m_ssl_* Add option to sslprofile controlling whether to request client certificates
authorAttila Molnar <attilamolnar@hush.com>
Mon, 8 Aug 2016 14:42:54 +0000 (16:42 +0200)
committerAttila Molnar <attilamolnar@hush.com>
Mon, 8 Aug 2016 14:42:54 +0000 (16:42 +0200)
src/modules/extra/m_ssl_gnutls.cpp
src/modules/extra/m_ssl_mbedtls.cpp
src/modules/extra/m_ssl_openssl.cpp

index dfd3b47dd9550fa35078ba09465217ccbbb88f70..bda4e6a4878410b7c0ce8ee3c0c8c43b2520c4c6 100644 (file)
@@ -583,16 +583,21 @@ namespace GnuTLS
                 */
                const unsigned int outrecsize;
 
+               /** True to request a client certificate as a server
+                */
+               const bool requestclientcert;
+
                Profile(const std::string& profilename, const std::string& certstr, const std::string& keystr,
                                std::auto_ptr<DHParams>& DH, unsigned int mindh, const std::string& hashstr,
                                const std::string& priostr, std::auto_ptr<X509CertList>& CA, std::auto_ptr<X509CRL>& CRL,
-                               unsigned int recsize)
+                               unsigned int recsize, bool Requestclientcert)
                        : name(profilename)
                        , x509cred(certstr, keystr)
                        , min_dh_bits(mindh)
                        , hash(hashstr)
                        , priority(priostr)
                        , outrecsize(recsize)
+                       , requestclientcert(Requestclientcert)
                {
                        x509cred.SetDH(DH);
                        x509cred.SetCA(CA, CRL);
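Review bot: The new constructor parameter `Requestclientcert` on the signature line breaks the lowercase naming of its siblings (`recsize`, `mindh`, `hashstr`), which avoid clashing with the member they initialise by using a different spelling rather than a leading capital; `bool reqclientcert` would follow that pattern. The member comment could also state the scope of the flag, which the SetupSession comment later in this file gives as server-only: `/** True to request a client certificate from the peer when acting as a server; has no effect on outgoing (client) sessions. */`. The Profile constructor body continues past the end of this hunk.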
@@ -663,7 +668,10 @@ namespace GnuTLS
 #else
                        unsigned int outrecsize = tag->getInt("outrecsize", 2048, 512, 16384);
 #endif
-                       return new Profile(profilename, certstr, keystr, dh, mindh, hashstr, priostr, ca, crl, outrecsize);
+
+                       const bool requestclientcert = tag->getBool("requestclientcert", true);
+
+                       return new Profile(profilename, certstr, keystr, dh, mindh, hashstr, priostr, ca, crl, outrecsize, requestclientcert);
                }
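Review bot: The new `requestclientcert` sslprofile key is read here with a default of true, and the same read appears in the mbedTLS GetProfile and in the OpenSSL Profile constructor, but no configuration documentation or example-config change accompanies it. Defaulting to true preserves the previous always-request behaviour, which is worth recording next to the read: `// Default true keeps the pre-option behaviour of always requesting a certificate from connecting clients`. The documentation should presumably also say that with the option disabled, clients connecting through this profile cannot be identified by a certificate fingerprint, since no certificate is ever requested from them.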
 
                /** Set up the given session with the settings in this profile
@@ -674,8 +682,9 @@ namespace GnuTLS
                        x509cred.SetupSession(sess);
                        gnutls_dh_set_prime_bits(sess, min_dh_bits);
 
-                       // Request client certificate if we are a server, no-op if we're a client
-                       gnutls_certificate_server_set_request(sess, GNUTLS_CERT_REQUEST);
+                       // Request client certificate if enabled and we are a server, no-op if we're a client
+                       if (requestclientcert)
+                               gnutls_certificate_server_set_request(sess, GNUTLS_CERT_REQUEST);
                }
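Review bot: When `requestclientcert` is false the new branch leaves the session's certificate-request mode at whatever GnuTLS initialises it to, and the comment does not say that this is the intended "do not request" state. If I recall the GnuTLS API correctly, a server sends no CertificateRequest unless `gnutls_certificate_server_set_request` is called, so no explicit `GNUTLS_CERT_IGNORE` call is needed; please confirm and record it, e.g. `// GnuTLS sends no CertificateRequest unless asked, so nothing to do when disabled`. SetupSession begins before this hunk.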
 
                const std::string& GetName() const { return name; }
index 845d02aa3fb2ad266559cb7e27edc2544d14a8d3..a465d06eef1d9c449313ac5ca3ad051413353109 100644 (file)
@@ -257,7 +257,6 @@ namespace mbedTLS
                        mbedtls_debug_set_threshold(INT_MAX);
                        mbedtls_ssl_conf_dbg(&conf, DebugLogFunc, NULL);
 #endif
-                       mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
 
                        // TODO: check ret of mbedtls_ssl_config_defaults
                        mbedtls_ssl_config_defaults(&conf, endpoint, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT);
@@ -308,6 +307,11 @@ namespace mbedTLS
                        mbedtls_ssl_conf_ca_chain(&conf, certs.get(), crl.get());
                }
 
+               void SetOptionalVerifyCert()
+               {
+                       mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
+               }
+
                const mbedtls_ssl_config* GetConf() const { return &conf; }
        };
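Review bot: `SetOptionalVerifyCert` has no doc comment and its name does not convey what MBEDTLS_SSL_VERIFY_OPTIONAL does: the peer certificate is verified, but a failure does not abort the handshake and the result is only available afterwards via `mbedtls_ssl_get_verify_result()`. Suggest `/** Verify the peer certificate if one is presented, but let the handshake continue on failure; the result is queried after the handshake. On a server this also causes a client certificate to be requested. */`. Since `mbedtls_ssl_config_defaults()` sets its own authmode, the comment should also say this must be called after the defaults are applied, so the call is not moved back into the constructor ahead of that line as the removed code was.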
 
@@ -376,7 +380,8 @@ namespace mbedTLS
                                const std::string& castr, const std::string& crlstr,
                                unsigned int recsize,
                                CTRDRBG& ctrdrbg,
-                               int minver, int maxver
+                               int minver, int maxver,
+                               bool requestclientcert
                                )
                        : name(profilename)
                        , x509cred(certstr, keystr)
@@ -414,7 +419,13 @@ namespace mbedTLS
                                serverctx.SetDHParams(dhparams);
                        }
 
-                       serverctx.SetCA(cacerts, crl);
+                       clientctx.SetOptionalVerifyCert();
+                       // The default for servers is to not request a client certificate from the peer
+                       if (requestclientcert)
+                       {
+                               serverctx.SetOptionalVerifyCert();
+                               serverctx.SetCA(cacerts, crl);
+                       }
                }
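Review bot: The unconditional `clientctx.SetOptionalVerifyCert()` means the TLS layer no longer rejects an outgoing connection whose server certificate fails chain verification; trust for outbound links is then presumably enforced by a fingerprint comparison elsewhere in the module, which should be stated here, e.g. `// Client side: verify but never abort on a bad chain; link trust is enforced by fingerprint checks after the handshake`. The server-branch comment ("The default for servers is to not request a client certificate") holds only because `mbedtls_ssl_config_defaults()` in Context's constructor now runs without a preceding authmode override, so it is worth naming that dependency. Skipping `serverctx.SetCA(cacerts, crl)` when the option is off looks intentional but deserves a word too, since the CA list is then never loaded on the server context. The Profile constructor begins before this hunk.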
 
                static std::string ReadFile(const std::string& filename)
@@ -451,7 +462,8 @@ namespace mbedTLS
                        int minver = tag->getInt("minver");
                        int maxver = tag->getInt("maxver");
                        unsigned int outrecsize = tag->getInt("outrecsize", 2048, 512, 16384);
-                       return new Profile(profilename, certstr, keystr, dhstr, mindh, hashstr, ciphersuitestr, curvestr, castr, crlstr, outrecsize, ctr_drbg, minver, maxver);
+                       const bool requestclientcert = tag->getBool("requestclientcert", true);
+                       return new Profile(profilename, certstr, keystr, dhstr, mindh, hashstr, ciphersuitestr, curvestr, castr, crlstr, outrecsize, ctr_drbg, minver, maxver, requestclientcert);
                }
 
                /** Set up the given session with the settings in this profile
index 4ad55643890dc2b009a56702ecca5154cb0ef685..4df0d8962e96b98367d1fc3d339bb2109eae9c5a 100644 (file)
@@ -132,7 +132,7 @@ namespace OpenSSL
                        mode |= SSL_MODE_RELEASE_BUFFERS;
 #endif
                        SSL_CTX_set_mode(ctx, mode);
-                       SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, OnVerify);
+                       SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
                        SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
                        SSL_CTX_set_info_callback(ctx, StaticSSLInfoCallback);
                }
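Review bot: Starting every context with `SSL_VERIFY_NONE` makes verification an opt-in performed later by `SetVerifyCert()`, so a Context used without that call never verifies its peer and, in server mode, never sends a CertificateRequest; that ordering contract is not written down anywhere in the constructor. Suggest `// No verification until the owning Profile calls SetVerifyCert(); in server mode this also suppresses the client certificate request` on the `SSL_CTX_set_verify` line. The constructor begins before this hunk.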
@@ -206,6 +206,11 @@ namespace OpenSSL
                        return SSL_CTX_clear_options(ctx, clearoptions);
                }
 
+               void SetVerifyCert()
+               {
+                       SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, OnVerify);
+               }
+
                SSL* CreateServerSession()
                {
                        SSL* sess = SSL_new(ctx);
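Review bot: `SetVerifyCert` lacks a doc comment and its name hides that the flags are role-dependent: on a server context `SSL_VERIFY_PEER` causes a client certificate to be requested and `SSL_VERIFY_CLIENT_ONCE` stops it being requested again on renegotiation, while on a client context peer verification is already the meaning of the flag and CLIENT_ONCE is ignored. Whether a failed verification aborts the handshake depends on what `OnVerify` returns, which is not visible in this diff. Suggest `/** Enable peer certificate verification through OnVerify; on a server this requests a client certificate once per connection, not on renegotiation. */`. CreateServerSession below continues past the end of this hunk.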
@@ -345,6 +350,10 @@ namespace OpenSSL
                                ERR_print_errors_cb(error_callback, this);
                                ServerInstance->Logs->Log(MODNAME, LOG_DEFAULT, "Can't read CA list from %s. This is only a problem if you want to verify client certificates, otherwise it's safe to ignore this message. Error: %s", filename.c_str(), lasterr.c_str());
                        }
+
+                       clictx.SetVerifyCert();
+                       if (tag->getBool("requestclientcert", true))
+                               ctx.SetVerifyCert();
                }
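Review bot: The option is read inline as `tag->getBool("requestclientcert", true)` rather than stored, unlike the GnuTLS Profile which keeps a `requestclientcert` member; keeping it would let the CA-list warning logged just above ("This is only a problem if you want to verify client certificates") be suppressed or reworded when the profile has disabled client certificates, since the message is then misleading for that profile. With `clictx.SetVerifyCert()` now unconditional, every outgoing connection runs through `OnVerify`, and whether an untrusted server certificate aborts the handshake depends on that callback's return value, which is outside this diff; a line such as `// Outgoing: always verify; the outcome is decided in OnVerify` would make the intent explicit. The Profile constructor begins before this hunk.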
 
                const std::string& GetName() const { return name; }