Ticket #1 (closed defect: fixed)

Opened 20 months ago

Last modified 6 months ago

c2s - proper certificate per vHost

Reported by: smoku Owned by: Simon
Priority: major Component: c2s
Version: 2.1 Keywords:
Cc: Tracforge_linkmap:
Blocking: Blocked By:

Description

c2s does not assign proper certificates on vHost basis

Attachments

jabber.patch (19.8 KB) - added by Simon 7 months ago.
Updated version that runs atoi on s2s default verify-mode
patch_1_fix_s2s.patch (4.6 KB) - added by Simon 6 months ago.
Avoid using or requiring local_pemfile for s2s
patch_1_fix_s2s.2.patch (2.5 KB) - added by Simon 6 months ago.
Avoid using or requiring local_pemfile for s2s

Change History

  Changed 7 months ago by Simon

  • owner changed from smoku to Simon
  • status changed from new to assigned

  Changed 7 months ago by Simon

I've got a patch that adds this; I'm currently fixing the equivalent bug at the same time in s2s too.

follow-up: ↓ 4   Changed 7 months ago by Simon

The patch added above implements a hash of SSL contexts, with the default context having key "*". The SSL init method has an additional name parameter to specify the domain it should be used for. An additional method allows more certificates to be added. The 'to' value is kept across sx_reset when starting TLS, and s2s passes the 'from' value to sx_client_init().

  • c2s now supports cachain and verify-mode per host
  • s2s now supports pemfile, cachain and verify-mode per host
  • s2s didn't support cachain or verify-mode before this change because these were never read from the configuration

Changed 7 months ago by Simon

Updated version that runs atoi on s2s default verify-mode

in reply to: ↑ 3   Changed 7 months ago by Simon

Replying to Simon:

The patch added above

Now below. Apparently I can't edit a ticket description, but I can obliterate attachment history...

Original description "Allow c2s/s2s to use a different TLS SSL context (i.e. certificate) depending on which domain we are connecting from or being connected to".

  Changed 7 months ago by smoku

  • status changed from assigned to infoneeded

Could you please add examples to etc/s2s.xml.dist.in and etc/c2s.xml.dist.in? I'm not sure if I get how to use "*" correctly.

  Changed 7 months ago by Simon

  • status changed from infoneeded to assigned

The "*" is really just an internal name - the <pemfile/> in both c2s and s2s is used as the default if they exist (however if one is not specified then the router connection's <pemfile/> is used... which is what it did previously).

For c2s there's not really any change - the existing local.id.pemfile will start working, and local.pemfile will be used for SSL/any IDs with no pemfile set.

For s2s it's possible to specify a local.id.pemfile for any IDs which override the local.pemfile setting.

Examples assuming the example.org certificate is *.example.org, and that c2s SSL should use the example.org certificate:

c2s:
<local>
  <id pemfile='example-com.pem'>jabber.example.com</id>
  <id pemfile='example-net.pem'>jabber.example.net</id>
  <id>jabber1.example.org</id>
  <id>jabber2.example.org</id>
  <id>jabber3.example.org</id>
  <pemfile>example-org.pem</pemfile>
</local>

s2s:
<local>
  <id pemfile='example-com.pem'>jabber.example.com</id>
  <id pemfile='example-net.pem'>jabber.example.net</id>
  <pemfile>example-org.pem</pemfile>
</local>
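The selection rule described in this thread (a table of SSL contexts keyed by domain, "*" as the default key, local.id.pemfile overriding local.pemfile, and the router pemfile as the last fallback), as an added Python illustration that is not jabberd2 code; the parsing of the <local> fragments and the function names are assumptions made here, not the project's API.

```python
"""Model of per-vHost certificate selection as described in ticket #1.

Added illustration, not jabberd2 code. It builds a table keyed by local
id with "*" holding the default, then resolves a domain the way the
patch description says the SSL context hash is consulted.
"""
import xml.etree.ElementTree as ET

DEFAULT_KEY = "*"  # internal name of the default context, per the comment above

# Constructed sample: the s2s <local> block quoted in the comment above.
S2S_LOCAL = """
<local>
  <id pemfile='example-com.pem'>jabber.example.com</id>
  <id pemfile='example-net.pem'>jabber.example.net</id>
  <pemfile>example-org.pem</pemfile>
</local>
"""


def build_context_table(local_xml, router_pemfile=None):
    """Return {domain: pemfile} with the default stored under "*".

    local.pemfile is the default; if it is absent the router connection's
    pemfile is used (the pre-patch behaviour). Only ids that carry their
    own pemfile get an entry; the others fall through to "*" at lookup.
    """
    root = ET.fromstring(local_xml.strip())
    pem = root.findtext("pemfile")
    default = pem.strip() if pem and pem.strip() else router_pemfile
    table = {}
    if default is not None:
        table[DEFAULT_KEY] = default
    for node in root.findall("id"):
        name = (node.text or "").strip().lower()
        if name and node.get("pemfile"):
            table[name] = node.get("pemfile")
    return table


def select_pemfile(table, domain):
    """Resolve the 'to' (c2s) or 'from' (s2s) domain to a certificate file.

    Exact domain match first, then the "*" default; None means no
    certificate is configured at all, so TLS cannot be offered.
    """
    return table.get(domain.lower(), table.get(DEFAULT_KEY))
```

Domains are lowercased before lookup, an assumption made here so that case differences in the 'to' stream attribute do not miss a configured id.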

  Changed 7 months ago by smoku

  • status changed from assigned to closed
  • resolution set to fixed

In [564]: Proper certificate per vHost handling by Simon Arlott. Fixes #1

Changed 6 months ago by Simon

Avoid using or requiring local_pemfile for s2s

  Changed 6 months ago by Simon

I've added a fix for some uses of local_pemfile in the s2s code that need to be changed.

Changed 6 months ago by Simon

Avoid using or requiring local_pemfile for s2s
