
tls: CRL support

Support for certificate revocation lists.
Patch by Couprie Geoffroy geoffroy.couprie atosorigin com
(FS#88) ported to 3.1 (config framework, relative pathname support)
and with more docs.

Closes FS#88.

Andrei Pelinescu-Onciul authored on 09/09/2010 18:50:24
Showing 11 changed files
... ...
@@ -101,6 +101,7 @@ modules:
101 101
            blst_rpl_clear_ignore(mask): like blst_rpl_ignore(mask), but
102 102
             clears instead of setting.
103 103
    - tls:
104
+          certificate revocation list (CRL) support.
104 105
           asynchronous TLS support
105 106
           new TLS RPCs (tls.info, tls.options), tls.list more detailed.
106 107
           removed handshake_timeout and send_timeout module parameters /
... ...
@@ -108,6 +109,7 @@ modules:
108 109
             (tcp_connect_timeout and tcp_send_timeout).
109 110
           runtime config support
110 111
           more config options:
112
+            crl - certificate revocation list file path (PEM format).
111 113
             send_close_notify - enables/disables sending close notify
112 114
               alerts prior to closing the corresponding TCP connection.
113 115
               Sending the close notify prior to tcp shutdown is "nicer"
... ...
@@ -52,7 +52,7 @@
52 52
 #define TLS_PKEY_FILE "cert.pem" 	/*!< The certificate private key file */
53 53
 #define TLS_CERT_FILE "cert.pem"	/*!< The certificate file */
54 54
 #define TLS_CA_FILE 0			/*!< no CA list file by default */
55
-
55
+#define TLS_CRL_FILE 0 /*!< no CRL by default */
56 56
 
57 57
 #define MAX_LISTEN 16			/*!< maximum number of addresses on which we will listen */
58 58
 
... ...
@@ -23,28 +23,29 @@ Andrei Pelinescu-Onciul
23 23
         1.9.2. certificate (string)
24 24
         1.9.3. private_key (string)
25 25
         1.9.4. ca_list (string)
26
-        1.9.5. verify_certificate (boolean)
27
-        1.9.6. verify_depth (integer)
28
-        1.9.7. require_certificate (boolean)
29
-        1.9.8. cipher_list (string)
30
-        1.9.9. send_timeout (int)
31
-        1.9.10. handshake_timeout (int)
32
-        1.9.11. connection_timeout (int)
33
-        1.9.12. tls_disable_compression (boolean)
34
-        1.9.13. ssl_release_buffers (integer)
35
-        1.9.14. ssl_free_list_max_len (integer)
36
-        1.9.15. ssl_max_send_fragment (integer)
37
-        1.9.16. ssl_read_ahead (boolean)
38
-        1.9.17. send_close_notify (boolean)
39
-        1.9.18. con_ct_wq_max (integer)
40
-        1.9.19. ct_wq_max (integer)
41
-        1.9.20. ct_wq_blk_size (integer)
42
-        1.9.21. tls_log (int)
43
-        1.9.22. tls_debug (int)
44
-        1.9.23. low_mem_threshold1 (integer)
45
-        1.9.24. low_mem_threshold2 (integer)
46
-        1.9.25. tls_force_run (boolean)
47
-        1.9.26. config (string)
26
+        1.9.5. crl (string)
27
+        1.9.6. verify_certificate (boolean)
28
+        1.9.7. verify_depth (integer)
29
+        1.9.8. require_certificate (boolean)
30
+        1.9.9. cipher_list (string)
31
+        1.9.10. send_timeout (int)
32
+        1.9.11. handshake_timeout (int)
33
+        1.9.12. connection_timeout (int)
34
+        1.9.13. tls_disable_compression (boolean)
35
+        1.9.14. ssl_release_buffers (integer)
36
+        1.9.15. ssl_free_list_max_len (integer)
37
+        1.9.16. ssl_max_send_fragment (integer)
38
+        1.9.17. ssl_read_ahead (boolean)
39
+        1.9.18. send_close_notify (boolean)
40
+        1.9.19. con_ct_wq_max (integer)
41
+        1.9.20. ct_wq_max (integer)
42
+        1.9.21. ct_wq_blk_size (integer)
43
+        1.9.22. tls_log (int)
44
+        1.9.23. tls_debug (int)
45
+        1.9.24. low_mem_threshold1 (integer)
46
+        1.9.25. low_mem_threshold2 (integer)
47
+        1.9.26. tls_force_run (boolean)
48
+        1.9.27. config (string)
48 49
 
49 50
    1.10. Functions
50 51
 
... ...
@@ -363,8 +364,7 @@ modparam("tls", "private", "/usr/local/etc/ser/my_pkey.pem")
363 364
 
364 365
    Sets the CA list file name. This file contains a list of all the
365 366
    trusted CAs certificates. If a signature in a certificate chain belongs
366
-   to one of the listed CAs, the authentication will succeed. See also
367
-   verify_certificate, verify_depth and require_certificate.
367
+   to one of the listed CAs, the authentication will succeed.
368 368
 
369 369
    If the file name starts with a '.' the path will be relative to the
370 370
    working directory (at runtime). If it starts with a '/' it will be an
... ...
@@ -378,12 +378,61 @@ modparam("tls", "private", "/usr/local/etc/ser/my_pkey.pem")
378 378
    certificate in the PEM format to one file, e.g.: for f in
379 379
    trusted_cas/*.pem ; do cat "$f" >> ca_list.pem ; done .
380 380
 
381
+   See also verify_certificate, verify_depth, require_certificate and crl.
382
+
381 383
    Example 6. Set ca_list parameter
382 384
 ...
383 385
 modparam("tls", "ca_list", "/usr/local/etc/ser/ca_list.pem")
384 386
 ...
385 387
 
386
-1.9.5. verify_certificate (boolean)
388
+1.9.5. crl (string)
389
+
390
+   Sets the certificate revocation list file name. This file contains a
391
+   list of revoked certificates. Any attempt to verify a revoked
392
+   certificate will fail.
393
+
394
+   If not set, no crl list will be used.
395
+
396
+   If the file name starts with a '.' the path will be relative to the
397
+   working directory (at runtime). If it starts with a '/' it will be an
398
+   absolute path and if it starts with anything else the path will be
399
+   relative to the main config file directory (e.g.: for ser -f
400
+   /etc/ser/ser.cfg it will be relative to /etc/ser/).
401
+
402
+Note
403
+
404
+   If set, require_certificate should also be set or it will not have any
405
+   effect.
406
+
407
+   By default the crl file is not set.
408
+
409
+   To update the crl in a running ser, make sure you configure tls via a
410
+   separate tls config file (the config modparam) and issue a tls.reload
411
+   RPC call, e.g.:
412
+ $ sercmd tls.reload
413
+
414
+   A quick way to create the CRL in PEM format, using openssl is:
415
+ $ openssl ca -gencrl -keyfile cacert.key -cert cacert.pem -out my_crl.pem
416
+
417
+   my_crl.pem will contain the signed list of the revoked certificates.
418
+
419
+   To revoke a certificate use something like:
420
+ $ openssl ca -revoke bad_cert.pem -keyfile cacert.key -cert cacert.pem
421
+
422
+   and then refresh the crl file using the command above.
423
+
424
+   To display the CRL contents use:
425
+ $ openssl crl -in crl.pem -noout -text
426
+
427
+   See also ca_list, verify_certificate, verify_depth and
428
+   require_certificate.
429
+
430
+   Example 7. Set crl parameter
431
+...
432
+modparam("tls", "crl", "/usr/local/etc/ser/crl.pem")
433
+...
434
+
435
+1.9.6. verify_certificate (boolean)
387 436
 
388 437
    If enabled it will force certificate verification. For more information
389 438
    see the verify(1) openssl man page.
... ...
@@ -395,12 +444,12 @@ modparam("tls", "ca_list", "/usr/local/etc/ser/ca_list.pem")
395 444
 
396 445
    By default the certificate verification is off.
397 446
 
398
-   Example 7. Set verify_certificate parameter
447
+   Example 8. Set verify_certificate parameter
399 448
 ...
400 449
 modparam("tls", "verify_certificate", 1)
401 450
 ...
402 451
 
403
-1.9.6. verify_depth (integer)
452
+1.9.7. verify_depth (integer)
404 453
 
405 454
    Sets how far up the certificate chain will the certificate verification
406 455
    go in the search for a trusted CA.
... ...
@@ -409,12 +458,12 @@ modparam("tls", "verify_certificate", 1)
409 458
 
410 459
    The default value is 9.
411 460
 
412
-   Example 8. Set verify_depth parameter
461
+   Example 9. Set verify_depth parameter
413 462
 ...
414 463
 modparam("tls", "verify_depth", 9)
415 464
 ...
416 465
 
417
-1.9.7. require_certificate (boolean)
466
+1.9.8. require_certificate (boolean)
418 467
 
419 468
    When enabled it will require a certificate from a client. If the client
420 469
    does not offer a certificate and verify_certificate is on, the
... ...
@@ -422,12 +471,12 @@ modparam("tls", "verify_depth", 9)
422 471
 
423 472
    The default value is off.
424 473
 
425
-   Example 9. Set require_certificate parameter
474
+   Example 10. Set require_certificate parameter
426 475
 ...
427 476
 modparam("tls", "require_certificate", 1)
428 477
 ...
429 478
 
430
-1.9.8. cipher_list (string)
479
+1.9.9. cipher_list (string)
431 480
 
432 481
    Sets the list of accepted ciphers. The list consists of cipher strings
433 482
    separated by colons. For more information on the cipher list format see
... ...
@@ -436,24 +485,24 @@ modparam("tls", "require_certificate", 1)
436 485
    The default value is not set (all the Openssl supported ciphers are
437 486
    enabled).
438 487
 
439
-   Example 10. Set cipher_list parameter
488
+   Example 11. Set cipher_list parameter
440 489
 ...
441 490
 modparam("tls", "cipher_list", "HIGH")
442 491
 ...
443 492
 
444
-1.9.9. send_timeout (int)
493
+1.9.10. send_timeout (int)
445 494
 
446 495
    This parameter is obsolete and cannot be used in newer TLS versions (>
447 496
    sip-router 3.0). In these versions the send_timeout is replaced by
448 497
    tcp_send_timeout (common with all the tcp connections).
449 498
 
450
-1.9.10. handshake_timeout (int)
499
+1.9.11. handshake_timeout (int)
451 500
 
452 501
    This parameter is obsolete and cannot be used in newer TLS versions (>
453 502
    sip-router 3.0). In these versions the handshake_timeout is replaced by
454 503
    tcp_connect_timeout (common with all the tcp connections).
455 504
 
456
-1.9.11. connection_timeout (int)
505
+1.9.12. connection_timeout (int)
457 506
 
458 507
    Sets the amount of time after which an idle TLS connection will be
459 508
    closed, if no I/O ever occured after the initial open. If an I/O event
... ...
@@ -467,15 +516,15 @@ modparam("tls", "cipher_list", "HIGH")
467 516
    It can be changed also at runtime, via the RPC interface and config
468 517
    framework. The config variable name is tls.connection_timeout.
469 518
 
470
-   Example 11. Set connection_timeout parameter
519
+   Example 12. Set connection_timeout parameter
471 520
 ...
472 521
 modparam("tls", "connection_timeout", 60)
473 522
 ...
474 523
 
475
-   Example 12. Set tls.connection_timeout at runtime
524
+   Example 13. Set tls.connection_timeout at runtime
476 525
  $ sercmd cfg.set_now_int tls connection_timeout 180
477 526
 
478
-1.9.12. tls_disable_compression (boolean)
527
+1.9.13. tls_disable_compression (boolean)
479 528
 
480 529
    If set compression over SSL/TLS will be disabled. Note that compression
481 530
    uses a lot of memory (about 10x more then with the compression
... ...
@@ -484,12 +533,12 @@ modparam("tls", "connection_timeout", 60)
484 533
 
485 534
    By default compression is disabled.
486 535
 
487
-   Example 13. Set tls_disable_compression parameter
536
+   Example 14. Set tls_disable_compression parameter
488 537
 ...
489 538
 modparam("tls", "tls_disable_compression", 0) # enable
490 539
 ...
491 540
 
492
-1.9.13. ssl_release_buffers (integer)
541
+1.9.14. ssl_release_buffers (integer)
493 542
 
494 543
    Release internal OpenSSL read or write buffers as soon as they are no
495 544
    longer needed. Combined with ssl_free_list_max_len has the potential of
... ...
@@ -508,10 +557,10 @@ Note
508 557
    This option is supported only for OpenSSL versions >= 1.0.0. On all the
509 558
    other versions attempting to change the default will trigger an error.
510 559
 
511
-   Example 14. Set ssl_release_buffers parameter
560
+   Example 15. Set ssl_release_buffers parameter
512 561
 modparam("tls", "ssl_release_buffers", 1)
513 562
 
514
-1.9.14. ssl_free_list_max_len (integer)
563
+1.9.15. ssl_free_list_max_len (integer)
515 564
 
516 565
    Sets the maximum number of free memory chunks, that OpenSSL will keep
517 566
    per connection. Setting it to 0 would cause any unused memory chunk to
... ...
@@ -531,10 +580,10 @@ Note
531 580
    This option is supported only for OpenSSL versions >= 1.0.0. On all the
532 581
    other versions attempting to change the default will trigger an error.
533 582
 
534
-   Example 15. Set ssl_freelist_max_len parameter
583
+   Example 16. Set ssl_freelist_max_len parameter
535 584
 modparam("tls", "ssl_freelist_max_len", 0)
536 585
 
537
-1.9.15. ssl_max_send_fragment (integer)
586
+1.9.16. ssl_max_send_fragment (integer)
538 587
 
539 588
    Sets the maximum number of bytes (from the clear text) sent into one
540 589
    TLS or SSL record. Valid values are between 512 and 16384. Note however
... ...
@@ -566,10 +615,10 @@ Note
566 615
    This option is supported only for OpenSSL versions >= 0.9.9. On all the
567 616
    other versions attempting to change the default will trigger an error.
568 617
 
569
-   Example 16. Set ssl_max_send_fragment parameter
618
+   Example 17. Set ssl_max_send_fragment parameter
570 619
 modparam("tls", "ssl_max_send_fragment", 4096)
571 620
 
572
-1.9.16. ssl_read_ahead (boolean)
621
+1.9.17. ssl_read_ahead (boolean)
573 622
 
574 623
    Enables read ahead, reducing the number of internal OpenSSL BIO read()
575 624
    calls. This option has only debugging value, in normal circumstances it
... ...
@@ -588,10 +637,10 @@ modparam("tls", "ssl_max_send_fragment", 4096)
588 637
 
589 638
    By default the value is 0 (disabled).
590 639
 
591
-   Example 17. Set ssl_read_ahead parameter
640
+   Example 18. Set ssl_read_ahead parameter
592 641
 modparam("tls", "ssl_read_ahead", 1)
593 642
 
594
-1.9.17. send_close_notify (boolean)
643
+1.9.18. send_close_notify (boolean)
595 644
 
596 645
    Enables/disables sending close notify alerts prior to closing the
597 646
    corresponding TCP connection. Sending the close notify prior to tcp
... ...
@@ -604,15 +653,15 @@ modparam("tls", "ssl_read_ahead", 1)
604 653
    It can be changed also at runtime, via the RPC interface and config
605 654
    framework. The config variable name is tls.send_close_notify.
606 655
 
607
-   Example 18. Set send_close_notify parameter
656
+   Example 19. Set send_close_notify parameter
608 657
 ...
609 658
 modparam("tls", "send_close_notify", 1)
610 659
 ...
611 660
 
612
-   Example 19. Set tls.send_close_notify at runtime
661
+   Example 20. Set tls.send_close_notify at runtime
613 662
  $ sercmd cfg.set_now_int tls send_close_notify 1
614 663
 
615
-1.9.18. con_ct_wq_max (integer)
664
+1.9.19. con_ct_wq_max (integer)
616 665
 
617 666
    Sets the maximum allowed per connection clear-text send queue size in
618 667
    bytes. This queue is used when data cannot be encrypted and sent
... ...
@@ -623,15 +672,15 @@ modparam("tls", "send_close_notify", 1)
623 672
    It can be changed also at runtime, via the RPC interface and config
624 673
    framework. The config variable name is tls.con_ct_wq_max.
625 674
 
626
-   Example 20. Set con_ct_wq_max parameter
675
+   Example 21. Set con_ct_wq_max parameter
627 676
 ...
628 677
 modparam("tls", "con_ct_wq_max", 1048576)
629 678
 ...
630 679
 
631
-   Example 21. Set tls.con_ct_wq_max at runtime
680
+   Example 22. Set tls.con_ct_wq_max at runtime
632 681
  $ sercmd cfg.set_now_int tls con_ct_wq_max 1048576
633 682
 
634
-1.9.19. ct_wq_max (integer)
683
+1.9.20. ct_wq_max (integer)
635 684
 
636 685
    Sets the maximum total number of bytes queued in all the clear-text
637 686
    send queues. These queues are used when data cannot be encrypted and
... ...
@@ -642,15 +691,15 @@ modparam("tls", "con_ct_wq_max", 1048576)
642 691
    It can be changed also at runtime, via the RPC interface and config
643 692
    framework. The config variable name is tls.ct_wq_max.
644 693
 
645
-   Example 22. Set ct_wq_max parameter
694
+   Example 23. Set ct_wq_max parameter
646 695
 ...
647 696
 modparam("tls", "ct_wq_max", 4194304)
648 697
 ...
649 698
 
650
-   Example 23. Set tls.ct_wq_max at runtime
699
+   Example 24. Set tls.ct_wq_max at runtime
651 700
  $ sercmd cfg.set_now_int tls ct_wq_max 4194304
652 701
 
653
-1.9.20. ct_wq_blk_size (integer)
702
+1.9.21. ct_wq_blk_size (integer)
654 703
 
655 704
    Minimum block size for the internal clear-text send queues (debugging /
656 705
    advanced tunning). Good values are multiple of typical datagram sizes.
... ...
@@ -660,15 +709,15 @@ modparam("tls", "ct_wq_max", 4194304)
660 709
    It can be changed also at runtime, via the RPC interface and config
661 710
    framework. The config variable name is tls.ct_wq_blk_size.
662 711
 
663
-   Example 24. Set ct_wq_blk_size parameter
712
+   Example 25. Set ct_wq_blk_size parameter
664 713
 ...
665 714
 modparam("tls", "ct_wq_blk_size", 2048)
666 715
 ...
667 716
 
668
-   Example 25. Set tls.ct_wq_max at runtime
717
+   Example 26. Set tls.ct_wq_max at runtime
669 718
  $ sercmd cfg.set_now_int tls ct_wq_blk_size 2048
670 719
 
671
-1.9.21. tls_log (int)
720
+1.9.22. tls_log (int)
672 721
 
673 722
    Sets the log level at which TLS related messages will be logged.
674 723
 
... ...
@@ -677,16 +726,16 @@ modparam("tls", "ct_wq_blk_size", 2048)
677 726
    It can be changed also at runtime, via the RPC interface and config
678 727
    framework. The config variable name is tls.log.
679 728
 
680
-   Example 26. Set tls_log parameter
729
+   Example 27. Set tls_log parameter
681 730
 ...
682 731
 # ignore TLS messages if SIP-router is started with debug less than 10
683 732
 modparam("tls", "tls_log", 10)
684 733
 ...
685 734
 
686
-   Example 27. Set tls.log at runtime
735
+   Example 28. Set tls.log at runtime
687 736
  $ sercmd cfg.set_now_int tls log 10
688 737
 
689
-1.9.22. tls_debug (int)
738
+1.9.23. tls_debug (int)
690 739
 
691 740
    Sets the log level at which TLS debug messages will be logged. Note
692 741
    that TLS debug messages are enabled only if the TLS module is compiled
... ...
@@ -698,16 +747,16 @@ modparam("tls", "tls_log", 10)
698 747
    It can be changed also at runtime, via the RPC interface and config
699 748
    framework. The config variable name is tls.debug.
700 749
 
701
-   Example 28. Set tls_debug parameter
750
+   Example 29. Set tls_debug parameter
702 751
 ...
703 752
 # ignore TLS debug messages if SIP-router is started with debug less than 10
704 753
 modparam("tls", "tls_debug", 10)
705 754
 ...
706 755
 
707
-   Example 29. Set tls.debug at runtime
756
+   Example 30. Set tls.debug at runtime
708 757
  $ sercmd cfg.set_now_int tls debug 10
709 758
 
710
-1.9.23. low_mem_threshold1 (integer)
759
+1.9.24. low_mem_threshold1 (integer)
711 760
 
712 761
    Sets the minimal free memory from which attempts to open or accept new
713 762
    TLS connections will start to fail. The value is expressed in KB.
... ...
@@ -730,15 +779,15 @@ modparam("tls", "tls_debug", 10)
730 779
 
731 780
    See also low_mem_threshold2.
732 781
 
733
-   Example 30. Set low_mem_threshold1 parameter
782
+   Example 31. Set low_mem_threshold1 parameter
734 783
 ...
735 784
 modparam("tls", "low_mem_threshold1", -1)
736 785
 ...
737 786
 
738
-   Example 31. Set tls.low_mem_threshold1 at runtime
787
+   Example 32. Set tls.low_mem_threshold1 at runtime
739 788
  $ sercmd cfg.set_now_int tls low_mem_threshold1 2048
740 789
 
741
-1.9.24. low_mem_threshold2 (integer)
790
+1.9.25. low_mem_threshold2 (integer)
742 791
 
743 792
    Sets the minimal free memory from which TLS operations on already
744 793
    established TLS connections will start to fail preemptively. The value
... ...
@@ -762,15 +811,15 @@ modparam("tls", "low_mem_threshold1", -1)
762 811
 
763 812
    See also low_mem_threshold1.
764 813
 
765
-   Example 32. Set low_mem_threshold2 parameter
814
+   Example 33. Set low_mem_threshold2 parameter
766 815
 ...
767 816
 modparam("tls", "low_mem_threshold2", -1)
768 817
 ...
769 818
 
770
-   Example 33. Set tls.low_mem_threshold2 at runtime
819
+   Example 34. Set tls.low_mem_threshold2 at runtime
771 820
  $ sercmd cfg.set_now_int tls low_mem_threshold2 1024
772 821
 
773
-1.9.25. tls_force_run (boolean)
822
+1.9.26. tls_force_run (boolean)
774 823
 
775 824
    If enabled SIP-router will start even if some of the openssl sanity
776 825
    checks fail (turn it on at your own risk).
... ...
@@ -786,12 +835,12 @@ modparam("tls", "low_mem_threshold2", -1)
786 835
 
787 836
    By default tls_force_run is disabled.
788 837
 
789
-   Example 34. Set tls_force_run parameter
838
+   Example 35. Set tls_force_run parameter
790 839
 ...
791 840
 modparam("tls", "tls_force_run", 11)
792 841
 ...
793 842
 
794
-1.9.26. config (string)
843
+1.9.27. config (string)
795 844
 
796 845
    Sets the name of the TLS specific config file.
797 846
 
... ...
@@ -817,6 +866,7 @@ modparam("tls", "tls_force_run", 11)
817 866
      * certificate
818 867
      * verify_depth
819 868
      * ca_list
869
+     * crl
820 870
      * cipher_list
821 871
 
822 872
    All the parameters that take filenames as values will be resolved using
... ...
@@ -829,14 +879,15 @@ modparam("tls", "tls_force_run", 11)
829 879
    client when it initiates a new connection by itself (it connects to
830 880
    something).
831 881
 
832
-   Example 35. Short config file
882
+   Example 36. Short config file
833 883
 [server:default]
834 884
 method = TLSv1
835
-verify_certificate = no
836
-require_certificate = no
885
+verify_certificate = yes
886
+require_certificate = yes
837 887
 private_key = default_key.pem
838 888
 certificate = default_cert.pem
839 889
 ca_list = default_ca.pem
890
+crl = default_crl.pem
840 891
 
841 892
 [client:default]
842 893
 verify_certificate = yes
... ...
@@ -855,7 +906,7 @@ ca_list = local_ca.pem
855 906
    For a more complete example check the tls.cfg distributed with the
856 907
    SIP-router source (sip_router/modules/tls/tls.cfg).
857 908
 
858
-   Example 36. Set config parameter
909
+   Example 37. Set config parameter
859 910
 ...
860 911
 modparam("tls", "config", "/usr/local/etc/ser/tls.cfg")
861 912
 ...
... ...
@@ -863,7 +914,7 @@ modparam("tls", "config", "/usr/local/etc/ser/tls.cfg")
863 914
    It can be changed also at runtime. The new config will not be loaded
864 915
    immediately, but after the first tls.reload RPC call.
865 916
 
866
-   Example 37. Change and reload tls config at runtime
917
+   Example 38. Change and reload tls config at runtime
867 918
  $ sercmd cfg.set_now_string tls config "/usr/local/etc/ser/new_tls.cfg"
868 919
  $ sercmd tls.reload
869 920
 
... ...
@@ -878,7 +929,7 @@ modparam("tls", "config", "/usr/local/etc/ser/tls.cfg")
878 929
    , the peer presented an X509 certificate and the certificate chain
879 930
    verified ok. It can be used only in a request route.
880 931
 
881
-   Example 38. is_peer_verified usage
932
+   Example 39. is_peer_verified usage
882 933
         if (proto==TLS && !is_peer_verified()){
883 934
                 sl_send_reply("400", "No certificate or verification failed");
884 935
                 drop;
... ...
@@ -125,10 +125,7 @@ modparam("tls", "private", "/usr/local/etc/ser/my_pkey.pem")
125 125
 	<para>
126 126
 		Sets the CA list file name. This file contains a list of all the
127 127
 		trusted CAs certificates. If a signature in a certificate chain belongs
128
-		to one of the listed CAs, the authentication will succeed. See also
129
-		<emphasis>verify_certificate</emphasis>,
130
-		<emphasis>verify_depth</emphasis> and
131
-		<emphasis>require_certificate</emphasis>.
128
+		to one of the listed CAs, the authentication will succeed.
132 129
 	</para>
133 130
 	<para>
134 131
 		If the file name starts with a '.' the path will be relative to the
... ...
@@ -145,6 +142,13 @@ modparam("tls", "private", "/usr/local/etc/ser/my_pkey.pem")
145 142
 		certificate in the PEM format to one file, e.g.: for f in
146 143
 		trusted_cas/*.pem ; do cat "$f" &gt;&gt; ca_list.pem ; done .
147 144
 	</para>
145
+	<para>
146
+		See also
147
+		<emphasis>verify_certificate</emphasis>,
148
+		<emphasis>verify_depth</emphasis>,
149
+		<emphasis>require_certificate</emphasis> and
150
+		<emphasis>crl</emphasis>.
151
+	</para>
148 152
 	<example>
149 153
 	    <title>Set <varname>ca_list</varname> parameter</title>
150 154
 	    <programlisting>
... ...
@@ -155,6 +159,76 @@ modparam("tls", "ca_list", "/usr/local/etc/ser/ca_list.pem")
155 159
 	</example>
156 160
 	</section>
157 161
 
162
+<section id="crl">
163
+	<title><varname>crl</varname> (string)</title>
164
+	<para>
165
+		Sets the certificate revocation list file name. This file contains a
166
+		list of revoked certificates. Any attempt to verify a revoked
167
+		certificate will fail.
168
+	</para>
169
+	<para>
170
+		If not set, no crl list will be used.
171
+	</para>
172
+	<para>
173
+		If the file name starts with a '.' the path will be relative to the
174
+		working directory (<emphasis>at runtime</emphasis>). If it starts
175
+		with a '/' it will be an absolute path and if it starts with anything
176
+		else the path will be relative to the main config file directory
177
+		(e.g.: for ser -f /etc/ser/ser.cfg it will be relative to /etc/ser/).
178
+	</para>
179
+	<note><para>
180
+		If set, <varname>require_certificate</varname> should also be set
181
+		or it will not have any effect.
182
+	</para></note>
183
+	<para>
184
+		By default the crl file is not set.
185
+	</para>
186
+	<para>
187
+		To update the crl in a running ser, make sure you configure tls
188
+		via a separate tls config file
189
+		(the <varname>config</varname> modparam) and issue a tls.reload
190
+		RPC call, e.g.:
191
+		<programlisting>
192
+ $ &sercmd; tls.reload
193
+		</programlisting>
194
+	</para>
195
+	<para>
196
+		A quick way to create the CRL in PEM format, using openssl is:
197
+		<programlisting>
198
+ $ openssl ca -gencrl -keyfile cacert.key -cert cacert.pem -out my_crl.pem
199
+		</programlisting>
200
+		 my_crl.pem will contain the signed list of the revoked certificates.
201
+	</para>
202
+	<para>
203
+		To revoke a certificate use something like:
204
+		<programlisting>
205
+ $ openssl ca -revoke bad_cert.pem -keyfile cacert.key -cert cacert.pem
206
+		</programlisting>
207
+		and then refresh the crl file using the command above.
208
+	</para>
209
+	<para>
210
+		To display the CRL contents use:
211
+		<programlisting>
212
+ $ openssl crl -in crl.pem -noout -text
213
+		</programlisting>
214
+	</para>
215
+	<para>
216
+		See also
217
+		<emphasis>ca_list</emphasis>,
218
+		<emphasis>verify_certificate</emphasis>,
219
+		<emphasis>verify_depth</emphasis> and
220
+		<emphasis>require_certificate</emphasis>.
221
+	</para>
222
+	<example>
223
+	    <title>Set <varname>crl</varname> parameter</title>
224
+	    <programlisting>
225
+...
226
+modparam("tls", "crl", "/usr/local/etc/ser/crl.pem")
227
+...
228
+	    </programlisting>
229
+	</example>
230
+	</section>
231
+
158 232
 <section id="verify_certificate">
159 233
 	<title><varname>verify_certificate</varname> (boolean)</title>
160 234
 	<para>
... ...
@@ -820,6 +894,7 @@ modparam("tls", "tls_force_run", 11)
820 894
 			<listitem><para>certificate</para></listitem>
821 895
 			<listitem><para>verify_depth</para></listitem>
822 896
 			<listitem><para>ca_list</para></listitem>
897
+			<listitem><para>crl</para></listitem>
823 898
 			<listitem><para>cipher_list</para></listitem>
824 899
 	</itemizedlist>
825 900
 	<para>
... ...
@@ -839,11 +914,12 @@ modparam("tls", "tls_force_run", 11)
839 914
 	<programlisting>
840 915
 [server:default]
841 916
 method = TLSv1
842
-verify_certificate = no
843
-require_certificate = no
917
+verify_certificate = yes
918
+require_certificate = yes
844 919
 private_key = default_key.pem
845 920
 certificate = default_cert.pem
846 921
 ca_list = default_ca.pem
922
+crl = default_crl.pem
847 923
 
848 924
 [client:default]
849 925
 verify_certificate = yes
... ...
@@ -19,6 +19,8 @@ verify_certificate = no
19 19
 require_certificate = no
20 20
 private_key = ./modules/tls/ser-selfsigned.key
21 21
 certificate = ./modules/tls/ser-selfsigned.pem
22
+#ca_list = ./modules/tls/cacert.pem
23
+#crl = ./modules/tls/crl.pem
22 24
 
23 25
 # This is the default client domain, settings
24 26
 # in this domain will be used for all outgoing
... ...
@@ -46,6 +48,7 @@ require_certificate = yes
46 48
 #certificate = ./modules/tls/local_cert.pem
47 49
 #verify_depth = 3
48 50
 #ca_list = local_ca.pem
51
+#crl = local_crl.pem
49 52
 
50 53
 # Special settings for the iptel.org public SIP
51 54
 # server. We do not verify the certificate of the
... ...
@@ -59,3 +62,4 @@ require_certificate = yes
59 62
 #certificate = ./modules/tls/iptel_client.pem
60 63
 #private_key = ./modules/tls/iptel_key.pem
61 64
 #ca_list = ./modules/tls/iptel_ca.pem
65
+#crl = ./modules/tls/iptel_crl.pem
... ...
@@ -41,6 +41,7 @@ struct cfg_group_tls default_tls_cfg = {
41 41
 	0, /* require_certificate */
42 42
 	STR_NULL, /* private_key (default value set in fix_tls_cfg) */
43 43
 	STR_NULL, /* ca_list (default value set in fix_tls_cfg) */
44
+	STR_NULL, /* crl (default value set in fix_tls_cfg) */
44 45
 	STR_NULL, /* certificate (default value set in fix_tls_cfg) */
45 46
 	STR_NULL, /* cipher_list (default value set in fix_tls_cfg) */
46 47
 	0, /* session_cache */
... ...
@@ -151,6 +152,9 @@ cfg_def_t	tls_cfg_def[] = {
151 152
 		" contained in the certificate file" },
152 153
 	{"ca_list", CFG_VAR_STR | CFG_READONLY, 0, 0, 0, 0,
153 154
 		"name of the file containing the trusted CA list (pem format)" },
155
+	{"crl", CFG_VAR_STR | CFG_READONLY, 0, 0, 0, 0,
156
+		"name of the file containing the CRL  (certificare revocation list"
157
+			" in pem format)" },
154 158
 	{"certificate", CFG_VAR_STR | CFG_READONLY, 0, 0, 0, 0,
155 159
 		"name of the file containing the certificate (pem format)" },
156 160
 	{"cipher_list", CFG_VAR_STR | CFG_READONLY, 0, 0, 0, 0,
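Review bot: The help string of the new `crl` entry misspells "certificate" and carries a double space: `"name of the file containing the CRL  (certificare revocation list"`. This text is what the cfg framework shows to operators when they list the tls group, so it is user visible; change it to `"name of the file containing the CRL (certificate revocation list"`. Marking the entry CFG_READONLY, like ca_list, appears consistent with the README's statement that the CRL can only be refreshed through tls.reload with a separate tls config file, but the reload path itself is outside this hunk.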
... ...
@@ -263,6 +267,8 @@ int fix_tls_cfg(struct cfg_group_tls* cfg)
263 267
 		return -1;
264 268
 	if (fix_initial_pathname(&cfg->ca_list, TLS_CA_FILE) < 0 )
265 269
 		return -1;
270
+	if (fix_initial_pathname(&cfg->crl, TLS_CRL_FILE) < 0 )
271
+		return -1;
266 272
 	if (fix_initial_pathname(&cfg->certificate, TLS_CERT_FILE) < 0)
267 273
 		return -1;
268 274
 	
... ...
@@ -48,6 +48,7 @@ struct cfg_group_tls {
48 48
 	int require_cert;
49 49
 	str private_key;
50 50
 	str ca_list;
51
+	str crl;
51 52
 	str certificate;
52 53
 	str cipher_list;
53 54
 	int session_cache;
... ...
@@ -159,6 +159,7 @@ static cfg_option_t options[] = {
159 159
 	{"cert_file",           .f = cfg_parse_str_opt, .flags = CFG_STR_SHMMEM},
160 160
 	{"cipher_list",         .f = cfg_parse_str_opt, .flags = CFG_STR_SHMMEM},
161 161
 	{"ca_list",             .f = cfg_parse_str_opt, .flags = CFG_STR_SHMMEM},
162
+	{"crl",                 .f = cfg_parse_str_opt, .flags = CFG_STR_SHMMEM},
162 163
 	{0}
163 164
 };
164 165
 
... ...
@@ -181,6 +182,7 @@ static void update_opt_variables(void)
181 182
 	options[11].param = &domain->cert_file;
182 183
 	options[12].param = &domain->cipher_list;
183 184
 	options[13].param = &domain->ca_file;
185
+	options[14].param = &domain->crl_file;
184 186
 }
185 187
 
186 188
 
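Review bot: `options[14].param = &domain->crl_file;` binds the new option by position, so it is only correct if `"crl"` is the fifteenth entry of options[]; the head of that array is outside this hunk, so I cannot confirm the count here. The pattern already exists for the other entries, but inserting a field anywhere but the end of options[] silently shifts every later binding and nothing in the code flags it. A comment at the top of options[] would make the coupling visible: `/* order matters: update_opt_variables() binds .param by index, append new options at the end */`. update_opt_variables() starts outside the hunk.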
... ...
@@ -90,6 +90,7 @@ void tls_free_domain(tls_domain_t* d)
90 90
 
91 91
 	if (d->cipher_list.s) shm_free(d->cipher_list.s);
92 92
 	if (d->ca_file.s) shm_free(d->ca_file.s);
93
+	if (d->crl_file.s) shm_free(d->crl_file.s);
93 94
 	if (d->pkey_file.s) shm_free(d->pkey_file.s);
94 95
 	if (d->cert_file.s) shm_free(d->cert_file.s);
95 96
 	shm_free(d);
... ...
@@ -192,6 +193,13 @@ static int fill_missing(tls_domain_t* d, tls_domain_t* parent)
192 193
 		d->ca_file.len = parent->ca_file.len;
193 194
 	}
194 195
 	LOG(L_INFO, "%s: ca_list='%s'\n", tls_domain_str(d), d->ca_file.s);
196
+
197
+	if (!d->crl_file.s) {
198
+		if (shm_asciiz_dup(&d->crl_file.s, parent->crl_file.s) < 0)
199
+			return -1;
200
+		d->crl_file.len = parent->crl_file.len;
201
+	}
202
+	LOG(L_INFO, "%s: crl='%s'\n", tls_domain_str(d), d->crl_file.s);
195 203
 	
196 204
 	if (d->require_cert == -1) d->require_cert = parent->require_cert;
197 205
 	LOG(L_INFO, "%s: require_certificate=%d\n", tls_domain_str(d),
... ...
@@ -425,6 +433,40 @@ static int load_ca_list(tls_domain_t* d)
425 433
 	return 0;
426 434
 }
427 435
 
436
+
437
+/*
438
+ * Load CRL from file
439
+ */
440
+static int load_crl(tls_domain_t* d)
441
+{
442
+	int i;
443
+	int procs_no;
444
+	X509_STORE* store;
445
+
446
+	if (!d->crl_file.s) {
447
+		DBG("%s: No CRL configured\n", tls_domain_str(d));
448
+		return 0;
449
+	}
450
+	if (fix_shm_pathname(&d->crl_file) < 0)
451
+		return -1;
452
+	LOG(L_INFO, "%s: Certificate revocation lists will be checked (%.*s)\n",
453
+				tls_domain_str(d), d->crl_file.len, d->crl_file.s);
454
+	procs_no=get_max_procs();
455
+	for(i = 0; i < procs_no; i++) {
456
+		if (SSL_CTX_load_verify_locations(d->ctx[i], d->crl_file.s, 0) != 1) {
457
+			ERR("%s: Unable to load certificate revocation list '%s'\n",
458
+					tls_domain_str(d), d->crl_file.s);
459
+			TLS_ERR("load_crl:");
460
+			return -1;
461
+		}
462
+		store = SSL_CTX_get_cert_store(d->ctx[i]);
463
+		X509_STORE_set_flags(store,
464
+						X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
465
+	}
466
+	return 0;
467
+}
468
+
469
+
428 470
 #define C_DEF_NO_KRB5 "DEFAULT:!KRB5"
429 471
 #define C_DEF_NO_KRB5_LEN (sizeof(C_DEF_NO_KRB5)-1)
430 472
 #define C_NO_KRB5_SUFFIX ":!KRB5"
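Review bot: The flags set on each store in `load_crl`, `X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL`, make OpenSSL demand a valid, unexpired CRL for every CA in the peer's chain, so a PEM file holding only the end-entity issuer's CRL will make verification fail for every peer that presents an intermediate, and the header comment above the function does not say so. A fuller comment would read: `/* Load the CRL(s) in d->crl_file into every ctx's X509 store and turn on CRL checking for the whole chain (CRL_CHECK_ALL): the file must contain a current CRL for each CA in the chain, otherwise peer verification fails with "unable to get certificate CRL" or "CRL has expired". */`. The CRL is read once here and nothing on this page reloads it, so when the CRL's nextUpdate passes the module presumably keeps rejecting peers until the configuration is reloaded; that is worth stating next to the `crl` parameter documentation as well. Minor: `store` from `SSL_CTX_get_cert_store` is used without a NULL check, unlike the error path taken for the load call two lines earlier.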
... ...
@@ -687,6 +729,7 @@ static int fix_domain(tls_domain_t* d, tls_domain_t* def)
687 729
 	
688 730
 	if (load_cert(d) < 0) return -1;
689 731
 	if (load_ca_list(d) < 0) return -1;
732
+	if (load_crl(d) < 0) return -1;
690 733
 	if (set_cipher_list(d) < 0) return -1;
691 734
 	if (set_verification(d) < 0) return -1;
692 735
 	if (set_ssl_options(d) < 0) return -1;
... ...
@@ -80,6 +80,7 @@ typedef struct tls_domain {
80 80
 	int require_cert;
81 81
 	str cipher_list;
82 82
 	enum tls_method method;
83
+	str crl_file;
83 84
 	struct tls_domain* next;
84 85
 } tls_domain_t;
85 86
 
... ...
@@ -119,6 +119,7 @@ static tls_domain_t mod_params = {
119 119
 	0,                /* Require certificate */
120 120
 	{0, },                /* Cipher list */
121 121
 	TLS_USE_TLSv1,    /* TLS method */
122
+	STR_STATIC_INIT(TLS_CRL_FILE), /* Certificate revocation list */
122 123
 	0                 /* next */
123 124
 };
124 125
 
... ...
@@ -139,6 +140,7 @@ tls_domain_t srv_defaults = {
139 140
 	0,                /* Require certificate */
140 141
 	{0, 0},                /* Cipher list */
141 142
 	TLS_USE_TLSv1,    /* TLS method */
143
+	STR_STATIC_INIT(TLS_CRL_FILE), /* Certificate revocation list */
142 144
 	0                 /* next */
143 145
 };
144 146
 
... ...
@@ -159,6 +161,7 @@ tls_domain_t cli_defaults = {
159 161
 	0,                /* Require certificate */
160 162
 	{0, 0},                /* Cipher list */
161 163
 	TLS_USE_TLSv1,    /* TLS method */
164
+	{0, 0}, /* Certificate revocation list */
162 165
 	0                 /* next */
163 166
 };
164 167
 
... ...
@@ -192,6 +195,7 @@ static param_export_t params[] = {
192 195
 	{"private_key",         PARAM_STR,    &default_tls_cfg.private_key  },
193 196
 	{"ca_list",             PARAM_STR,    &default_tls_cfg.ca_list      },
194 197
 	{"certificate",         PARAM_STR,    &default_tls_cfg.certificate  },
198
+	{"crl",                 PARAM_STR,    &default_tls_cfg.crl          },
195 199
 	{"cipher_list",         PARAM_STR,    &default_tls_cfg.cipher_list  },
196 200
 	{"connection_timeout",  PARAM_INT,    &default_tls_cfg.con_lifetime },
197 201
 	{"tls_log",             PARAM_INT,    &default_tls_cfg.log          },
... ...
@@ -299,6 +303,7 @@ static int mod_init(void)
299 303
 	mod_params.require_cert = cfg_get(tls, tls_cfg, require_cert);
300 304
 	mod_params.pkey_file = cfg_get(tls, tls_cfg, private_key);
301 305
 	mod_params.ca_file = cfg_get(tls, tls_cfg, ca_list);
306
+	mod_params.crl_file = cfg_get(tls, tls_cfg, crl);
302 307
 	mod_params.cert_file = cfg_get(tls, tls_cfg, certificate);
303 308
 	mod_params.cipher_list = cfg_get(tls, tls_cfg, cipher_list);
304 309