Commit f744757c authored by Petr Špaček's avatar Petr Špaček

Merge branch 'tls_polish' into 'master'

tls_client logging and doc improvements

See merge request !536
parents 236df989 c5d39719
......@@ -46,7 +46,7 @@
#endif
static char const server_logstring[] = "tls";
static char const client_logstring[] = "tls-client";
static char const client_logstring[] = "tls_client";
static int client_verify_certificate(gnutls_session_t tls_session);
......@@ -171,7 +171,7 @@ void tls_close(struct tls_common_ctx *ctx)
if (ctx->handshake_state == TLS_HS_DONE) {
kr_log_verbose("[%s] closing tls connection to `%s`\n",
ctx->client_side ? "tls-client" : "tls",
ctx->client_side ? "tls_client" : "tls",
kr_straddr(&ctx->session->peer.ip));
ctx->handshake_state = TLS_HS_CLOSING;
gnutls_bye(ctx->tls_session, GNUTLS_SHUT_RDWR);
......@@ -639,6 +639,10 @@ int tls_client_params_set(map_t *tls_client_paramlist,
value, gnutls_strerror_name(res));
/* value will be freed at cleanup */
ret = kr_error(EINVAL);
} else {
kr_log_verbose("[tls_client] imported %d certs from file '%s'\n",
res, value);
}
}
}
......@@ -790,23 +794,36 @@ static int client_verify_certificate(gnutls_session_t tls_session)
return GNUTLS_E_CERTIFICATE_ERROR;
}
int ret;
unsigned int status;
for (size_t i = 0; i < ctx->params->hostnames.len; ++i) {
gnutls_typed_vdata_st data[2] = {
{ .type = GNUTLS_DT_KEY_PURPOSE_OID,
.data = (void *)GNUTLS_KP_TLS_WWW_SERVER },
{ .type = GNUTLS_DT_DNS_HOSTNAME,
.data = (void *)ctx->params->hostnames.at[i] }
};
size_t data_count = 2;
unsigned int status;
int ret = gnutls_certificate_verify_peers(ctx->c.tls_session, data,
data_count, &status);
ret = gnutls_certificate_verify_peers3(
ctx->c.tls_session,
ctx->params->hostnames.at[i],
&status);
if ((ret == GNUTLS_E_SUCCESS) && (status == 0)) {
return GNUTLS_E_SUCCESS;
}
}
kr_log_error("[tls_client] failed to verify peer certificate\n");
if (ret == GNUTLS_E_SUCCESS) {
gnutls_datum_t msg;
ret = gnutls_certificate_verification_status_print(
status, gnutls_certificate_type_get(ctx->c.tls_session), &msg, 0);
if (ret == GNUTLS_E_SUCCESS) {
kr_log_error("[tls_client] failed to verify peer certificate: "
"%s\n", msg.data);
gnutls_free(msg.data);
} else {
kr_log_error("[tls_client] failed to verify peer certificate: "
"unable to print reason: %s (%s)\n",
gnutls_strerror(ret), gnutls_strerror_name(ret));
} /* gnutls_certificate_verification_status_print end */
} else {
kr_log_error("[tls_client] failed to verify peer certificate: "
"gnutls_certificate_verify_peers3 error: %s (%s)\n",
gnutls_strerror(ret), gnutls_strerror_name(ret));
} /* gnutls_certificate_verify_peers3 end */
return GNUTLS_E_CERTIFICATE_ERROR;
}
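Review bot: `ret` and `status` are declared at the top of the hunk but only assigned inside the hostname loop, so when `ctx->params->hostnames.len` is 0 the `if (ret == GNUTLS_E_SUCCESS)` after the loop reads an uninitialized variable (undefined behavior) — unless a check earlier in client_verify_certificate, which begins before this hunk, already rejects an empty hostname list. The cheapest fix is to give both a defined starting value, `int ret = GNUTLS_E_CERTIFICATE_ERROR;` and `unsigned int status = 0;`, so the fall-through lands in the error branch; an explicit guard that logs `[tls_client] no hostname configured for certificate verification` and returns GNUTLS_E_CERTIFICATE_ERROR before the loop would be clearer still. A smaller diagnostic point: with several hostnames configured, the reason printed after the loop describes only the last one tried, so naming that hostname in the `failed to verify peer certificate` messages would make the failure easier to attribute.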
......@@ -904,7 +904,7 @@ ssize_t worker_gnutls_push(gnutls_transport_ptr_t h, const void *buf, size_t len
t->session->handle->type == UV_TCP);
VERBOSE_MSG(NULL,"[%s] push %zu <%p>\n",
t->client_side ? "tls-client" : "tls", len, h);
t->client_side ? "tls_client" : "tls", len, h);
struct worker_ctx *worker = t->worker;
assert(worker);
......@@ -948,7 +948,7 @@ ssize_t worker_gnutls_push(gnutls_transport_ptr_t h, const void *buf, size_t len
worker->stats.ipv4 += 1;
} else {
VERBOSE_MSG(NULL,"[%s] uv_write: %s\n",
t->client_side ? "tls-client" : "tls", uv_strerror(res));
t->client_side ? "tls_client" : "tls", uv_strerror(res));
iorequest_release(worker, ioreq);
errno = EIO;
}
......@@ -63,6 +63,18 @@ To test this feature you need to either :ref:`configure Knot Resolver as DNS-ove
When multiple servers are specified, the one with the lowest round-trip time is used.
CA+hostname authentication
~~~~~~~~~~~~~~~~~~~~~~~~~~
Traditional PKI authentication requires server to present certificate with specified hostname, which is issued by one of trusted CAs. Example policy is:
.. code-block:: lua
policy.TLS_FORWARD({
{'2001:DB8::d0c', hostname='res.example.com', ca_file='/etc/knot-resolver/tlsca.crt'}})
- `hostname` must exactly match hostname in server's certificate, i.e. in most cases it must not contain trailing dot (`res.example.com`).
- `ca_file` must be path to CA certificate (or certificate bundle) in `PEM format`_.
TLS Examples
~~~~~~~~~~~~
......@@ -82,7 +94,7 @@ TLS Examples
policy.TLS_FORWARD({ -- please note that { here starts list of servers
{'192.0.2.1', pin_sha256='Wg=='},
-- server must present certificate issued by specified CA and hostname must match
{'2001:DB8::d0c', hostname='res.example.', ca_file='/etc/knot-resolver/tlsca.crt'}
{'2001:DB8::d0c', hostname='res.example.com', ca_file='/etc/knot-resolver/tlsca.crt'}
})
.. _policy_examples:
......@@ -207,6 +219,7 @@ This module is enabled by default because it implements mandatory :rfc:`6761` lo
.. _`Aho-Corasick`: https://en.wikipedia.org/wiki/Aho%E2%80%93Corasick_string_matching_algorithm
.. _`@jgrahamc`: https://github.com/jgrahamc/aho-corasick-lua
.. _RPZ: https://dnsrpz.info/
.. _`PEM format`: https://en.wikipedia.org/wiki/Privacy-enhanced_Electronic_Mail
.. _`Pro DNS and BIND`: http://www.zytrax.com/books/dns/ch7/rpz.html
.. _`Jan-Piet Mens's post`: http://jpmens.net/2011/04/26/how-to-configure-your-bind-resolvers-to-lie-using-response-policy-zones-rpz/
.. _`Transport Layer Security`: https://en.wikipedia.org/wiki/Transport_Layer_Security