stream-ssl: Make it possible to avoid checking peer SSL certificate.

In Citrix XenServer, the hosts have SSL private keys and certificates, but
those certificates are not signed by any certificate authority.  So we
must provide a way to avoid checking certificates against a CA if we want
other OVS tools to be able to talk to XenServer hosts over SSL.  This
commit makes that possible.

diff --git a/lib/ssl.man b/lib/ssl.man
index 63f56d5ff481dd29764ee14a8893a42d0cb91134..5f0215c01fbe866ead5e34cf744b29255287d361 100644 (file)
--- a/lib/ssl.man
+++ b/lib/ssl.man
@@ -22,3 +22,9 @@ should use to verify certificates presented to it by SSL peers.  (This
 may be the same certificate that SSL peers use to verify the
 certificate specified on \fB\-c\fR or \fB\-\-certificate\fR, or it may
 be a different one, depending on the PKI design in use.)
+.
+.IP "\fB\-C none\fR"
+.IQ "\fB\-\-ca\-cert=none\fR"
+Disables verification of certificates presented by SSL peers.  This
+introduces a security risk, because it means that certificates cannot
+be verified to be those of known trusted hosts.

diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
index 830b482f42fc9a130a750f87edd9dd37c2547a1e..153357cd78ea7a27eaa3d0f011455e9cc302cfa8 100644 (file)
--- a/lib/stream-ssl.c
+++ b/lib/stream-ssl.c
@@ -141,6 +141,11 @@ static struct ssl_config_file private_key;
 static struct ssl_config_file certificate;
 static struct ssl_config_file ca_cert;
 
+/* Ordinarily, the SSL client and server verify each other's certificates using
+ * a CA certificate.  Setting this to false disables this behavior.  (This is a
+ * security risk.) */
+static bool verify_peer_cert = true;
+
 /* Ordinarily, we require a CA certificate for the peer to be locally
  * available.  We can, however, bootstrap the CA certificate from the peer at
  * the beginning of our first connection then use that certificate on all
@@ -204,7 +209,7 @@ new_ssl_stream(const char *name, int fd, enum session_type type,
         VLOG_ERR("Certificate must be configured to use SSL");
         retval = ENOPROTOOPT;
     }
-    if (!ca_cert.read && !bootstrap_ca_cert) {
+    if (!ca_cert.read && verify_peer_cert && !bootstrap_ca_cert) {
         VLOG_ERR("CA certificate must be configured to use SSL");
         retval = ENOPROTOOPT;
     }
@@ -243,7 +248,7 @@ new_ssl_stream(const char *name, int fd, enum session_type type,
         retval = ENOPROTOOPT;
         goto error;
     }
-    if (bootstrap_ca_cert && type == CLIENT) {
+    if (!verify_peer_cert || (bootstrap_ca_cert && type == CLIENT)) {
         SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL);
     }
 
@@ -425,9 +430,10 @@ ssl_connect(struct stream *stream)
             }
         } else if (bootstrap_ca_cert) {
             return do_ca_cert_bootstrap(stream);
-        } else if ((SSL_get_verify_mode(sslv->ssl)
-                    & (SSL_VERIFY_NONE | SSL_VERIFY_PEER))
-                   != SSL_VERIFY_PEER) {
+        } else if (verify_peer_cert
+                   && ((SSL_get_verify_mode(sslv->ssl)
+                       & (SSL_VERIFY_NONE | SSL_VERIFY_PEER))
+                       != SSL_VERIFY_PEER)) {
             /* Two or more SSL connections completed at the same time while we
              * were in bootstrap mode.  Only one of these can finish the
              * bootstrap successfully.  The other one(s) must be rejected
@@ -1106,7 +1112,11 @@ stream_ssl_set_ca_cert_file__(const char *file_name, bool bootstrap)
     size_t n_certs;
     struct stat s;
 
-    if (bootstrap && stat(file_name, &s) && errno == ENOENT) {
+    if (!strcmp(file_name, "none")) {
+        verify_peer_cert = false;
+        VLOG_WARN("Peer certificate validation disabled "
+                  "(this is a security risk)");
+    } else if (bootstrap && stat(file_name, &s) && errno == ENOENT) {
         bootstrap_ca_cert = true;
     } else if (!read_cert_file(file_name, &certs, &n_certs)) {
         size_t i;