[luci] server certificate verification with luci/httpclient
Bart Van Der Meerssche
bart.vandermeerssche at flukso.net
Sun May 30 11:16:46 CEST 2010
Hi Jow,
I've recompiled Backfire with openssl as LuCI TLS provider and
openssl-utils enabled. The server certificate validation succeeds with
the openssl utility command.
root at OpenWrt:~# openssl s_client -connect api.flukso.net:443 -certform
PEM -CAfile /etc/ssl/cacert.pem -msg -state -tls1
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: [...]
Session-ID-ctx:
Master-Key: [...]
Key-Arg : None
TLS session ticket: [...]
Compression: 1 (zlib compression)
Start Time: 1275158096
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
Since the -CAfile switch uses SSL_CTX_load_verify_locations to load the
sequence of CA certificates contained in cacert.pem, I've added the
method to the tls-context.c bindings. I'm including the patch against
LuCI trunk inline:
Index: tls-context.c
===================================================================
--- tls-context.c (revision 6186)
+++ tls-context.c (working copy)
@@ -131,6 +131,14 @@
SSL_CTX_use_certificate_file(ctx, cert, ktype));
}
+static int nixio_tls_ctx_set_verify_locations(lua_State *L) {
+ SSL_CTX *ctx = nixio__checktlsctx(L);
+ const char *CAfile = luaL_optstring(L, 2, NULL);
+ const char *CApath = luaL_optstring(L, 3, NULL);
+
+ return nixio__tls_pstatus(L, SSL_CTX_load_verify_locations(ctx,
CAfile, CApath));
+}
+
static int nixio_tls_ctx_set_key(lua_State *L) {
SSL_CTX *ctx = nixio__checktlsctx(L);
const char *cert = luaL_checkstring(L, 2);
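Review bot: the continuation line of the SSL_CTX_load_verify_locations call (`CAfile, CApath));`) carries no leading `+`, so the hunk will not apply as posted; rejoin it with the preceding `+ return nixio__tls_pstatus(L, SSL_CTX_load_verify_locations(ctx,` line (or restore the marker) before committing. Also, `luaL_optstring(L, 2, NULL)` and `luaL_optstring(L, 3, NULL)` let both arguments default to NULL, and OpenSSL's SSL_CTX_load_verify_locations returns failure when CAfile and CApath are both NULL; a `luaL_argerror` when neither is supplied would report the misuse at the Lua call site instead of as an opaque status failure.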
@@ -203,6 +211,7 @@
/* ctx function table */
static const luaL_reg CTX_M[] = {
{"set_cert", nixio_tls_ctx_set_cert},
+ {"set_verify_locations", nixio_tls_ctx_set_verify_locations},
{"set_key", nixio_tls_ctx_set_key},
{"set_ciphers", nixio_tls_ctx_set_ciphers},
{"set_verify", nixio_tls_ctx_set_verify},
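Review bot: the table entry registers the method, but the patch carries no documentation for it; add a luadoc comment describing the optional CAfile and CApath arguments and that at least one of them is required, and consider placing the entry next to `set_verify`, which it complements, rather than between `set_cert` and `set_key`.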
Modifying httpclient.lua to use set_verify_locations allows server
certificate validation from within httpclient.lua. So please consider
the above patch for inclusion in trunk:
if pr == "https" then
    local tls = options.tls_context or nixio.tls()
--> tls:set_verify("peer")
--> tls:set_verify_locations("/etc/ssl/cacert.pem")
    sock = tls:create(sock)
    local stat, code, error = sock:connect()
    if not stat then
        return stat, code, error
    end
end
So we're now able to perform certificate validation with openssl as TLS
provider. Recompiling Backfire with cyassl as TLS provider still shows
the original bug: Setting tls:set_verify("peer") and commenting out
tls:set_verify_locations("/etc/ssl/demoCA/cacert.pem") does not cause
the server certificate validation to fail (as it does correctly with
openssl). The call just proceeds and returns the HTTPS reply body.
Cheers,
Bart.
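As an added illustration (not part of the patch above and not LuCI's own code): a caller can get the same server certificate verification without editing httpclient.lua by handing a prepared context in through the tls_context option that the snippet already honours. It assumes the patched nixio binding, plus nixio.tls("client"), nixio.fs.access and luci.httpclient.request_to_buffer as found in LuCI trunk of that time; the URL and CA bundle path are placeholders.

```lua
-- Added example, not from the patch or from LuCI: HTTPS request with
-- server certificate verification via the tls_context option.
local nixio = require "nixio"
local fs = require "nixio.fs"
local httpclient = require "luci.httpclient"

-- Build a client TLS context that rejects any chain not rooted in cafile.
-- set_verify("peer") alone has no trusted roots, so with the OpenSSL
-- provider every server certificate would fail; set_verify_locations
-- (the patched binding, assumed present) supplies the CA bundle.
local function verifying_tls_context(cafile)
    if not fs.access(cafile, "r") then
        return nil, "CA bundle not readable: " .. cafile
    end
    local tls = nixio.tls("client")
    tls:set_verify("peer")
    tls:set_verify_locations(cafile)
    return tls
end

-- Fetch url; returns the body, or nil and a message when the TLS
-- handshake (including chain verification) or the HTTP exchange fails.
local function fetch_verified(url, cafile)
    local tls, err = verifying_tls_context(cafile)
    if not tls then
        return nil, err
    end
    local body, code, msg = httpclient.request_to_buffer(url, { tls_context = tls })
    if not body then
        return nil, string.format("request failed (%s): %s", tostring(code), tostring(msg))
    end
    return body
end

-- Usage; both values are placeholders for this example.
local body, err = fetch_verified("https://api.flukso.net/", "/etc/ssl/cacert.pem")
if body then
    print(#body .. " bytes received over a verified TLS connection")
else
    print("error: " .. err)
end
```

Note that set_verify("peer") with a CA bundle only establishes that the chain is trusted; whether the certificate's subject actually matches the host being contacted is a separate check the caller still has to perform.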
Jo-Philipp Wich wrote:
> Hi.
>
>> Could somebody help me out?
>> Am I using the TLSContext methods correctly?
>
> Your code looks correct, can you try it with nixio linked against
> OpenSSL? I suspect that a bit too much was disabled in CyaSSL build config.
>
> ~ Jow