
SSL, certs, and conserver (fix included)

Bryan Stansell bryan@conserver.com
Wed, 1 Jun 2005 23:29:18 -0700 (PDT)


it all started with an innocent enough question:

On Thu, May 26, 2005 at 11:00:35PM +0100, Michael Doyle wrote:
> Can anyone give me an example of using conserver with generated ssl certs
> (i.e. -c file) for both the server and client. I've compiled conserver with
> openssl support and a tcpdump confirms that traffic is encrypted between
> server and client but when I start the daemon with a '-c' pointing to a
> self signed certificate file I created, the client happily connects to
> consoles even though I've not specified the equivalent on the client side.
> My understanding is that if I use a cert then the server and client need to
> be using the same. Any pointers appreciated.

and in looking into it, i noticed certs weren't working right.  the good
news is, being on a plane gave me time enough to really dig into this
and i found the problem (pretty simple, actually).  i've included the
patch below, for those who'd actually like to use certs before the next
release.

here's a description of how things are coded to work (once you apply the
patch)....

  - neither side uses -c

    the ssl bits are allowed to use an unauthenticated cipher to set up
    the encryption.  that just works.

now, if you use the -c option on either side, that side disables the
unauthenticated ciphers and requires a valid cert handshake.  so if...

  - server side uses -c

    since the anonymous ciphers are not allowed, the client *must*
    validate/accept the server's certificate for the handshake to
    complete.  the server does *not* require a certificate from the
    client.  if the client provides a certificate, however, the server
    *must* validate it as well.

  - client side uses -c

    again, since the anonymous ciphers are not allowed (on the client,
    this time), a valid handshake has to happen.  apparently this can
    only happen (at least with the code the way it is) if the server
    provides a certificate.  therefore, you *must* give the server a cert
    if you use -c on the client, in which case you're in the boat above.

crazy stuff, no?  i think for the most common cases, this behavior is
correct.  you want the client to validate a server cert.  and if you
give the client a cert, you want the server to validate it.

if anyone is still having issues after applying the patch below, let me
know.  it was working well for me and the certs generated with the
contrib/maketestcerts script.

Bryan

===================================

diff -c -r conserver-8.1.11-orig/conserver/main.c conserver-8.1.11/conserver/main.c
*** conserver-8.1.11-orig/conserver/main.c	Tue Jul 13 22:28:42 2004
--- conserver-8.1.11/conserver/main.c	Wed Jun  1 22:50:35 2005
***************
*** 323,328 ****
--- 323,329 ----
  #endif
  {
      if (ctx == (SSL_CTX *)0) {
+ 	char *ciphers;
  	SSL_load_error_strings();
  	if (!SSL_library_init()) {
  	    Error("SetupSSL(): SSL_library_init() failed");
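Review bot: `char *ciphers;` at the top of the `if (ctx == (SSL_CTX *)0)` block only ever points at string literals (assigned in the next hunk), so it should be declared `const char *ciphers;`. SSL_CTX_set_cipher_list() takes a `const char *` anyway, and the qualifier lets the compiler reject an accidental write through the pointer.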
***************
*** 352,357 ****
--- 353,361 ----
  		     config->sslcredentials);
  		Bye(EX_SOFTWARE);
  	    }
+ 	    ciphers = "ALL:!LOW:!EXP:!MD5:!aNULL:@STRENGTH";
+ 	} else {
+ 	    ciphers = "ALL:!LOW:!EXP:!MD5:@STRENGTH";
  	}
  	SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, SSLVerifyCallback);
  	SSL_CTX_set_options(ctx,
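Review bot: the `else` branch leaves anonymous (aNULL) suites enabled whenever no credentials are configured, and the `SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, SSLVerifyCallback)` call just below does nothing for that case, because an anonymous handshake carries no certificate to verify. That fallback is intended per the description, but the code does not say so: add a comment on the two assignments explaining why `!aNULL` appears in only one of them, and consider logging which list was selected so an operator can tell an authenticated setup from an encrypt-only one.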
***************
*** 362,368 ****
  			 SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
  			 SSL_MODE_AUTO_RETRY);
  	SSL_CTX_set_tmp_dh_callback(ctx, TmpDHCallback);
! 	if (SSL_CTX_set_cipher_list(ctx, "ALL:!LOW:!EXP:!MD5:@STRENGTH") !=
  	    1) {
  	    Error("SetupSSL(): setting SSL cipher list failed");
  	    Bye(EX_SOFTWARE);
--- 366,372 ----
  			 SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
  			 SSL_MODE_AUTO_RETRY);
  	SSL_CTX_set_tmp_dh_callback(ctx, TmpDHCallback);
! 	if (SSL_CTX_set_cipher_list(ctx, ciphers) !=
  	    1) {
  	    Error("SetupSSL(): setting SSL cipher list failed");
  	    Bye(EX_SOFTWARE);
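Review bot: the failure message after `SSL_CTX_set_cipher_list(ctx, ciphers)` is still the fixed text "SetupSSL(): setting SSL cipher list failed", and now that one of two lists can be passed it no longer says which one was rejected. Include the `ciphers` string in the message.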
diff -c -r conserver-8.1.11-orig/console/console.c conserver-8.1.11/console/console.c
*** conserver-8.1.11-orig/console/console.c	Mon Oct 25 00:18:20 2004
--- conserver-8.1.11/console/console.c	Wed Jun  1 22:50:13 2005
***************
*** 69,74 ****
--- 69,75 ----
  #endif
  {
      if (ctx == (SSL_CTX *)0) {
+ 	char *ciphers;
  	SSL_load_error_strings();
  	if (!SSL_library_init()) {
  	    Error("SSL library initialization failed");
***************
*** 95,100 ****
--- 96,104 ----
  		      config->sslcredentials);
  		Bye(EX_UNAVAILABLE);
  	    }
+ 	    ciphers = "ALL:!LOW:!EXP:!MD5:!aNULL:@STRENGTH";
+ 	} else {
+ 	    ciphers = "ALL:!LOW:!EXP:!MD5:@STRENGTH";
  	}
  	SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, SSLVerifyCallback);
  	SSL_CTX_set_options(ctx,
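Review bot: these two assignments repeat, character for character, the literals added to conserver/main.c, so the cipher policy now lives in four string literals across two programs and can drift apart on the next edit. Define the two lists once in a header that both files include and reference the names here.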
***************
*** 104,110 ****
  			 SSL_MODE_ENABLE_PARTIAL_WRITE |
  			 SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
  			 SSL_MODE_AUTO_RETRY);
! 	if (SSL_CTX_set_cipher_list(ctx, "ALL:!LOW:!EXP:!MD5:@STRENGTH") !=
  	    1) {
  	    Error("Setting SSL cipher list failed");
  	    Bye(EX_UNAVAILABLE);
--- 108,114 ----
  			 SSL_MODE_ENABLE_PARTIAL_WRITE |
  			 SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
  			 SSL_MODE_AUTO_RETRY);
! 	if (SSL_CTX_set_cipher_list(ctx, ciphers) !=
  	    1) {
  	    Error("Setting SSL cipher list failed");
  	    Bye(EX_UNAVAILABLE);
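The -c cases described in the message above, worked through as a small C model (an added example, not conserver code). The suite table and its ordering are constructed and `negotiate()` is a hypothetical helper; the model assumes a server started without -c has no certificate to present, and it leaves client-certificate validation out.

```c
#include <stdio.h>
#include <string.h>

/* Constructed table, in preference order: real OpenSSL suite names,
 * flagged 1 when the key exchange is anonymous (no certificate). */
struct suite { const char *name; int anon; };
static const struct suite SUITES[] = {
    {"DHE-RSA-AES256-SHA", 0}, {"AES256-SHA", 0},
    {"ADH-AES256-SHA", 1},     {"ADH-AES128-SHA", 1},
};
#define NSUITES (sizeof SUITES / sizeof SUITES[0])

/* The list the patch selects: "!aNULL" appears only when -c was given. */
static const char *cipher_list(int has_c) {
    return has_c ? "ALL:!LOW:!EXP:!MD5:!aNULL:@STRENGTH"
                 : "ALL:!LOW:!EXP:!MD5:@STRENGTH";
}

/* 1 if this side's list rules out anonymous suites. */
static int excludes_anon(int has_c) {
    return strstr(cipher_list(has_c), "!aNULL") != NULL;
}

/* Model of suite selection: both lists must permit the suite, and a
 * server started without -c has no certificate, so it can only complete
 * an anonymous suite. Returns the suite name, or NULL if none is shared. */
const char *negotiate(int server_c, int client_c) {
    int no_anon = excludes_anon(server_c) || excludes_anon(client_c);
    for (size_t i = 0; i < NSUITES; i++) {
        const struct suite *s = &SUITES[i];
        if (s->anon && no_anon) continue;      /* ruled out by !aNULL */
        if (!s->anon && !server_c) continue;   /* no cert to present  */
        return s->name;
    }
    return NULL;
}

int main(void) {
    for (int sc = 0; sc < 2; sc++)
        for (int cc = 0; cc < 2; cc++) {
            const char *r = negotiate(sc, cc);
            printf("server -c:%d client -c:%d -> %s\n", sc, cc,
                   r ? r : "handshake fails (no shared cipher)");
        }
    return 0;
}
```

The client-only -c row is the one that fails: the client has ruled out anonymous suites and the server has nothing else to offer.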