#68 从目录中加载额外的证书和crl。
@@ -132,7 +132,9 @@ struct ssl_mgr
|
||||
char * crl_url;
|
||||
|
||||
uint8_t ssl_mode_release_buffers;
|
||||
char trust_CA_file[TFE_PATH_MAX];
|
||||
char trusted_cert_file[TFE_PATH_MAX];
|
||||
char trusted_cert_dir[TFE_PATH_MAX];
|
||||
|
||||
char crl_file[TFE_PATH_MAX];
|
||||
|
||||
struct ssl_trusted_cert_storage * trust_CA_store;
|
||||
@@ -565,20 +567,17 @@ struct ssl_mgr * ssl_manager_init(const char * ini_profile, const char * section
|
||||
goto error_out;
|
||||
}
|
||||
|
||||
MESA_load_profile_string_def(ini_profile, section, "trust_CA_file", mgr->trust_CA_file, sizeof(mgr->trust_CA_file),
|
||||
MESA_load_profile_string_def(ini_profile, section, "trusted_cert_file", mgr->trusted_cert_file, sizeof(mgr->trusted_cert_file),
|
||||
"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem");
|
||||
|
||||
mgr->trust_CA_store = ssl_trusted_cert_storage_create(mgr->trust_CA_file);
|
||||
MESA_load_profile_string_def(ini_profile, section, "trusted_cert_dir", mgr->trusted_cert_dir, sizeof(mgr->trusted_cert_dir),
|
||||
"./conf/trusted_storage");
|
||||
mgr->trust_CA_store = ssl_trusted_cert_storage_create(mgr->trusted_cert_file, mgr->trusted_cert_dir);
|
||||
if (mgr->trust_CA_store == NULL)
|
||||
{
|
||||
TFE_LOG_ERROR(logger, "Failed at creating X509_STORE");
|
||||
goto error_out;
|
||||
}
|
||||
MESA_load_profile_string_def(ini_profile, section, "crl_file", mgr->crl_file, sizeof(mgr->crl_file), "");
|
||||
if(strlen(mgr->crl_file)>0)
|
||||
{
|
||||
ssl_trusted_cert_storage_add(mgr->trust_CA_store, SSL_X509_OBJ_CRL, mgr->crl_file);
|
||||
}
|
||||
|
||||
memcpy(mgr->ssl_session_context, "mesa-tfe", sizeof(mgr->ssl_session_context));
|
||||
|
||||
@@ -941,23 +940,27 @@ static void ssl_server_connected_eventcb(struct bufferevent * bev, short events,
|
||||
struct ssl_stream * s_stream = ctx->s_stream;
|
||||
struct ssl_mgr* mgr=s_stream->mgr;
|
||||
SSL_SESSION * ssl_sess = NULL;
|
||||
char error_string[TFE_STRING_MAX];
|
||||
char error_str[TFE_STRING_MAX];
|
||||
const char* sni=s_stream->client_hello->sni?s_stream->client_hello->sni:"null";
|
||||
|
||||
if (events & BEV_EVENT_ERROR)
|
||||
{
|
||||
ATOMIC_INC(&(ctx->mgr->stat_val[SSL_UP_ERR]));
|
||||
ssl_stream_log_error(bev, CONN_DIR_UPSTREAM, ctx->mgr->logger);
|
||||
promise_failed(p, FUTURE_ERROR_EXCEPTION, "connect to original server failed.");
|
||||
snprintf(error_str, sizeof(error_str), "connect to original server failed : sni=%s", sni);
|
||||
promise_failed(p, FUTURE_ERROR_EXCEPTION, error_str);
|
||||
}
|
||||
else if(events & BEV_EVENT_EOF)
|
||||
{
|
||||
ATOMIC_INC(&(ctx->mgr->stat_val[SSL_UP_ERR]));
|
||||
promise_failed(p, FUTURE_ERROR_EXCEPTION, "original server closed.");
|
||||
ATOMIC_INC(&(ctx->mgr->stat_val[SSL_UP_ERR]));
|
||||
snprintf(error_str, sizeof(error_str), "original server closed : sni=%s", sni);
|
||||
promise_failed(p, FUTURE_ERROR_EXCEPTION, error_str);
|
||||
}
|
||||
else if(events & BEV_EVENT_TIMEOUT)
|
||||
{
|
||||
ATOMIC_INC(&(ctx->mgr->stat_val[SSL_UP_ERR]));
|
||||
promise_failed(p, FUTURE_ERROR_TIMEOUT, NULL);
|
||||
ATOMIC_INC(&(ctx->mgr->stat_val[SSL_UP_ERR]));
|
||||
snprintf(error_str, sizeof(error_str), "timeout : sni=%s", sni);
|
||||
promise_failed(p, FUTURE_ERROR_TIMEOUT, error_str);
|
||||
}
|
||||
else if(events & BEV_EVENT_CONNECTED)
|
||||
{
|
||||
@@ -967,7 +970,7 @@ static void ssl_server_connected_eventcb(struct bufferevent * bev, short events,
|
||||
if(!SSL_session_reused(s_stream->ssl))
|
||||
{
|
||||
s_stream->is_peer_cert_verify_passed = ssl_trusted_cert_storage_verify_conn(s_stream->mgr->trust_CA_store,
|
||||
s_stream->ssl, error_string, sizeof(error_string));
|
||||
s_stream->ssl, error_str, sizeof(error_str));
|
||||
if(s_stream->is_peer_cert_verify_passed)
|
||||
{
|
||||
//ONLY verified session is cacheable.
|
||||
@@ -980,7 +983,7 @@ static void ssl_server_connected_eventcb(struct bufferevent * bev, short events,
|
||||
{
|
||||
ATOMIC_INC(&(mgr->stat_val[SSL_FAKE_CRT]));
|
||||
char* addr_str=tfe_string_addr_create_by_fd(ctx->fd_upstream, CONN_DIR_UPSTREAM);
|
||||
TFE_LOG_INFO(mgr->logger, "Fake Cert %s %s : %s", addr_str, ctx->s_stream->client_hello->sni, error_string);
|
||||
TFE_LOG_INFO(mgr->logger, "Fake Cert %s %s : %s", addr_str, ctx->s_stream->client_hello->sni, error_str);
|
||||
free(addr_str);
|
||||
}
|
||||
}
|
||||
@@ -1430,22 +1433,26 @@ static void ssl_client_connected_eventcb(struct bufferevent * bev, short events,
|
||||
struct ssl_stream * s_stream = ctx->downstream;
|
||||
struct ssl_mgr* mgr=s_stream->mgr;
|
||||
SSL_SESSION * ssl_sess = NULL;
|
||||
|
||||
const char* sni=ctx->origin_ssl->client_hello->sni?ctx->origin_ssl->client_hello->sni:"null";
|
||||
char error_str[TFE_STRING_MAX]={0};
|
||||
if (events & BEV_EVENT_ERROR)
|
||||
{
|
||||
ATOMIC_INC(&(mgr->stat_val[SSL_DOWN_ERR]));
|
||||
ssl_stream_log_error(bev, CONN_DIR_DOWNSTREAM, mgr->logger);
|
||||
promise_failed(p, FUTURE_ERROR_EXCEPTION, "connect to client failed.");
|
||||
snprintf(error_str, sizeof(error_str), "connect to client failed : sni=%s", sni);
|
||||
promise_failed(p, FUTURE_ERROR_EXCEPTION, error_str);
|
||||
}
|
||||
else if(events & BEV_EVENT_EOF)
|
||||
{
|
||||
ATOMIC_INC(&(mgr->stat_val[SSL_DOWN_ERR]));
|
||||
promise_failed(p, FUTURE_ERROR_EXCEPTION, "client side closed.");
|
||||
ATOMIC_INC(&(mgr->stat_val[SSL_DOWN_ERR]));
|
||||
snprintf(error_str, sizeof(error_str), "client side closed : sni=%s", sni);
|
||||
promise_failed(p, FUTURE_ERROR_EXCEPTION, error_str);
|
||||
}
|
||||
else if(events & BEV_EVENT_TIMEOUT)
|
||||
{
|
||||
ATOMIC_INC(&(mgr->stat_val[SSL_DOWN_ERR]));
|
||||
promise_failed(p, FUTURE_ERROR_TIMEOUT, NULL);
|
||||
snprintf(error_str, sizeof(error_str), "timeout : sni=%s", sni);
|
||||
promise_failed(p, FUTURE_ERROR_TIMEOUT, error_str);
|
||||
}
|
||||
else if(events & BEV_EVENT_CONNECTED)
|
||||
{
|
||||
|
||||
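Review bot: The new default for `trusted_cert_dir` in the ssl_manager_init hunk is the relative path "./conf/trusted_storage", so the extra trust anchors (and, per the commit title, CRLs) the manager loads depend on the working directory the process is started from rather than on the profile; an absolute default, or resolving the value against the profile's own directory, would make the trust configuration reproducible across deployments. The error branch after `ssl_trusted_cert_storage_create(mgr->trusted_cert_file, mgr->trusted_cert_dir)` still logs only "Failed at creating X509_STORE"; logging both inputs, e.g. `TFE_LOG_ERROR(logger, "Failed at creating X509_STORE (file=%s dir=%s)", mgr->trusted_cert_file, mgr->trusted_cert_dir);`, lets an operator tell a missing directory from a bad bundle. The `crl_file` member kept in the struct hunk appears to no longer be populated on the new side, since the hunk's line counts suggest the `MESA_load_profile_string_def(... "crl_file" ...)` block is among the removed lines; if nothing else reads it, drop the member, otherwise add a comment stating that CRLs are now expected in `trusted_cert_dir`. In the ssl_server_connected_eventcb hunk the EOF and TIMEOUT branches each show two `ATOMIC_INC(&(ctx->mgr->stat_val[SSL_UP_ERR]))` lines around the replaced promise_failed call; if the first of each pair survives as context, SSL_UP_ERR is now counted twice per event, and the EOF branch of ssl_client_connected_eventcb shows the same pattern. ssl_manager_init and both event callbacks begin and end outside their hunks.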