[luci] server certificate verification with luci/httpclient

Larry Stefonic larry at yassl.com
Tue Jun 8 22:57:04 CEST 2010 

Hi!
 
If this problem proves to be inside of the CyaSSL code, please let us know
at support at yassl.com, and we'll do what we can to help.  



LS
www.yassl.com  
 
 
Hi list,
 
I managed to get server certificate validation working against cyassl 
with this patch:
 
Index: libs/nixio/src/tls-context.c
===================================================================
--- libs/nixio/src/tls-context.c        (revision 6186)
+++ libs/nixio/src/tls-context.c        (working copy)
@@ -65,10 +65,6 @@
                 return luaL_error(L, "unable to create TLS context");
         }
 
-#ifdef WITH_CYASSL
-       SSL_CTX_set_verify(*ctx, SSL_VERIFY_NONE, NULL);
-#endif
-
         return 1;
  }
 
@@ -131,6 +127,14 @@
                         SSL_CTX_use_certificate_file(ctx, cert, ktype));
  }
 
+static int nixio_tls_ctx_set_verify_locations(lua_State *L) {
+       SSL_CTX *ctx = nixio__checktlsctx(L);
+       const char *CAfile = luaL_optstring(L, 2, NULL);
+       const char *CApath = luaL_optstring(L, 3, NULL);
+
+       return nixio__tls_pstatus(L, SSL_CTX_load_verify_locations(ctx, 
CAfile, CApath));
+}
+
  static int nixio_tls_ctx_set_key(lua_State *L) {
         SSL_CTX *ctx = nixio__checktlsctx(L);
         const char *cert = luaL_checkstring(L, 2);
@@ -203,6 +207,7 @@
  /* ctx function table */
  static const luaL_reg CTX_M[] = {
         {"set_cert",                    nixio_tls_ctx_set_cert},
+        {"set_verify_locations",       nixio_tls_ctx_set_verify_locations},
         {"set_key",                             nixio_tls_ctx_set_key},
         {"set_ciphers",                 nixio_tls_ctx_set_ciphers},
         {"set_verify",                  nixio_tls_ctx_set_verify},
 
Notes:
1/ I can't seem pinpoint the reason why the '#ifdef WITH_CYASSL' check 
should be omitted for the validation to work properly. Setting the 
validation to 'peer' in Lua code does not work when this #ifdef is 
included in the library.
 
2/ There is an error defining SSL_FILETYPE_PEM and SSL_FILETYPE_ASN1 in 
ssh.h for cyassl:
./include/openssl/ssl.h:432:    SSL_FILETYPE_PEM     = 11,
./include/openssl/ssl.h:431:    SSL_FILETYPE_ASN1    = 10,
 
While openssl (and nixio.tls) expect:
./include/openssl/ssl.h:340:#define SSL_FILETYPE_ASN1   X509_FILETYPE_ASN1
./include/openssl/ssl.h:341:#define SSL_FILETYPE_PEM    X509_FILETYPE_PEM
./include/openssl/x509.h:122:#define X509_FILETYPE_PEM  1
./include/openssl/x509.h:123:#define X509_FILETYPE_ASN1 2
 
This means that nixio's tls:set_cert and tls:set_key are not likely to 
work with cyassl.
 
3/ Cyassl's SSL_CTX_load_verify_locations will only work with a CAfile 
being specified. CApath is ignored. Furthermore, cyassl will only load 
the first certificate in the bundle. Specifying a certificate chain by 
putting all certificates in a cacert-type bundle and pointing to this 
file with SSL_CTX_load_verify_locations will not work. With openssl, it 
does.
 
 
Cheers,
Bart.
 
Bart Van Der Meerssche wrote:
> Hi Jow,
> 
> I've recompiled Backfire with openssl as LuCI TLS provider and 
> openssl-utils enabled. The server certificate validation succeeds with 
> the openssl utility command.
> root at OpenWrt <https://lists.subsignal.org/mailman/listinfo/luci> :~#
openssl s_client -connect api.flukso.net:443 -certform 
> PEM -CAfile /etc/ssl/cacert.pem -msg -state -tls1
> 
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS NOT supported
> Compression: zlib compression
> Expansion: zlib compression
> SSL-Session:
>      Protocol  : TLSv1
>      Cipher    : DHE-RSA-AES256-SHA
>      Session-ID: [...]
>      Session-ID-ctx:
>      Master-Key: [...]
>      Key-Arg   : None
>      TLS session ticket: [...]
>      Compression: 1 (zlib compression)
>      Start Time: 1275158096
>      Timeout   : 7200 (sec)
>      Verify return code: 0 (ok)
> ---
> 
> Since the -CAfile switch uses SSL_CTX_load_verify_locations to load the 
> sequence of CA certificates contained in cacert.pem, I've added the 
> method to the tls-context.c bindings. I'm including the patch against 
> LuCI trunk inline:
> 
> Index: tls-context.c
> ===================================================================
> --- tls-context.c       (revision 6186)
> +++ tls-context.c       (working copy)
> @@ -131,6 +131,14 @@
>                          SSL_CTX_use_certificate_file(ctx, cert, ktype));
>   }
> 
> +static int nixio_tls_ctx_set_verify_locations(lua_State *L) {
> +       SSL_CTX *ctx = nixio__checktlsctx(L);
> +       const char *CAfile = luaL_optstring(L, 2, NULL);
> +       const char *CApath = luaL_optstring(L, 3, NULL);
> +
> +       return nixio__tls_pstatus(L, SSL_CTX_load_verify_locations(ctx, 
> CAfile, CApath));
> +}
> +
>   static int nixio_tls_ctx_set_key(lua_State *L) {
>          SSL_CTX *ctx = nixio__checktlsctx(L);
>          const char *cert = luaL_checkstring(L, 2);
> @@ -203,6 +211,7 @@
>   /* ctx function table */
>   static const luaL_reg CTX_M[] = {
>          {"set_cert",                    nixio_tls_ctx_set_cert},
> +        {"set_verify_locations",
nixio_tls_ctx_set_verify_locations},
>          {"set_key",                             nixio_tls_ctx_set_key},
>          {"set_ciphers",                 nixio_tls_ctx_set_ciphers},
>          {"set_verify",                  nixio_tls_ctx_set_verify},
> 
> 
> Modifying httpclient.lua to use set_verify_locations allows server 
> certificate validation from within httpclient.lua. So please consider 
> the above patch for inclusion in trunk:
> 
> if pr == "https" then
>       local tls = options.tls_context or nixio.tls()
> -->   tls:set_verify("peer")
> -->   tls:set_verify_locations("/etc/ssl/cacert.pem")
>       sock = tls:create(sock)
>       local stat, code, error = sock:connect()
>       if not stat then
>              return stat, code, error
>       end
> end
> 
> So we're now able to perform certificate validation with openssl as TLS 
> provider. Recompiling Backfire with cyassl as TLS provider still shows 
> the original bug: Setting tls:set_verify("peer") and commenting out 
> tls:set_verify_locations("/etc/ssl/demoCA/cacert.pem") does not cause 
> the server certificate validation to fail (as it does correctly with 
> openssl). The call just proceeds and returns the HTTPS reply body.
> 
> Cheers,
> Bart.
> 
> 
> Jo-Philipp Wich wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>> 
>> Hi.
>> 
>>> Could somebody help me out?
>>> Am I using the TLSContext methods correctly?
>> Your code looks correct, can you try it with nixio linked against
>> OpenSSL? I suspect that a bit too much was disabled in CyaSSL build
config.
>> 
>> ~ Jow
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.9 (GNU/Linux)
>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>> 
>> iEYEARECAAYFAkv3QAcACgkQdputYINPTPPMpQCcCKhHLJ+qNJr/qzFt3vjh2tn3
>> H/wAn0Osl6Wf1jKroZ/3fkmJDzU84+Yc
>> =Uxei
>> -----END PGP SIGNATURE-----
>> _______________________________________________
>> luci mailing list
>> luci at lists.subsignal.org
<https://lists.subsignal.org/mailman/listinfo/luci> 
>> https://lists.subsignal.org/mailman/listinfo/luci
>> 
> _______________________________________________
> luci mailing list
> luci at lists.subsignal.org
<https://lists.subsignal.org/mailman/listinfo/luci> 
> https://lists.subsignal.org/mailman/listinfo/luci
> 

 

 

Larry Stefonic

www.yassl.com

Skype: Stefonic

+1 206 369 4800

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.subsignal.org/pipermail/luci/attachments/20100608/1889ae6e/attachment-0001.htm

More information about the luci mailing list