
tls: CRL support

Support for certificate revocation lists.
Patch by Couprie Geoffroy geoffroy.couprie atosorigin com
(FS#88) ported to 3.1 (config framework, relative pathname support)
and with more docs.

Closes FS#88.

Andrei Pelinescu-Onciul authored on 09/09/2010 18:50:24
... ...
@@ -101,6 +101,7 @@ modules:
101 101
            blst_rpl_clear_ignore(mask): like blst_rpl_ignore(mask), but
102 102
             clears instead of setting.
103 103
    - tls:
104
+          certificate revocation list (CRL) support.
104 105
           asynchronous TLS support
105 106
           new TLS RPCs (tls.info, tls.options), tls.list more detailed.
106 107
           removed handshake_timeout and send_timeout module parameters /
... ...
@@ -108,6 +109,7 @@ modules:
108 108
             (tcp_connect_timeout and tcp_send_timeout).
109 109
           runtime config support
110 110
           more config options:
111
+            crl - certificate revocation list file path (PEM format).
111 112
             send_close_notify - enables/disables sending close notify
112 113
               alerts prior to closing the corresponding TCP connection.
113 114
               Sending the close notify prior to tcp shutdown is "nicer"
... ...
@@ -52,7 +52,7 @@
52 52
 #define TLS_PKEY_FILE "cert.pem" 	/*!< The certificate private key file */
53 53
 #define TLS_CERT_FILE "cert.pem"	/*!< The certificate file */
54 54
 #define TLS_CA_FILE 0			/*!< no CA list file by default */
55
-
55
+#define TLS_CRL_FILE 0 /*!< no CRL by default */
56 56
 
57 57
 #define MAX_LISTEN 16			/*!< maximum number of addresses on which we will listen */
58 58
 
... ...
@@ -23,28 +23,29 @@ Andrei Pelinescu-Onciul
23 23
         1.9.2. certificate (string)
24 24
         1.9.3. private_key (string)
25 25
         1.9.4. ca_list (string)
26
-        1.9.5. verify_certificate (boolean)
27
-        1.9.6. verify_depth (integer)
28
-        1.9.7. require_certificate (boolean)
29
-        1.9.8. cipher_list (string)
30
-        1.9.9. send_timeout (int)
31
-        1.9.10. handshake_timeout (int)
32
-        1.9.11. connection_timeout (int)
33
-        1.9.12. tls_disable_compression (boolean)
34
-        1.9.13. ssl_release_buffers (integer)
35
-        1.9.14. ssl_free_list_max_len (integer)
36
-        1.9.15. ssl_max_send_fragment (integer)
37
-        1.9.16. ssl_read_ahead (boolean)
38
-        1.9.17. send_close_notify (boolean)
39
-        1.9.18. con_ct_wq_max (integer)
40
-        1.9.19. ct_wq_max (integer)
41
-        1.9.20. ct_wq_blk_size (integer)
42
-        1.9.21. tls_log (int)
43
-        1.9.22. tls_debug (int)
44
-        1.9.23. low_mem_threshold1 (integer)
45
-        1.9.24. low_mem_threshold2 (integer)
46
-        1.9.25. tls_force_run (boolean)
47
-        1.9.26. config (string)
26
+        1.9.5. crl (string)
27
+        1.9.6. verify_certificate (boolean)
28
+        1.9.7. verify_depth (integer)
29
+        1.9.8. require_certificate (boolean)
30
+        1.9.9. cipher_list (string)
31
+        1.9.10. send_timeout (int)
32
+        1.9.11. handshake_timeout (int)
33
+        1.9.12. connection_timeout (int)
34
+        1.9.13. tls_disable_compression (boolean)
35
+        1.9.14. ssl_release_buffers (integer)
36
+        1.9.15. ssl_free_list_max_len (integer)
37
+        1.9.16. ssl_max_send_fragment (integer)
38
+        1.9.17. ssl_read_ahead (boolean)
39
+        1.9.18. send_close_notify (boolean)
40
+        1.9.19. con_ct_wq_max (integer)
41
+        1.9.20. ct_wq_max (integer)
42
+        1.9.21. ct_wq_blk_size (integer)
43
+        1.9.22. tls_log (int)
44
+        1.9.23. tls_debug (int)
45
+        1.9.24. low_mem_threshold1 (integer)
46
+        1.9.25. low_mem_threshold2 (integer)
47
+        1.9.26. tls_force_run (boolean)
48
+        1.9.27. config (string)
48 49
 
49 50
    1.10. Functions
50 51
 
... ...
@@ -363,8 +364,7 @@ modparam("tls", "private", "/usr/local/etc/ser/my_pkey.pem")
363 363
 
364 364
    Sets the CA list file name. This file contains a list of all the
365 365
    trusted CAs certificates. If a signature in a certificate chain belongs
366
-   to one of the listed CAs, the authentication will succeed. See also
367
-   verify_certificate, verify_depth and require_certificate.
366
+   to one of the listed CAs, the authentication will succeed.
368 367
 
369 368
    If the file name starts with a '.' the path will be relative to the
370 369
    working directory (at runtime). If it starts with a '/' it will be an
... ...
@@ -378,12 +378,61 @@ modparam("tls", "private", "/usr/local/etc/ser/my_pkey.pem")
378 378
    certificate in the PEM format to one file, e.g.: for f in
379 379
    trusted_cas/*.pem ; do cat "$f" >> ca_list.pem ; done .
380 380
 
381
+   See also verify_certificate, verify_depth, require_certificate and crl.
382
+
381 383
    Example 6. Set ca_list parameter
382 384
 ...
383 385
 modparam("tls", "ca_list", "/usr/local/etc/ser/ca_list.pem")
384 386
 ...
385 387
 
386
-1.9.5. verify_certificate (boolean)
388
+1.9.5. crl (string)
389
+
390
+   Sets the certificate revocation list file name. This file contains a
391
+   list of revoked certificates. Any attempt to verify a revoked
392
+   certificate will fail.
393
+
394
+   If not set, no crl list will be used.
395
+
396
+   If the file name starts with a '.' the path will be relative to the
397
+   working directory (at runtime). If it starts with a '/' it will be an
398
+   absolute path and if it starts with anything else the path will be
399
+   relative to the main config file directory (e.g.: for ser -f
400
+   /etc/ser/ser.cfg it will be relative to /etc/ser/).
401
+
402
+Note
403
+
404
+   If set, require_certificate should also be set or it will not have any
405
+   effect.
406
+
407
+   By default the crl file is not set.
408
+
409
+   To update the crl in a running ser, make sure you configure tls via a
410
+   separate tls config file (the config modparam) and issue a tls.reload
411
+   RPC call, e.g.:
412
+ $ sercmd tls.reload
413
+
414
+   A quick way to create the CRL in PEM format, using openssl is:
415
+ $ openssl ca -gencrl -keyfile cacert.key -cert cacert.pem -out my_crl.pem
416
+
417
+   my_crl.pem will contain the signed list of the revoked certificates.
418
+
419
+   To revoke a certificate use something like:
420
+ $ openssl ca -revoke bad_cert.pem -keyfile cacert.key -cert cacert.pem
421
+
422
+   and then refresh the crl file using the command above.
423
+
424
+   To display the CRL contents use:
425
+ $ openssl crl -in crl.pem -noout -text
426
+
427
+   See also ca_list, verify_certificate, verify_depth and
428
+   require_certificate.
429
+
430
+   Example 7. Set crl parameter
431
+...
432
+modparam("tls", "crl", "/usr/local/etc/ser/crl.pem")
433
+...
434
+
435
+1.9.6. verify_certificate (boolean)
387 436
 
388 437
    If enabled it will force certificate verification. For more information
389 438
    see the verify(1) openssl man page.
... ...
@@ -395,12 +444,12 @@ modparam("tls", "ca_list", "/usr/local/etc/ser/ca_list.pem")
395 395
 
396 396
    By default the certificate verification is off.
397 397
 
398
-   Example 7. Set verify_certificate parameter
398
+   Example 8. Set verify_certificate parameter
399 399
 ...
400 400
 modparam("tls", "verify_certificate", 1)
401 401
 ...
402 402
 
403
-1.9.6. verify_depth (integer)
403
+1.9.7. verify_depth (integer)
404 404
 
405 405
    Sets how far up the certificate chain will the certificate verification
406 406
    go in the search for a trusted CA.
... ...
@@ -409,12 +458,12 @@ modparam("tls", "verify_certificate", 1)
409 409
 
410 410
    The default value is 9.
411 411
 
412
-   Example 8. Set verify_depth parameter
412
+   Example 9. Set verify_depth parameter
413 413
 ...
414 414
 modparam("tls", "verify_depth", 9)
415 415
 ...
416 416
 
417
-1.9.7. require_certificate (boolean)
417
+1.9.8. require_certificate (boolean)
418 418
 
419 419
    When enabled it will require a certificate from a client. If the client
420 420
    does not offer a certificate and verify_certificate is on, the
... ...
@@ -422,12 +471,12 @@ modparam("tls", "verify_depth", 9)
422 422
 
423 423
    The default value is off.
424 424
 
425
-   Example 9. Set require_certificate parameter
425
+   Example 10. Set require_certificate parameter
426 426
 ...
427 427
 modparam("tls", "require_certificate", 1)
428 428
 ...
429 429
 
430
-1.9.8. cipher_list (string)
430
+1.9.9. cipher_list (string)
431 431
 
432 432
    Sets the list of accepted ciphers. The list consists of cipher strings
433 433
    separated by colons. For more information on the cipher list format see
... ...
@@ -436,24 +485,24 @@ modparam("tls", "require_certificate", 1)
436 436
    The default value is not set (all the Openssl supported ciphers are
437 437
    enabled).
438 438
 
439
-   Example 10. Set cipher_list parameter
439
+   Example 11. Set cipher_list parameter
440 440
 ...
441 441
 modparam("tls", "cipher_list", "HIGH")
442 442
 ...
443 443
 
444
-1.9.9. send_timeout (int)
444
+1.9.10. send_timeout (int)
445 445
 
446 446
    This parameter is obsolete and cannot be used in newer TLS versions (>
447 447
    sip-router 3.0). In these versions the send_timeout is replaced by
448 448
    tcp_send_timeout (common with all the tcp connections).
449 449
 
450
-1.9.10. handshake_timeout (int)
450
+1.9.11. handshake_timeout (int)
451 451
 
452 452
    This parameter is obsolete and cannot be used in newer TLS versions (>
453 453
    sip-router 3.0). In these versions the handshake_timeout is replaced by
454 454
    tcp_connect_timeout (common with all the tcp connections).
455 455
 
456
-1.9.11. connection_timeout (int)
456
+1.9.12. connection_timeout (int)
457 457
 
458 458
    Sets the amount of time after which an idle TLS connection will be
459 459
    closed, if no I/O ever occured after the initial open. If an I/O event
... ...
@@ -467,15 +516,15 @@ modparam("tls", "cipher_list", "HIGH")
467 467
    It can be changed also at runtime, via the RPC interface and config
468 468
    framework. The config variable name is tls.connection_timeout.
469 469
 
470
-   Example 11. Set connection_timeout parameter
470
+   Example 12. Set connection_timeout parameter
471 471
 ...
472 472
 modparam("tls", "connection_timeout", 60)
473 473
 ...
474 474
 
475
-   Example 12. Set tls.connection_timeout at runtime
475
+   Example 13. Set tls.connection_timeout at runtime
476 476
  $ sercmd cfg.set_now_int tls connection_timeout 180
477 477
 
478
-1.9.12. tls_disable_compression (boolean)
478
+1.9.13. tls_disable_compression (boolean)
479 479
 
480 480
    If set compression over SSL/TLS will be disabled. Note that compression
481 481
    uses a lot of memory (about 10x more then with the compression
... ...
@@ -484,12 +533,12 @@ modparam("tls", "connection_timeout", 60)
484 484
 
485 485
    By default compression is disabled.
486 486
 
487
-   Example 13. Set tls_disable_compression parameter
487
+   Example 14. Set tls_disable_compression parameter
488 488
 ...
489 489
 modparam("tls", "tls_disable_compression", 0) # enable
490 490
 ...
491 491
 
492
-1.9.13. ssl_release_buffers (integer)
492
+1.9.14. ssl_release_buffers (integer)
493 493
 
494 494
    Release internal OpenSSL read or write buffers as soon as they are no
495 495
    longer needed. Combined with ssl_free_list_max_len has the potential of
... ...
@@ -508,10 +557,10 @@ Note
508 508
    This option is supported only for OpenSSL versions >= 1.0.0. On all the
509 509
    other versions attempting to change the default will trigger an error.
510 510
 
511
-   Example 14. Set ssl_release_buffers parameter
511
+   Example 15. Set ssl_release_buffers parameter
512 512
 modparam("tls", "ssl_release_buffers", 1)
513 513
 
514
-1.9.14. ssl_free_list_max_len (integer)
514
+1.9.15. ssl_free_list_max_len (integer)
515 515
 
516 516
    Sets the maximum number of free memory chunks, that OpenSSL will keep
517 517
    per connection. Setting it to 0 would cause any unused memory chunk to
... ...
@@ -531,10 +580,10 @@ Note
531 531
    This option is supported only for OpenSSL versions >= 1.0.0. On all the
532 532
    other versions attempting to change the default will trigger an error.
533 533
 
534
-   Example 15. Set ssl_freelist_max_len parameter
534
+   Example 16. Set ssl_freelist_max_len parameter
535 535
 modparam("tls", "ssl_freelist_max_len", 0)
536 536
 
537
-1.9.15. ssl_max_send_fragment (integer)
537
+1.9.16. ssl_max_send_fragment (integer)
538 538
 
539 539
    Sets the maximum number of bytes (from the clear text) sent into one
540 540
    TLS or SSL record. Valid values are between 512 and 16384. Note however
... ...
@@ -566,10 +615,10 @@ Note
566 566
    This option is supported only for OpenSSL versions >= 0.9.9. On all the
567 567
    other versions attempting to change the default will trigger an error.
568 568
 
569
-   Example 16. Set ssl_max_send_fragment parameter
569
+   Example 17. Set ssl_max_send_fragment parameter
570 570
 modparam("tls", "ssl_max_send_fragment", 4096)
571 571
 
572
-1.9.16. ssl_read_ahead (boolean)
572
+1.9.17. ssl_read_ahead (boolean)
573 573
 
574 574
    Enables read ahead, reducing the number of internal OpenSSL BIO read()
575 575
    calls. This option has only debugging value, in normal circumstances it
... ...
@@ -588,10 +637,10 @@ modparam("tls", "ssl_max_send_fragment", 4096)
588 588
 
589 589
    By default the value is 0 (disabled).
590 590
 
591
-   Example 17. Set ssl_read_ahead parameter
591
+   Example 18. Set ssl_read_ahead parameter
592 592
 modparam("tls", "ssl_read_ahead", 1)
593 593
 
594
-1.9.17. send_close_notify (boolean)
594
+1.9.18. send_close_notify (boolean)
595 595
 
596 596
    Enables/disables sending close notify alerts prior to closing the
597 597
    corresponding TCP connection. Sending the close notify prior to tcp
... ...
@@ -604,15 +653,15 @@ modparam("tls", "ssl_read_ahead", 1)
604 604
    It can be changed also at runtime, via the RPC interface and config
605 605
    framework. The config variable name is tls.send_close_notify.
606 606
 
607
-   Example 18. Set send_close_notify parameter
607
+   Example 19. Set send_close_notify parameter
608 608
 ...
609 609
 modparam("tls", "send_close_notify", 1)
610 610
 ...
611 611
 
612
-   Example 19. Set tls.send_close_notify at runtime
612
+   Example 20. Set tls.send_close_notify at runtime
613 613
  $ sercmd cfg.set_now_int tls send_close_notify 1
614 614
 
615
-1.9.18. con_ct_wq_max (integer)
615
+1.9.19. con_ct_wq_max (integer)
616 616
 
617 617
    Sets the maximum allowed per connection clear-text send queue size in
618 618
    bytes. This queue is used when data cannot be encrypted and sent
... ...
@@ -623,15 +672,15 @@ modparam("tls", "send_close_notify", 1)
623 623
    It can be changed also at runtime, via the RPC interface and config
624 624
    framework. The config variable name is tls.con_ct_wq_max.
625 625
 
626
-   Example 20. Set con_ct_wq_max parameter
626
+   Example 21. Set con_ct_wq_max parameter
627 627
 ...
628 628
 modparam("tls", "con_ct_wq_max", 1048576)
629 629
 ...
630 630
 
631
-   Example 21. Set tls.con_ct_wq_max at runtime
631
+   Example 22. Set tls.con_ct_wq_max at runtime
632 632
  $ sercmd cfg.set_now_int tls con_ct_wq_max 1048576
633 633
 
634
-1.9.19. ct_wq_max (integer)
634
+1.9.20. ct_wq_max (integer)
635 635
 
636 636
    Sets the maximum total number of bytes queued in all the clear-text
637 637
    send queues. These queues are used when data cannot be encrypted and
... ...
@@ -642,15 +691,15 @@ modparam("tls", "con_ct_wq_max", 1048576)
642 642
    It can be changed also at runtime, via the RPC interface and config
643 643
    framework. The config variable name is tls.ct_wq_max.
644 644
 
645
-   Example 22. Set ct_wq_max parameter
645
+   Example 23. Set ct_wq_max parameter
646 646
 ...
647 647
 modparam("tls", "ct_wq_max", 4194304)
648 648
 ...
649 649
 
650
-   Example 23. Set tls.ct_wq_max at runtime
650
+   Example 24. Set tls.ct_wq_max at runtime
651 651
  $ sercmd cfg.set_now_int tls ct_wq_max 4194304
652 652
 
653
-1.9.20. ct_wq_blk_size (integer)
653
+1.9.21. ct_wq_blk_size (integer)
654 654
 
655 655
    Minimum block size for the internal clear-text send queues (debugging /
656 656
    advanced tunning). Good values are multiple of typical datagram sizes.
... ...
@@ -660,15 +709,15 @@ modparam("tls", "ct_wq_max", 4194304)
660 660
    It can be changed also at runtime, via the RPC interface and config
661 661
    framework. The config variable name is tls.ct_wq_blk_size.
662 662
 
663
-   Example 24. Set ct_wq_blk_size parameter
663
+   Example 25. Set ct_wq_blk_size parameter
664 664
 ...
665 665
 modparam("tls", "ct_wq_blk_size", 2048)
666 666
 ...
667 667
 
668
-   Example 25. Set tls.ct_wq_max at runtime
668
+   Example 26. Set tls.ct_wq_max at runtime
669 669
  $ sercmd cfg.set_now_int tls ct_wq_blk_size 2048
670 670
 
671
-1.9.21. tls_log (int)
671
+1.9.22. tls_log (int)
672 672
 
673 673
    Sets the log level at which TLS related messages will be logged.
674 674
 
... ...
@@ -677,16 +726,16 @@ modparam("tls", "ct_wq_blk_size", 2048)
677 677
    It can be changed also at runtime, via the RPC interface and config
678 678
    framework. The config variable name is tls.log.
679 679
 
680
-   Example 26. Set tls_log parameter
680
+   Example 27. Set tls_log parameter
681 681
 ...
682 682
 # ignore TLS messages if SIP-router is started with debug less than 10
683 683
 modparam("tls", "tls_log", 10)
684 684
 ...
685 685
 
686
-   Example 27. Set tls.log at runtime
686
+   Example 28. Set tls.log at runtime
687 687
  $ sercmd cfg.set_now_int tls log 10
688 688
 
689
-1.9.22. tls_debug (int)
689
+1.9.23. tls_debug (int)
690 690
 
691 691
    Sets the log level at which TLS debug messages will be logged. Note
692 692
    that TLS debug messages are enabled only if the TLS module is compiled
... ...
@@ -698,16 +747,16 @@ modparam("tls", "tls_log", 10)
698 698
    It can be changed also at runtime, via the RPC interface and config
699 699
    framework. The config variable name is tls.debug.
700 700
 
701
-   Example 28. Set tls_debug parameter
701
+   Example 29. Set tls_debug parameter
702 702
 ...
703 703
 # ignore TLS debug messages if SIP-router is started with debug less than 10
704 704
 modparam("tls", "tls_debug", 10)
705 705
 ...
706 706
 
707
-   Example 29. Set tls.debug at runtime
707
+   Example 30. Set tls.debug at runtime
708 708
  $ sercmd cfg.set_now_int tls debug 10
709 709
 
710
-1.9.23. low_mem_threshold1 (integer)
710
+1.9.24. low_mem_threshold1 (integer)
711 711
 
712 712
    Sets the minimal free memory from which attempts to open or accept new
713 713
    TLS connections will start to fail. The value is expressed in KB.
... ...
@@ -730,15 +779,15 @@ modparam("tls", "tls_debug", 10)
730 730
 
731 731
    See also low_mem_threshold2.
732 732
 
733
-   Example 30. Set low_mem_threshold1 parameter
733
+   Example 31. Set low_mem_threshold1 parameter
734 734
 ...
735 735
 modparam("tls", "low_mem_threshold1", -1)
736 736
 ...
737 737
 
738
-   Example 31. Set tls.low_mem_threshold1 at runtime
738
+   Example 32. Set tls.low_mem_threshold1 at runtime
739 739
  $ sercmd cfg.set_now_int tls low_mem_threshold1 2048
740 740
 
741
-1.9.24. low_mem_threshold2 (integer)
741
+1.9.25. low_mem_threshold2 (integer)
742 742
 
743 743
    Sets the minimal free memory from which TLS operations on already
744 744
    established TLS connections will start to fail preemptively. The value
... ...
@@ -762,15 +811,15 @@ modparam("tls", "low_mem_threshold1", -1)
762 762
 
763 763
    See also low_mem_threshold1.
764 764
 
765
-   Example 32. Set low_mem_threshold2 parameter
765
+   Example 33. Set low_mem_threshold2 parameter
766 766
 ...
767 767
 modparam("tls", "low_mem_threshold2", -1)
768 768
 ...
769 769
 
770
-   Example 33. Set tls.low_mem_threshold2 at runtime
770
+   Example 34. Set tls.low_mem_threshold2 at runtime
771 771
  $ sercmd cfg.set_now_int tls low_mem_threshold2 1024
772 772
 
773
-1.9.25. tls_force_run (boolean)
773
+1.9.26. tls_force_run (boolean)
774 774
 
775 775
    If enabled SIP-router will start even if some of the openssl sanity
776 776
    checks fail (turn it on at your own risk).
... ...
@@ -786,12 +835,12 @@ modparam("tls", "low_mem_threshold2", -1)
786 786
 
787 787
    By default tls_force_run is disabled.
788 788
 
789
-   Example 34. Set tls_force_run parameter
789
+   Example 35. Set tls_force_run parameter
790 790
 ...
791 791
 modparam("tls", "tls_force_run", 11)
792 792
 ...
793 793
 
794
-1.9.26. config (string)
794
+1.9.27. config (string)
795 795
 
796 796
    Sets the name of the TLS specific config file.
797 797
 
... ...
@@ -817,6 +866,7 @@ modparam("tls", "tls_force_run", 11)
817 817
      * certificate
818 818
      * verify_depth
819 819
      * ca_list
820
+     * crl
820 821
      * cipher_list
821 822
 
822 823
    All the parameters that take filenames as values will be resolved using
... ...
@@ -829,14 +879,15 @@ modparam("tls", "tls_force_run", 11)
829 829
    client when it initiates a new connection by itself (it connects to
830 830
    something).
831 831
 
832
-   Example 35. Short config file
832
+   Example 36. Short config file
833 833
 [server:default]
834 834
 method = TLSv1
835
-verify_certificate = no
836
-require_certificate = no
835
+verify_certificate = yes
836
+require_certificate = yes
837 837
 private_key = default_key.pem
838 838
 certificate = default_cert.pem
839 839
 ca_list = default_ca.pem
840
+crl = default_crl.pem
840 841
 
841 842
 [client:default]
842 843
 verify_certificate = yes
... ...
@@ -855,7 +906,7 @@ ca_list = local_ca.pem
855 855
    For a more complete example check the tls.cfg distributed with the
856 856
    SIP-router source (sip_router/modules/tls/tls.cfg).
857 857
 
858
-   Example 36. Set config parameter
858
+   Example 37. Set config parameter
859 859
 ...
860 860
 modparam("tls", "config", "/usr/local/etc/ser/tls.cfg")
861 861
 ...
... ...
@@ -863,7 +914,7 @@ modparam("tls", "config", "/usr/local/etc/ser/tls.cfg")
863 863
    It can be changed also at runtime. The new config will not be loaded
864 864
    immediately, but after the first tls.reload RPC call.
865 865
 
866
-   Example 37. Change and reload tls config at runtime
866
+   Example 38. Change and reload tls config at runtime
867 867
  $ sercmd cfg.set_now_string tls config "/usr/local/etc/ser/new_tls.cfg"
868 868
  $ sercmd tls.reload
869 869
 
... ...
@@ -878,7 +929,7 @@ modparam("tls", "config", "/usr/local/etc/ser/tls.cfg")
878 878
    , the peer presented an X509 certificate and the certificate chain
879 879
    verified ok. It can be used only in a request route.
880 880
 
881
-   Example 38. is_peer_verified usage
881
+   Example 39. is_peer_verified usage
882 882
         if (proto==TLS && !is_peer_verified()){
883 883
                 sl_send_reply("400", "No certificate or verification failed");
884 884
                 drop;
... ...
@@ -125,10 +125,7 @@ modparam("tls", "private", "/usr/local/etc/ser/my_pkey.pem")
125 125
 	<para>
126 126
 		Sets the CA list file name. This file contains a list of all the
127 127
 		trusted CAs certificates. If a signature in a certificate chain belongs
128
-		to one of the listed CAs, the authentication will succeed. See also
129
-		<emphasis>verify_certificate</emphasis>,
130
-		<emphasis>verify_depth</emphasis> and
131
-		<emphasis>require_certificate</emphasis>.
128
+		to one of the listed CAs, the authentication will succeed.
132 129
 	</para>
133 130
 	<para>
134 131
 		If the file name starts with a '.' the path will be relative to the
... ...
@@ -145,6 +142,13 @@ modparam("tls", "private", "/usr/local/etc/ser/my_pkey.pem")
145 145
 		certificate in the PEM format to one file, e.g.: for f in
146 146
 		trusted_cas/*.pem ; do cat "$f" &gt;&gt; ca_list.pem ; done .
147 147
 	</para>
148
+	<para>
149
+		See also
150
+		<emphasis>verify_certificate</emphasis>,
151
+		<emphasis>verify_depth</emphasis>,
152
+		<emphasis>require_certificate</emphasis> and
153
+		<emphasis>crl</emphasis>.
154
+	</para>
148 155
 	<example>
149 156
 	    <title>Set <varname>ca_list</varname> parameter</title>
150 157
 	    <programlisting>
... ...
@@ -155,6 +159,76 @@ modparam("tls", "ca_list", "/usr/local/etc/ser/ca_list.pem")
155 155
 	</example>
156 156
 	</section>
157 157
 
158
+<section id="crl">
159
+	<title><varname>crl</varname> (string)</title>
160
+	<para>
161
+		Sets the certificate revocation list file name. This file contains a
162
+		list of revoked certificates. Any attempt to verify a revoked
163
+		certificate will fail.
164
+	</para>
165
+	<para>
166
+		If not set, no crl list will be used.
167
+	</para>
168
+	<para>
169
+		If the file name starts with a '.' the path will be relative to the
170
+		working directory (<emphasis>at runtime</emphasis>). If it starts
171
+		with a '/' it will be an absolute path and if it starts with anything
172
+		else the path will be relative to the main config file directory
173
+		(e.g.: for ser -f /etc/ser/ser.cfg it will be relative to /etc/ser/).
174
+	</para>
175
+	<note><para>
176
+		If set, <varname>require_certificate</varname> should also be set
177
+		or it will not have any effect.
178
+	</para></note>
179
+	<para>
180
+		By default the crl file is not set.
181
+	</para>
182
+	<para>
183
+		To update the crl in a running ser, make sure you configure tls
184
+		via a separate tls config file
185
+		(the <varname>config</varname> modparam) and issue a tls.reload
186
+		RPC call, e.g.:
187
+		<programlisting>
188
+ $ &sercmd; tls.reload
189
+		</programlisting>
190
+	</para>
191
+	<para>
192
+		A quick way to create the CRL in PEM format, using openssl is:
193
+		<programlisting>
194
+ $ openssl ca -gencrl -keyfile cacert.key -cert cacert.pem -out my_crl.pem
195
+		</programlisting>
196
+		 my_crl.pem will contain the signed list of the revoked certificates.
197
+	</para>
198
+	<para>
199
+		To revoke a certificate use something like:
200
+		<programlisting>
201
+ $ openssl ca -revoke bad_cert.pem -keyfile cacert.key -cert cacert.pem
202
+		</programlisting>
203
+		and then refresh the crl file using the command above.
204
+	</para>
205
+	<para>
206
+		To display the CRL contents use:
207
+		<programlisting>
208
+ $ openssl crl -in crl.pem -noout -text
209
+		</programlisting>
210
+	</para>
211
+	<para>
212
+		See also
213
+		<emphasis>ca_list</emphasis>,
214
+		<emphasis>verify_certificate</emphasis>,
215
+		<emphasis>verify_depth</emphasis> and
216
+		<emphasis>require_certificate</emphasis>.
217
+	</para>
218
+	<example>
219
+	    <title>Set <varname>crl</varname> parameter</title>
220
+	    <programlisting>
221
+...
222
+modparam("tls", "crl", "/usr/local/etc/ser/crl.pem")
223
+...
224
+	    </programlisting>
225
+	</example>
226
+	</section>
227
+
158 228
 <section id="verify_certificate">
159 229
 	<title><varname>verify_certificate</varname> (boolean)</title>
160 230
 	<para>
... ...
@@ -820,6 +894,7 @@ modparam("tls", "tls_force_run", 11)
820 820
 			<listitem><para>certificate</para></listitem>
821 821
 			<listitem><para>verify_depth</para></listitem>
822 822
 			<listitem><para>ca_list</para></listitem>
823
+			<listitem><para>crl</para></listitem>
823 824
 			<listitem><para>cipher_list</para></listitem>
824 825
 	</itemizedlist>
825 826
 	<para>
... ...
@@ -839,11 +914,12 @@ modparam("tls", "tls_force_run", 11)
839 839
 	<programlisting>
840 840
 [server:default]
841 841
 method = TLSv1
842
-verify_certificate = no
843
-require_certificate = no
842
+verify_certificate = yes
843
+require_certificate = yes
844 844
 private_key = default_key.pem
845 845
 certificate = default_cert.pem
846 846
 ca_list = default_ca.pem
847
+crl = default_crl.pem
847 848
 
848 849
 [client:default]
849 850
 verify_certificate = yes
... ...
@@ -19,6 +19,8 @@ verify_certificate = no
19 19
 require_certificate = no
20 20
 private_key = ./modules/tls/ser-selfsigned.key
21 21
 certificate = ./modules/tls/ser-selfsigned.pem
22
+#ca_list = ./modules/tls/cacert.pem
23
+#crl = ./modules/tls/crl.pem
22 24
 
23 25
 # This is the default client domain, settings
24 26
 # in this domain will be used for all outgoing
... ...
@@ -46,6 +48,7 @@ require_certificate = yes
46 46
 #certificate = ./modules/tls/local_cert.pem
47 47
 #verify_depth = 3
48 48
 #ca_list = local_ca.pem
49
+#crl = local_crl.pem
49 50
 
50 51
 # Special settings for the iptel.org public SIP
51 52
 # server. We do not verify the certificate of the
... ...
@@ -59,3 +62,4 @@ require_certificate = yes
59 59
 #certificate = ./modules/tls/iptel_client.pem
60 60
 #private_key = ./modules/tls/iptel_key.pem
61 61
 #ca_list = ./modules/tls/iptel_ca.pem
62
+#crl = ./modules/tls/iptel_crl.pem
... ...
@@ -41,6 +41,7 @@ struct cfg_group_tls default_tls_cfg = {
41 41
 	0, /* require_certificate */
42 42
 	STR_NULL, /* private_key (default value set in fix_tls_cfg) */
43 43
 	STR_NULL, /* ca_list (default value set in fix_tls_cfg) */
44
+	STR_NULL, /* crl (default value set in fix_tls_cfg) */
44 45
 	STR_NULL, /* certificate (default value set in fix_tls_cfg) */
45 46
 	STR_NULL, /* cipher_list (default value set in fix_tls_cfg) */
46 47
 	0, /* session_cache */
... ...
@@ -151,6 +152,9 @@ cfg_def_t	tls_cfg_def[] = {
151 151
 		" contained in the certificate file" },
152 152
 	{"ca_list", CFG_VAR_STR | CFG_READONLY, 0, 0, 0, 0,
153 153
 		"name of the file containing the trusted CA list (pem format)" },
154
+	{"crl", CFG_VAR_STR | CFG_READONLY, 0, 0, 0, 0,
155
+		"name of the file containing the CRL  (certificare revocation list"
156
+			" in pem format)" },
154 157
 	{"certificate", CFG_VAR_STR | CFG_READONLY, 0, 0, 0, 0,
155 158
 		"name of the file containing the certificate (pem format)" },
156 159
 	{"cipher_list", CFG_VAR_STR | CFG_READONLY, 0, 0, 0, 0,
... ...
@@ -263,6 +267,8 @@ int fix_tls_cfg(struct cfg_group_tls* cfg)
263 263
 		return -1;
264 264
 	if (fix_initial_pathname(&cfg->ca_list, TLS_CA_FILE) < 0 )
265 265
 		return -1;
266
+	if (fix_initial_pathname(&cfg->crl, TLS_CRL_FILE) < 0 )
267
+		return -1;
266 268
 	if (fix_initial_pathname(&cfg->certificate, TLS_CERT_FILE) < 0)
267 269
 		return -1;
268 270
 	
... ...
@@ -48,6 +48,7 @@ struct cfg_group_tls {
48 48
 	int require_cert;
49 49
 	str private_key;
50 50
 	str ca_list;
51
+	str crl;
51 52
 	str certificate;
52 53
 	str cipher_list;
53 54
 	int session_cache;
... ...
@@ -159,6 +159,7 @@ static cfg_option_t options[] = {
159 159
 	{"cert_file",           .f = cfg_parse_str_opt, .flags = CFG_STR_SHMMEM},
160 160
 	{"cipher_list",         .f = cfg_parse_str_opt, .flags = CFG_STR_SHMMEM},
161 161
 	{"ca_list",             .f = cfg_parse_str_opt, .flags = CFG_STR_SHMMEM},
162
+	{"crl",                 .f = cfg_parse_str_opt, .flags = CFG_STR_SHMMEM},
162 163
 	{0}
163 164
 };
164 165
 
... ...
@@ -181,6 +182,7 @@ static void update_opt_variables(void)
181 181
 	options[11].param = &domain->cert_file;
182 182
 	options[12].param = &domain->cipher_list;
183 183
 	options[13].param = &domain->ca_file;
184
+	options[14].param = &domain->crl_file;
184 185
 }
185 186
 
186 187
 
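Review bot: `options[14].param = &domain->crl_file;` binds the field by position and is only correct because `crl` was appended right after `ca_list` (index 13) in the `options[]` table of the earlier hunk; the two hunks are coupled by counting alone, so a future insertion in the table would silently attach a parser to the wrong field. The least intrusive guard is a comment on the table entry, `/* index 14: keep in sync with update_opt_variables() */`, and the table could carry the same note; a single enum of option indexes used in both places would remove the coupling. The body of `update_opt_variables` starts outside the hunk.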
... ...
@@ -90,6 +90,7 @@ void tls_free_domain(tls_domain_t* d)
90 90
 
91 91
 	if (d->cipher_list.s) shm_free(d->cipher_list.s);
92 92
 	if (d->ca_file.s) shm_free(d->ca_file.s);
93
+	if (d->crl_file.s) shm_free(d->crl_file.s);
93 94
 	if (d->pkey_file.s) shm_free(d->pkey_file.s);
94 95
 	if (d->cert_file.s) shm_free(d->cert_file.s);
95 96
 	shm_free(d);
... ...
@@ -192,6 +193,13 @@ static int fill_missing(tls_domain_t* d, tls_domain_t* parent)
192 192
 		d->ca_file.len = parent->ca_file.len;
193 193
 	}
194 194
 	LOG(L_INFO, "%s: ca_list='%s'\n", tls_domain_str(d), d->ca_file.s);
195
+
196
+	if (!d->crl_file.s) {
197
+		if (shm_asciiz_dup(&d->crl_file.s, parent->crl_file.s) < 0)
198
+			return -1;
199
+		d->crl_file.len = parent->crl_file.len;
200
+	}
201
+	LOG(L_INFO, "%s: crl='%s'\n", tls_domain_str(d), d->crl_file.s);
195 202
 	
196 203
 	if (d->require_cert == -1) d->require_cert = parent->require_cert;
197 204
 	LOG(L_INFO, "%s: require_certificate=%d\n", tls_domain_str(d),
... ...
@@ -425,6 +433,40 @@ static int load_ca_list(tls_domain_t* d)
425 425
 	return 0;
426 426
 }
427 427
 
428
+
429
+/*
430
+ * Load CRL from file
431
+ */
432
+static int load_crl(tls_domain_t* d)
433
+{
434
+	int i;
435
+	int procs_no;
436
+	X509_STORE* store;
437
+
438
+	if (!d->crl_file.s) {
439
+		DBG("%s: No CRL configured\n", tls_domain_str(d));
440
+		return 0;
441
+	}
442
+	if (fix_shm_pathname(&d->crl_file) < 0)
443
+		return -1;
444
+	LOG(L_INFO, "%s: Certificate revocation lists will be checked (%.*s)\n",
445
+				tls_domain_str(d), d->crl_file.len, d->crl_file.s);
446
+	procs_no=get_max_procs();
447
+	for(i = 0; i < procs_no; i++) {
448
+		if (SSL_CTX_load_verify_locations(d->ctx[i], d->crl_file.s, 0) != 1) {
449
+			ERR("%s: Unable to load certificate revocation list '%s'\n",
450
+					tls_domain_str(d), d->crl_file.s);
451
+			TLS_ERR("load_crl:");
452
+			return -1;
453
+		}
454
+		store = SSL_CTX_get_cert_store(d->ctx[i]);
455
+		X509_STORE_set_flags(store,
456
+						X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
457
+	}
458
+	return 0;
459
+}
460
+
461
+
428 462
 #define C_DEF_NO_KRB5 "DEFAULT:!KRB5"
429 463
 #define C_DEF_NO_KRB5_LEN (sizeof(C_DEF_NO_KRB5)-1)
430 464
 #define C_NO_KRB5_SUFFIX ":!KRB5"
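Review bot: `X509_V_FLAG_CRL_CHECK_ALL` in load_crl makes OpenSSL demand a CRL for every CA in the peer's chain, so a CRL file that only covers the leaf issuer will make verification of any chain with an intermediate CA fail with "unable to get certificate CRL"; a comment above `X509_STORE_set_flags` such as `/* CRL_CHECK_ALL: a CRL for every CA in the chain must be present in crl_file, not just the leaf issuer's */` would save operators a debugging round, and the `crl` option documentation should state the same. The file is loaded once per context at startup and a CRL carries its own nextUpdate, so once it expires verification presumably fails until the module is reconfigured — if no reload path exists elsewhere, that deserves a sentence in the docs too. Minor: the return value of `X509_STORE_set_flags` is not checked, and the ERR on failure prints the path with `'%s'` while the INFO line above uses `%.*s`; pick one form.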
... ...
@@ -687,6 +729,7 @@ static int fix_domain(tls_domain_t* d, tls_domain_t* def)
687 687
 	
688 688
 	if (load_cert(d) < 0) return -1;
689 689
 	if (load_ca_list(d) < 0) return -1;
690
+	if (load_crl(d) < 0) return -1;
690 691
 	if (set_cipher_list(d) < 0) return -1;
691 692
 	if (set_verification(d) < 0) return -1;
692 693
 	if (set_ssl_options(d) < 0) return -1;
... ...
@@ -80,6 +80,7 @@ typedef struct tls_domain {
80 80
 	int require_cert;
81 81
 	str cipher_list;
82 82
 	enum tls_method method;
83
+	str crl_file;
83 84
 	struct tls_domain* next;
84 85
 } tls_domain_t;
85 86
 
... ...
@@ -119,6 +119,7 @@ static tls_domain_t mod_params = {
119 119
 	0,                /* Require certificate */
120 120
 	{0, },                /* Cipher list */
121 121
 	TLS_USE_TLSv1,    /* TLS method */
122
+	STR_STATIC_INIT(TLS_CRL_FILE), /* Certificate revocation list */
122 123
 	0                 /* next */
123 124
 };
124 125
 
... ...
@@ -139,6 +140,7 @@ tls_domain_t srv_defaults = {
139 139
 	0,                /* Require certificate */
140 140
 	{0, 0},                /* Cipher list */
141 141
 	TLS_USE_TLSv1,    /* TLS method */
142
+	STR_STATIC_INIT(TLS_CRL_FILE), /* Certificate revocation list */
142 143
 	0                 /* next */
143 144
 };
144 145
 
... ...
@@ -159,6 +161,7 @@ tls_domain_t cli_defaults = {
159 159
 	0,                /* Require certificate */
160 160
 	{0, 0},                /* Cipher list */
161 161
 	TLS_USE_TLSv1,    /* TLS method */
162
+	{0, 0}, /* Certificate revocation list */
162 163
 	0                 /* next */
163 164
 };
164 165
 
... ...
@@ -192,6 +195,7 @@ static param_export_t params[] = {
192 192
 	{"private_key",         PARAM_STR,    &default_tls_cfg.private_key  },
193 193
 	{"ca_list",             PARAM_STR,    &default_tls_cfg.ca_list      },
194 194
 	{"certificate",         PARAM_STR,    &default_tls_cfg.certificate  },
195
+	{"crl",                 PARAM_STR,    &default_tls_cfg.crl          },
195 196
 	{"cipher_list",         PARAM_STR,    &default_tls_cfg.cipher_list  },
196 197
 	{"connection_timeout",  PARAM_INT,    &default_tls_cfg.con_lifetime },
197 198
 	{"tls_log",             PARAM_INT,    &default_tls_cfg.log          },
... ...
@@ -299,6 +303,7 @@ static int mod_init(void)
299 299
 	mod_params.require_cert = cfg_get(tls, tls_cfg, require_cert);
300 300
 	mod_params.pkey_file = cfg_get(tls, tls_cfg, private_key);
301 301
 	mod_params.ca_file = cfg_get(tls, tls_cfg, ca_list);
302
+	mod_params.crl_file = cfg_get(tls, tls_cfg, crl);
302 303
 	mod_params.cert_file = cfg_get(tls, tls_cfg, certificate);
303 304
 	mod_params.cipher_list = cfg_get(tls, tls_cfg, cipher_list);
304 305