[ovs-dev] [PATCH 11/15] stream-ssl: Make it possible to avoid checking peer SSL certificate.
Ben Pfaff
blp at nicira.com
Wed Mar 24 20:18:14 UTC 2010
In Citrix XenServer, the hosts have SSL private keys and certificates, but
those certificates are not signed by any certificate authority. So we
must provide a way to avoid checking certificates against a CA if we want
other OVS tools to be able to talk to XenServer hosts over SSL. This
commit makes that possible.
---
lib/ssl.man | 6 ++++++
lib/stream-ssl.c | 22 ++++++++++++++++------
2 files changed, 22 insertions(+), 6 deletions(-)
diff --git a/lib/ssl.man b/lib/ssl.man
index 12c497c..44a95fd 100644
--- a/lib/ssl.man
+++ b/lib/ssl.man
@@ -17,3 +17,9 @@ should use to verify certificates presented to it by SSL peers. (This
may be the same certificate that SSL peers use to verify the
certificate specified on \fB\-c\fR or \fB\-\-certificate\fR, or it may
be a different one, depending on the PKI design in use.)
+.
+.IP "\fB\-C none\fR"
+.IQ "\fB\-\-ca\-cert=none\fR"
+Disables verification of certificates presented by SSL peers. This
+introduces a security risk, because it means that certificates cannot
+be verified to be those of known trusted hosts.
diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
index 215934d..4e2ad31 100644
--- a/lib/stream-ssl.c
+++ b/lib/stream-ssl.c
@@ -141,6 +141,11 @@ static struct ssl_config_file private_key;
static struct ssl_config_file certificate;
static struct ssl_config_file ca_cert;
+/* Ordinarily, the SSL client and server verify each other's certificates using
+ * a CA certificate. Setting this to false disables this behavior. (This is a
+ * security risk.) */
+static bool verify_peer_cert = true;
+
/* Ordinarily, we require a CA certificate for the peer to be locally
* available. We can, however, bootstrap the CA certificate from the peer at
* the beginning of our first connection then use that certificate on all
@@ -204,7 +209,7 @@ new_ssl_stream(const char *name, int fd, enum session_type type,
VLOG_ERR("Certificate must be configured to use SSL");
retval = ENOPROTOOPT;
}
- if (!ca_cert.read && !bootstrap_ca_cert) {
+ if (!ca_cert.read && verify_peer_cert && !bootstrap_ca_cert) {
VLOG_ERR("CA certificate must be configured to use SSL");
retval = ENOPROTOOPT;
}
@@ -243,7 +248,7 @@ new_ssl_stream(const char *name, int fd, enum session_type type,
retval = ENOPROTOOPT;
goto error;
}
- if (bootstrap_ca_cert && type == CLIENT) {
+ if (!verify_peer_cert || (bootstrap_ca_cert && type == CLIENT)) {
SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL);
}
@@ -426,9 +431,10 @@ ssl_connect(struct stream *stream)
}
} else if (bootstrap_ca_cert) {
return do_ca_cert_bootstrap(stream);
- } else if ((SSL_get_verify_mode(sslv->ssl)
- & (SSL_VERIFY_NONE | SSL_VERIFY_PEER))
- != SSL_VERIFY_PEER) {
+ } else if (verify_peer_cert
+ && ((SSL_get_verify_mode(sslv->ssl)
+ & (SSL_VERIFY_NONE | SSL_VERIFY_PEER))
+ != SSL_VERIFY_PEER)) {
/* Two or more SSL connections completed at the same time while we
* were in bootstrap mode. Only one of these can finish the
* bootstrap successfully. The other one(s) must be rejected
@@ -1107,7 +1113,11 @@ stream_ssl_set_ca_cert_file__(const char *file_name, bool bootstrap)
size_t n_certs;
struct stat s;
- if (bootstrap && stat(file_name, &s) && errno == ENOENT) {
+ if (!strcmp(file_name, "none")) {
+ verify_peer_cert = false;
+ VLOG_WARN("Peer certificate validation disabled "
+ "(this is a security risk)");
+ } else if (bootstrap && stat(file_name, &s) && errno == ENOENT) {
bootstrap_ca_cert = true;
} else if (!read_cert_file(file_name, &certs, &n_certs)) {
size_t i;
--
1.6.6.1
More information about the dev
mailing list