only load
the first certificate in the bundle. Specifying a certificate chain by
putting all certificates in a cacert-type bundle and pointing to this
file with SSL_CTX_load_verify_locations will not work. With openssl, it
does.
Cheers,
Bart.
Bart Van Der Meerssche wrote:
> Hi Jow,
>
> I've recompiled Backfire with openssl as LuCI TLS provider and
> openssl-utils enabled. The server certificate validation succeeds with
> the openssl utility command.
> root at OpenWrt:~# openssl s_client -connect api.flukso.net:443 -certform
> PEM -CAfile /etc/ssl/cacert.pem -msg -state -tls1
>
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS NOT supported
> Compression: zlib compression
> Expansion: zlib compression
> SSL-Session:
> Protocol : TLSv1
> Cipher : DHE-RSA-AES256-SHA
> Session-ID: [...]
> Session-ID-ctx:
> Master-Key: [...]
> Key-Arg : None
> TLS session ticket: [...]
> Compression: 1 (zlib compression)
> Start Time: 1275158096
> Timeout : 7200 (sec)
> Verify return code: 0 (ok)
> ---
>
> Since the -CAfile switch uses SSL_CTX_load_verify_locations to load the
> sequence of CA certificates contained in cacert.pem, I've added the
> method to the tls-context.c bindings. I'm including the patch against
> LuCI trunk inline:
>
> Index: tls-context.c
> ===================================================================
> --- tls-context.c (revision 6186)
> +++ tls-context.c (working copy)
> @@ -131,6 +131,14 @@
> SSL_CTX_use_certificate_file(ctx, cert, ktype));
> }
>
> +static int nixio_tls_ctx_set_verify_locations(lua_State *L) {
> + SSL_CTX *ctx = nixio__checktlsctx(L);
> + const char *CAfile = luaL_optstring(L, 2, NULL);
> + const char *CApath = luaL_optstring(L, 3, NULL);
> +
> + return nixio__tls_pstatus(L, SSL_CTX_load_verify_locations(ctx,
> CAfile, CApath));
> +}
> +
> static int nixio_tls_ctx_set_key(lua_State *L) {
> SSL_CTX *ctx = nixio__checktlsctx(L);
> const char *cert = luaL_checkstring(L, 2);
> @@ -203,6 +211,7 @@
> /* ctx function table */
> static const luaL_reg CTX_M[] = {
> {"set_cert", nixio_tls_ctx_set_cert},
> + {"set_verify_locations", nixio_tls_ctx_set_verify_locations},
> {"set_key", nixio_tls_ctx_set_key},
> {"set_ciphers", nixio_tls_ctx_set_ciphers},
> {"set_verify", nixio_tls_ctx_set_verify},
>
>
> Modifying httpclient.lua to use set_verify_locations allows server
> certificate validation from within httpclient.lua. So please consider
> the above patch for inclusion in trunk:
>
> if pr == "https" then
> local tls = options.tls_context or nixio.tls()
> --> tls:set_verify("peer")
> --> tls:set_verify_locations("/etc/ssl/cacert.pem")
> sock = tls:create(sock)
> local stat, code, error = sock:connect()
> if not stat then
> return stat, code, error
> end
> end
>
> So we're now able to perform certificate validation with openssl as TLS
> provider. Recompiling Backfire with cyassl as TLS provider still shows
> the original bug: Setting tls:set_verify("peer") and commenting out
> tls:set_verify_locations("/etc/ssl/demoCA/cacert.pem") does not cause
> the server certificate validation to fail (as it does correctly with
> openssl). The call just proceeds and returns the HTTPS reply body.
>
> Cheers,
> Bart.
>
>
> Jo-Philipp Wich wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Hi.
>>
>>> Could somebody help me out?
>>> Am I using the TLSContext methods correctly?
>> Your code looks correct, can you try it with nixio linked against
>> OpenSSL? I suspect that a bit too much was disabled in CyaSSL build config.
>>
>> ~ Jow
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.9 (GNU/Linux)
>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>>
>> iEYEARECAAYFAkv3QAcACgkQdputYINPTPPMpQCcCKhHLJ+qNJr/qzFt3vjh2tn3
>> H/wAn0Osl6Wf1jKroZ/3fkmJDzU84+Yc
>> =Uxei
>> -----END PGP SIGNATURE-----
>> _______________________________________________
>> luci mailing list
>> luci at lists.subsignal.org
>> https://lists.subsignal.org/mailman/listinfo/luci
>>
> _______________________________________________
> luci mailing list
> luci at lists.subsignal.org
> https://lists.subsignal.org/mailman/listinfo/luci
>
More information about the luci
mailing list