Article delegate-en/4065 of [1-5169] on the server localhost:119
[Reference:<_A4064@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: How to verify a server's certificate?
12 Aug 2008 06:08:20 GMT feedback@delegate.org (Yutaka Sato)
The DeleGate Project


Hi,

In message <_A4064@delegate-en.ML_> on 08/12/08(04:36:26)
you Monika Schilling <p3ehqbdyi-ecr676v4so5r.ml@ml.delegate.org> wrote:
 |On Monday August 11 2008 10:36, Yutaka Sato wrote:
 |> ...
 |> But note that the SSL (TLS) configuration of DeleGate is moving from
 |> sslway options like -CApath to files under the CERTDIR (like ca-sv.pem)
 |> after DeleGate/9.8.0 and the recommended way to disable the default
 |> certificates will be making a special file under CERTDIR.
 |> <URL:http://www.delegate.org/delegate/Manual.htm?CERTDIR>
 |
 |Thank you for the pointer. I checked DeleGate 9.8.3 with the new way of 
 |configuration via files under CERTDIR. Everything works as expected. There is 
 |no need for using the trick with the OpenSSL environment variable 
 |SSL_CERT_DIR as with version 9.7.7.

Is it true?  I can't understand it, because the simple code of sslway.c
loads the default certificates anyway if the loading of the given
certificate succeeds, regardless of whether it is given by the
"-CAxxxx cacert.pem" option or by the default name "CERTDIR/ca-sv".

 >  	if( !SSL_CTX_load_verify_locations(ctx,file,dir)
 >  	 || !SSL_CTX_set_default_verify_paths(ctx) ){

I enclosed a patch, to be included in the next release (9.8.4-pre5), which
introduces a way to suppress the loading of default certificates.
It is achieved by creating (just touching) a file with the ".nodefault" extension
in place of the original name of the certificate file or directory.
For example, when you use the default "ca-sv.pem", creating a file named
"ca-sv.nodefault" suppresses the default certificates.

   CERTDIR/ca-sv.pem  --> CERTDIR/ca-sv.nodefault

Like this for other cases:

   CERTDIR/ca-sv/     --> CERTDIR/ca-sv.nodefault or CERTDIR/ca-sv/nodefault
   -CAfile cacert.pem --> cacert.nodefault
   -CApath cacert     --> cacert.nodefault or cacert/nodefault

With this extension, you will see a log like the following.

  08/12 14:37:28.29 [5902] 1+1: ## SSLway CAs = OK [/CERTDIR/ca-sv.pem][(NONE)]
  08/12 14:37:28.29 [5902] 1+1: ## SSLway CAs = no DEFAULT


 |OT: Strange effect of the mailing list
 |I got my initial posting and all of your replies sent to me by e-mail.
 |However none of my replies were sent back to me. Do you have an explanation?

Indeed it is not a real "mailing-list" forwarded to subscribers.
It is just my mail-reader's setting to set "Reply-To: feedback@delegate.org"
when the recipient of original mail is feedback@delegate.org.

Cheers,
Yutaka
--
  9 9   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
 ( ~ )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller


*** dist/src/delegate9.8.3/filters/sslway.c	Sun Apr 27 13:07:28 2008
--- filters/sslway.c	Tue Aug 12 14:36:48 2008
***************
*** 883,902 ****
--- 883,938 ----
  		saveSessions(ctx,accSSL,XACC);
  		TRACE("accepted");
  		return accSSL;
  	}
  }
+ static int nodefaultCA(PCStr(file)){
+ 	IStr(xpath,1024);
+ 	refQStr(dp,xpath);
+ 	if( file ){
+ 		strcpy(xpath,file);
+ 		if( dp = strtailstr(xpath,".pem") ){
+ 			strcpy(dp,".nodefault");
+ 			if( File_is(xpath) ) return 1;
+ 		}
+ 		strcat(xpath,"/nodefault");
+ 		if( File_is(xpath) ) return 2;
+ 	}
+ 	return 0;
+ }
  static void ssl_setCAs(SSL_CTX *ctx,PCStr(file),PCStr(dir))
  {	CStr(xfile,1024);
  	CStr(xdir,1024);
  
  	if( LIBFILE_IS(file,AVStr(xfile)) ) file = xfile;
  	if( findcert(dir,AVStr(xdir),ISDIR) ) dir = xdir;
  	/*
  	if( LIBFILE_IS(dir, AVStr(xdir))  ) dir = xdir;
  	*/
  
+ 	if( file || dir ){
+ 		if( SSL_CTX_load_verify_locations(ctx,file,dir) ){
+ 			TRACE("CAs = OK [%s][%s]",
+ 				file?file:"(NULL)",dir?dir:"(NULL)");
+ 		}else{
+ 			ERROR("CAs not found or wrong: [%s][%s]",
+ 				file?file:"(NULL)",dir?dir:"(NULL)");
+ 			ERR_print_errors_fp(stderr);
+ 		}
+ 	}
+ 	if( nodefaultCA(file) || nodefaultCA(dir) ){
+ 		TRACE("CAs = no DEFAULT");
+ 	}else{
+ 		if( SSL_CTX_set_default_verify_paths(ctx) ){
+ 			TRACE("CAs = OK, set the DEFAULT");
+ 		}else{
+ 			ERROR("CAs wrong DEFAULT");
+ 			ERR_print_errors_fp(stderr);
+ 		}
+ 	}
+ 	return;
+ 
  	if( !SSL_CTX_load_verify_locations(ctx,file,dir)
  	 || !SSL_CTX_set_default_verify_paths(ctx) ){
  		if( SSL_fatalCB ){
  			(*SSL_fatalCB)("ssl_setCAs() failed\n");
  		}
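Review bot: the marker lookup in nodefaultCA() only tries `<name>.nodefault` when the path ends in `.pem` (the `strtailstr(xpath,".pem")` branch); for a directory such as `CERTDIR/ca-sv/` or `-CApath cacert` it falls through to `strcat(xpath,"/nodefault")` and checks `<dir>/nodefault` only, so the `ca-sv.nodefault` / `cacert.nodefault` alternatives listed for the directory cases in the message are never consulted. Either try the `.nodefault` sibling for every path or drop those alternatives from the description. A second point: the `return;` added at the end of the new block makes the original `if( !SSL_CTX_load_verify_locations(ctx,file,dir) ... SSL_fatalCB` code after it unreachable, so a CA load failure is now only reported via ERROR() and the filter continues; either delete the dead block or keep the fatal-callback behaviour for the failure path.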

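An added check, written here as an example and not DeleGate's own code, that mirrors the marker lookup of the posted nodefaultCA() and reports whether ssl_setCAs() would still add the OpenSSL default store on top of the explicit CA; it assumes File_is() is a plain existence test and uses a constructed CERTDIR with a placeholder PEM. It also covers the directory case, where only ca-sv/nodefault is consulted and a sibling ca-sv.nodefault is not.

```python
import os
import tempfile


def nodefault_marker(path):
    """Return the marker file the posted nodefaultCA() would find for `path`,
    or None. Only a name ending in '.pem' is tried as '<stem>.nodefault';
    everything else is tried as '<path>/nodefault'. File_is() is assumed
    to be a plain existence test."""
    if not path:
        return None
    if path.endswith(".pem"):
        cand = path[: -len(".pem")] + ".nodefault"
        if os.path.exists(cand):
            return cand
        # the C code appends "/nodefault" to the already rewritten buffer
        cand += "/nodefault"
    else:
        cand = path + "/nodefault"
    return cand if os.path.exists(cand) else None


def trust_store_plan(cafile=None, capath=None):
    """What ssl_setCAs() would end up trusting: the explicit locations, and
    whether SSL_CTX_set_default_verify_paths() is still called on top."""
    marker = nodefault_marker(cafile) or nodefault_marker(capath)
    return {
        "explicit": [p for p in (cafile, capath) if p],
        "defaults_loaded": marker is None,
        "marker": marker,
    }


def demo():
    """Constructed CERTDIR layout; the PEM content is a placeholder because
    only the file names matter for the marker lookup."""
    with tempfile.TemporaryDirectory() as certdir:
        pem = os.path.join(certdir, "ca-sv.pem")
        with open(pem, "w") as f:
            f.write("-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----\n")
        file_before = trust_store_plan(cafile=pem)      # defaults still added
        open(os.path.join(certdir, "ca-sv.nodefault"), "w").close()
        file_after = trust_store_plan(cafile=pem)       # defaults suppressed
        cadir = os.path.join(certdir, "ca-sv")
        os.mkdir(cadir)
        dir_sibling = trust_store_plan(capath=cadir)    # ca-sv.nodefault not consulted
        open(os.path.join(cadir, "nodefault"), "w").close()
        dir_inside = trust_store_plan(capath=cadir)     # ca-sv/nodefault honoured
    return file_before, file_after, dir_sibling, dir_inside


if __name__ == "__main__":
    print([p["defaults_loaded"] for p in demo()])  # [True, False, True, False]
```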