Modify init_server_ctx to specify custom SSL modes

2016-09-04 12:49:02 +03:00
parent 87d16869ce
commit 1c2473505d

16
rmps.c

@@ -23,7 +23,7 @@ static void cleanup(void);
static void signal_handler(int sig); static void signal_handler(int sig);
static void load_certificates(SSL_CTX *ctx, const char *certfile, static void load_certificates(SSL_CTX *ctx, const char *certfile,
const char *keyfile, const char *cafile); const char *keyfile, const char *cafile);
static SSL_CTX* init_server_ctx(const char *cipherlist); static SSL_CTX* init_server_ctx(const char *cipherlist, int mode);
static int pid_file_handle; static int pid_file_handle;
@@ -194,7 +194,7 @@ static int open_listener(int port)
} }
/* Init server and create context */ /* Init server and create context */
static SSL_CTX* init_server_ctx(const char *cipherlist) static SSL_CTX* init_server_ctx(const char *cipherlist, int mode)
{ {
SSL_CTX *ctx; SSL_CTX *ctx;
char ciphers[1024]; char ciphers[1024];
@@ -210,10 +210,7 @@ static SSL_CTX* init_server_ctx(const char *cipherlist)
log(ERROR, "RMPS failed to start, shutting down..."); log(ERROR, "RMPS failed to start, shutting down...");
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
SSL_CTX_set_verify( ctx, SSL_VERIFY_PEER | SSL_CTX_set_verify(ctx, mode, NULL);
SSL_VERIFY_CLIENT_ONCE |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
NULL);
ciphers[0] = 0; ciphers[0] = 0;
strcat(ciphers, "-ALL"); /* Disable any ciphers we have by default */ strcat(ciphers, "-ALL"); /* Disable any ciphers we have by default */
@@ -277,7 +274,10 @@ void launch_rmps(struct conf_table *conf, int fork_flag)
* -nodes is for not protecing with a passphrase * -nodes is for not protecing with a passphrase
* http://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl * http://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl
*/ */
pool_args[0].ctx = init_server_ctx(conf->rmps.cipherlist); pool_args[0].ctx = init_server_ctx(conf->rmps.cipherlist,
SSL_VERIFY_PEER |
SSL_VERIFY_CLIENT_ONCE |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT);
log(VERBOSE, "Loading agent certs and keys."); log(VERBOSE, "Loading agent certs and keys.");
load_certificates(pool_args[0].ctx, conf->rmps.agent_tls_crt, load_certificates(pool_args[0].ctx, conf->rmps.agent_tls_crt,
conf->rmps.agent_tls_key, conf->rmps.cafile); conf->rmps.agent_tls_key, conf->rmps.cafile);
@@ -287,7 +287,7 @@ void launch_rmps(struct conf_table *conf, int fork_flag)
log(VERBOSE, "Creating agent thread pool (mutex)."); log(VERBOSE, "Creating agent thread pool (mutex).");
pthread_create(&pool[0], NULL, agent_pool, &pool_args[0]); pthread_create(&pool[0], NULL, agent_pool, &pool_args[0]);
pool_args[1].ctx = init_server_ctx(conf->rmps.cipherlist); pool_args[1].ctx = init_server_ctx(conf->rmps.cipherlist, SSL_VERIFY_NONE);
log(VERBOSE, "Loading client certs and keys."); log(VERBOSE, "Loading client certs and keys.");
load_certificates(pool_args[1].ctx, conf->rmps.client_tls_crt, load_certificates(pool_args[1].ctx, conf->rmps.client_tls_crt,
conf->rmps.client_tls_key, conf->rmps.cafile); conf->rmps.client_tls_key, conf->rmps.cafile);
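Review bot: The new `mode` parameter of init_server_ctx (prototype at line 16, definition at line 21, consumed at line 29) is handed directly to SSL_CTX_set_verify, but the function's header comment is still only `/* Init server and create context */` and says nothing about the argument; I would extend it to `/* Init server and create context; mode is the SSL_VERIFY_* flag set handed to SSL_CTX_set_verify() */`. The client-pool context at line 49 is now created with SSL_VERIFY_NONE, so at the TLS layer that context performs no peer-certificate check even though load_certificates() still receives conf->rmps.cafile for it; if anything handling pool_args[1] connections relies on the peer certificate to identify the client, that presumably now needs an application-level check — worth confirming against the client handler, which is outside this diff. Since `mode` is a plain int, the agent verify policy could also be defined once rather than spelled out at the call site, e.g. `static const int AGENT_VERIFY_MODE = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;`, so the required-client-cert policy has a single definition. Both init_server_ctx and launch_rmps continue outside the hunks shown.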