From: Ben Pfaff Date: Wed, 24 Mar 2010 00:19:36 +0000 (-0700) Subject: stream-ssl: Make it possible to avoid checking peer SSL certificate. X-Git-Url: https://pintos-os.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ba104a1e39de45a2f33da0a132a17646da1ef931;p=openvswitch stream-ssl: Make it possible to avoid checking peer SSL certificate. In Citrix XenServer, the hosts have SSL private keys and certificates, but those certificates are not signed by any certificate authority. So we must provide a way to avoid checking certificates against a CA if we want other OVS tools to be able to talk to XenServer hosts over SSL. This commit makes that possible. --- diff --git a/lib/ssl.man b/lib/ssl.man index 63f56d5f..5f0215c0 100644 --- a/lib/ssl.man +++ b/lib/ssl.man @@ -22,3 +22,9 @@ should use to verify certificates presented to it by SSL peers. (This may be the same certificate that SSL peers use to verify the certificate specified on \fB\-c\fR or \fB\-\-certificate\fR, or it may be a different one, depending on the PKI design in use.) +. +.IP "\fB\-C none\fR" +.IQ "\fB\-\-ca\-cert=none\fR" +Disables verification of certificates presented by SSL peers. This +introduces a security risk, because it means that certificates cannot +be verified to be those of known trusted hosts. diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c index 830b482f..153357cd 100644 --- a/lib/stream-ssl.c +++ b/lib/stream-ssl.c @@ -141,6 +141,11 @@ static struct ssl_config_file private_key; static struct ssl_config_file certificate; static struct ssl_config_file ca_cert; +/* Ordinarily, the SSL client and server verify each other's certificates using + * a CA certificate. Setting this to false disables this behavior. (This is a + * security risk.) */ +static bool verify_peer_cert = true; + /* Ordinarily, we require a CA certificate for the peer to be locally * available. We can, however, bootstrap the CA certificate from the peer at * the beginning of our first connection then use that certificate on all @@ -204,7 +209,7 @@ new_ssl_stream(const char *name, int fd, enum session_type type, VLOG_ERR("Certificate must be configured to use SSL"); retval = ENOPROTOOPT; } - if (!ca_cert.read && !bootstrap_ca_cert) { + if (!ca_cert.read && verify_peer_cert && !bootstrap_ca_cert) { VLOG_ERR("CA certificate must be configured to use SSL"); retval = ENOPROTOOPT; } @@ -243,7 +248,7 @@ new_ssl_stream(const char *name, int fd, enum session_type type, retval = ENOPROTOOPT; goto error; } - if (bootstrap_ca_cert && type == CLIENT) { + if (!verify_peer_cert || (bootstrap_ca_cert && type == CLIENT)) { SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL); } @@ -425,9 +430,10 @@ ssl_connect(struct stream *stream) } } else if (bootstrap_ca_cert) { return do_ca_cert_bootstrap(stream); - } else if ((SSL_get_verify_mode(sslv->ssl) - & (SSL_VERIFY_NONE | SSL_VERIFY_PEER)) - != SSL_VERIFY_PEER) { + } else if (verify_peer_cert + && ((SSL_get_verify_mode(sslv->ssl) + & (SSL_VERIFY_NONE | SSL_VERIFY_PEER)) + != SSL_VERIFY_PEER)) { /* Two or more SSL connections completed at the same time while we * were in bootstrap mode. Only one of these can finish the * bootstrap successfully. The other one(s) must be rejected @@ -1106,7 +1112,11 @@ stream_ssl_set_ca_cert_file__(const char *file_name, bool bootstrap) size_t n_certs; struct stat s; - if (bootstrap && stat(file_name, &s) && errno == ENOENT) { + if (!strcmp(file_name, "none")) { + verify_peer_cert = false; + VLOG_WARN("Peer certificate validation disabled " + "(this is a security risk)"); + } else if (bootstrap && stat(file_name, &s) && errno == ENOENT) { bootstrap_ca_cert = true; } else if (!read_cert_file(file_name, &certs, &n_certs)) { size_t i;