开启证书CRL检查,忽略找不到CRL的证书校验错误。
This commit is contained in:
zhengchao
@@ -132,6 +132,8 @@ struct ssl_mgr
|
||||
|
||||
uint8_t ssl_mode_release_buffers;
|
||||
char trust_CA_file[TFE_PATH_MAX];
|
||||
char crl_file[TFE_PATH_MAX];
|
||||
|
||||
struct ssl_trusted_cert_storage * trust_CA_store;
|
||||
struct key_keeper * key_keeper;
|
||||
struct event_base * ev_base_gc;
|
||||
@@ -569,7 +571,11 @@ struct ssl_mgr * ssl_manager_init(const char * ini_profile, const char * section
|
||||
TFE_LOG_ERROR(logger, "Failed at creating X509_STORE");
|
||||
goto error_out;
|
||||
}
|
||||
|
||||
MESA_load_profile_string_def(ini_profile, section, "crl_file", mgr->crl_file, sizeof(mgr->crl_file), "");
|
||||
if(strlen(mgr->crl_file)>0)
|
||||
{
|
||||
ssl_trusted_cert_storage_add(mgr->trust_CA_store, SSL_X509_OBJ_CRL, mgr->crl_file);
|
||||
}
|
||||
|
||||
memcpy(mgr->ssl_session_context, "mesa-tfe", sizeof(mgr->ssl_session_context));
|
||||
|
||||
|
||||
@@ -50,6 +50,11 @@ static X509_STORE* _X509_store_create(const char* pem_bundle)
|
||||
{
|
||||
return NULL;
|
||||
}
|
||||
X509_VERIFY_PARAM *param=NULL;
|
||||
param = X509_VERIFY_PARAM_new();
|
||||
X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
|
||||
X509_STORE_set1_param(store, param);
|
||||
X509_VERIFY_PARAM_free(param);
|
||||
return store;
|
||||
}
|
||||
static MESA_htable_handle _create_mesa_htable(void)
|
||||
@@ -101,6 +106,7 @@ static int _X509_add_cert_or_crl_add(X509_STORE* store, enum ssl_X509_obj_type
|
||||
BIO *bio=NULL;
|
||||
X509* x=NULL;
|
||||
X509_CRL* x_crl=NULL;
|
||||
int error;
|
||||
|
||||
bio=BIO_new_file(filename, "r");
|
||||
if(bio==NULL)
|
||||
@@ -110,25 +116,25 @@ static int _X509_add_cert_or_crl_add(X509_STORE* store, enum ssl_X509_obj_type
|
||||
ret=0;
|
||||
if(type==SSL_X509_OBJ_CERT)
|
||||
{
|
||||
x=PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL);
|
||||
if(x!=NULL)
|
||||
while(NULL!=(x=PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL)))
|
||||
{
|
||||
ret=X509_STORE_add_cert(store, x);
|
||||
if(ret==0)
|
||||
{
|
||||
X509_free(x);
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
else if(type==SSL_X509_OBJ_CRL)
|
||||
{
|
||||
x_crl=PEM_read_bio_X509_CRL(bio, NULL, NULL, NULL);
|
||||
if(x_crl!=NULL)
|
||||
while(NULL!=(x_crl=PEM_read_bio_X509_CRL(bio, NULL, NULL, NULL)))
|
||||
{
|
||||
ret=X509_STORE_add_crl(store, x_crl);
|
||||
if(ret==0)
|
||||
{
|
||||
X509_CRL_free(x_crl);
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -227,17 +233,19 @@ int ssl_trusted_cert_storage_verify_conn(struct ssl_trusted_cert_storage* storag
|
||||
// The peer certificate chain is not necessarily available after reusing a session, in which case a NULL pointer is returned.
|
||||
return 1;
|
||||
}
|
||||
pthread_rwlock_rdlock(&(storage->rwlock));
|
||||
X509_STORE_CTX * ctx = X509_STORE_CTX_new();
|
||||
X509 * cert = sk_X509_value(cert_chain, 0);
|
||||
|
||||
pthread_rwlock_rdlock(&(storage->rwlock));
|
||||
|
||||
ret = X509_STORE_CTX_init(ctx, storage->effective_store, cert, cert_chain);
|
||||
assert(ret == 1);
|
||||
|
||||
//If a complete chain can be built and validated this function returns 1, otherwise it return zero or negtive code.
|
||||
ret = X509_verify_cert(ctx);
|
||||
if(ret!=1)
|
||||
{
|
||||
err_code=X509_STORE_CTX_get_error(ctx);
|
||||
if(ret!=1 && err_code!=X509_V_ERR_UNABLE_TO_GET_CRL && err_code!=X509_V_ERR_DIFFERENT_CRL_SCOPE)
|
||||
{
|
||||
subj=ssl_x509_subject(cert);
|
||||
issuer=ssl_x509_issuer(cert);
|
||||
snprintf(reason, n_reason, "%s : subject - %s issuer - %s"
|
||||
@@ -246,9 +254,14 @@ int ssl_trusted_cert_storage_verify_conn(struct ssl_trusted_cert_storage* storag
|
||||
, issuer);
|
||||
free(subj);
|
||||
free(issuer);
|
||||
ret=0;
|
||||
}
|
||||
else
|
||||
{
|
||||
ret=1;
|
||||
}
|
||||
X509_STORE_CTX_free(ctx);
|
||||
pthread_rwlock_unlock(&(storage->rwlock));
|
||||
return (ret == 1);
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
||||
@@ -1056,12 +1056,11 @@ void cache_pending(const struct tfe_http_session * session, unsigned int thread_
|
||||
{
|
||||
enum cache_pending_result ret;
|
||||
ctx->f_cache_pending=future_create("cache_pend", cache_pending_on_succ, cache_pending_on_fail, ctx);
|
||||
ctx->ref_session=tfe_http_session_allow_write(session);
|
||||
ctx->pending_result=web_cache_async_pending(g_pangu_rt->cache, thread_id, session->req, ctx->f_cache_pending);
|
||||
switch(ctx->pending_result)
|
||||
{
|
||||
case PENDING_RESULT_REVALIDATE:
|
||||
ctx->ref_session=tfe_http_session_allow_write(session);
|
||||
assert(ctx->ref_session != NULL);
|
||||
tfe_http_session_suspend(ctx->ref_session);
|
||||
break;
|
||||
case PENDING_RESULT_ALLOWED:
|
||||
|
||||
Reference in New Issue
Block a user