authorPavel Březina <pbrezina@redhat.com>2017-02-28 11:47:32 +0100
committerLukas Slebodnik <lslebodn@redhat.com>2017-03-30 19:08:00 +0200
commit720e1a5b95a953a0f1c8315bbb7c9c1edf9fb417 (patch)
treec559db1c94f83a924d78e22bd7f2d9ddacded5da /src/responder/secrets
parent06744bf5a47d5971a338281c8243b11cf72dac90 (diff)
secrets: allow to configure certificate check
Some users may want to use TLS with an unverified peer (for example if they use a self-signed certificate) or with an unverified hostname (if the certificate hostname does not match the real hostname). On the other side it may be useful to point to a directory containing custom certificate authorities. This patch adds three new options to the secrets responder: verify_peer => peer's certificate must be valid verify_host => hostnames must match capath => path to directory containing CA certs cacert => ca certificate cert => client certificate key => client private key Resolves: https://pagure.io/SSSD/sssd/issue/3192 Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'src/responder/secrets')
-rw-r--r--src/responder/secrets/proxy.c55
1 files changed, 55 insertions, 0 deletions
diff --git a/src/responder/secrets/proxy.c b/src/responder/secrets/proxy.c
index 3c4957160..240a1de1e 100644
--- a/src/responder/secrets/proxy.c
+++ b/src/responder/secrets/proxy.c
@@ -59,6 +59,13 @@ struct proxy_cfg {
struct pat_basic_auth basic;
struct pat_header header;
} auth;
+
+ char *key;
+ char *cert;
+ char *cacert;
+ char *capath;
+ bool verify_peer;
+ bool verify_host;
};
static int proxy_get_config_string(struct proxy_context *pctx,
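Review bot: The six members added to struct proxy_cfg carry no comments, and their meaning (which are optional, what the defaults are) is only recoverable from the config-reading code further down the file. Suggest a short comment per group, e.g. `/* TLS: client certificate and private key, NULL when not configured */` above key/cert, `/* TLS: CA certificate file and CA directory for peer verification */` above cacert/capath, and `/* TLS: verify peer certificate / hostname (both default to true) */` above the two bools. Whether an unset string option yields NULL is inferred from the `pcfg->cert != NULL` check later in the patch, so confirm that before documenting it as a contract. The struct proxy_cfg definition begins outside this hunk.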
@@ -129,6 +136,38 @@ static int proxy_sec_get_cfg(struct proxy_context *pctx,
}
}
+ ret = confdb_get_bool(pctx->cdb, secreq->cfg_section, "verify_peer",
+ true, &cfg->verify_peer);
+ if (ret) goto done;
+ DEBUG(SSSDBG_CONF_SETTINGS, "verify_peer: %s\n",
+ (&cfg->verify_peer ? "true" : "false"));
+
+ ret = confdb_get_bool(pctx->cdb, secreq->cfg_section, "verify_host",
+ true, &cfg->verify_host);
+ if (ret) goto done;
+ DEBUG(SSSDBG_CONF_SETTINGS, "verify_host: %s\n",
+ (&cfg->verify_host ? "true" : "false"));
+
+ ret = proxy_get_config_string(pctx, cfg, false, secreq,
+ "capath", &cfg->capath);
+ if (ret) goto done;
+ DEBUG(SSSDBG_CONF_SETTINGS, "capath: %s\n", cfg->capath);
+
+ ret = proxy_get_config_string(pctx, cfg, false, secreq,
+ "cacert", &cfg->cacert);
+ if (ret) goto done;
+ DEBUG(SSSDBG_CONF_SETTINGS, "cacert: %s\n", cfg->cacert);
+
+ ret = proxy_get_config_string(pctx, cfg, false, secreq,
+ "cert", &cfg->cert);
+ if (ret) goto done;
+ DEBUG(SSSDBG_CONF_SETTINGS, "cert: %s\n", cfg->cert);
+
+ ret = proxy_get_config_string(pctx, cfg, false, secreq,
+ "key", &cfg->key);
+ if (ret) goto done;
+ DEBUG(SSSDBG_CONF_SETTINGS, "key: %s\n", cfg->key);
+
ret = confdb_get_string_as_list(pctx->cdb, cfg, secreq->cfg_section,
"forward_headers", &cfg->fwd_headers);
if ((ret != 0) && (ret != ENOENT)) goto done;
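Review bot: The DEBUG calls after the verify_peer and verify_host reads take the address of the bool instead of its value (`(&cfg->verify_peer ? "true" : "false")`), so the condition is always true and the log reports "true" even when verification has been disabled; drop the `&` in both: `(cfg->verify_peer ? "true" : "false")` and `(cfg->verify_host ? "true" : "false")`. That matters because these lines are the only place the effective TLS verification settings are reported, so an operator auditing whether peer checks were turned off would be misled. The capath/cacert/cert/key DEBUG lines pass a possibly-NULL pointer to `%s`, which is not guaranteed to be safe; printing `cfg->capath ? cfg->capath : "(none)"` and likewise for the others avoids it. Since the later hunk only consumes `key` when `cert` is set, a `key` configured without `cert` is silently ignored, and a DEBUG line here noting that would help diagnosis. proxy_sec_get_cfg continues outside this hunk.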
@@ -385,6 +424,22 @@ static errno_t proxy_http_create_request(TALLOC_CTX *mem_ctx,
goto done;
}
+ /* Set TLS settings to verify peer.
+ * This has no effect for HTTP protocol so we can set it anyway. */
+ ret = tcurl_req_verify_peer(tcurl_req, pcfg->capath, pcfg->cacert,
+ pcfg->verify_peer, pcfg->verify_host);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ /* Set client's certificate if required. */
+ if (pcfg->cert != NULL) {
+ ret = tcurl_req_set_client_cert(tcurl_req, pcfg->cert, pcfg->key);
+ if (ret != EOK) {
+ goto done;
+ }
+ }
+
talloc_steal(tcurl_req, body);
*_tcurl_req = talloc_steal(mem_ctx, tcurl_req);