Commit 8b740536 authored by Sergey Lyubka's avatar Sergey Lyubka

Added ssl_ca_certificate option

parent 63490249
...@@ -23,17 +23,17 @@ ...@@ -23,17 +23,17 @@
// Copyright (c) 2014 Cesanta Software Limited // Copyright (c) 2014 Cesanta Software Limited
// All rights reserved // All rights reserved
// //
// This library is dual-licensed: you can redistribute it and/or modify // This software is dual-licensed: you can redistribute it and/or modify
// it under the terms of the GNU General Public License version 2 as // it under the terms of the GNU General Public License version 2 as
// published by the Free Software Foundation. For the terms of this // published by the Free Software Foundation. For the terms of this
// license, see <http://www.gnu.org/licenses/>. // license, see <http://www.gnu.org/licenses/>.
// //
// You are free to use this library under the terms of the GNU General // You are free to use this software under the terms of the GNU General
// Public License, but WITHOUT ANY WARRANTY; without even the implied // Public License, but WITHOUT ANY WARRANTY; without even the implied
// warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. // warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
// See the GNU General Public License for more details. // See the GNU General Public License for more details.
// //
// Alternatively, you can license this library under a commercial // Alternatively, you can license this software under a commercial
// license, as set out in <http://cesanta.com/>. // license, as set out in <http://cesanta.com/>.
#ifndef NS_SKELETON_HEADER_INCLUDED #ifndef NS_SKELETON_HEADER_INCLUDED
...@@ -203,10 +203,11 @@ struct ns_connection { ...@@ -203,10 +203,11 @@ struct ns_connection {
#define NSF_CONNECTING (1 << 3) #define NSF_CONNECTING (1 << 3)
#define NSF_CLOSE_IMMEDIATELY (1 << 4) #define NSF_CLOSE_IMMEDIATELY (1 << 4)
#define NSF_ACCEPTED (1 << 5) #define NSF_ACCEPTED (1 << 5)
#define NSF_USER_1 (1 << 6)
#define NSF_USER_2 (1 << 7) #define NSF_USER_1 (1 << 26)
#define NSF_USER_3 (1 << 8) #define NSF_USER_2 (1 << 27)
#define NSF_USER_4 (1 << 9) #define NSF_USER_3 (1 << 28)
#define NSF_USER_4 (1 << 29)
}; };
void ns_server_init(struct ns_server *, void *server_data, ns_callback_t); void ns_server_init(struct ns_server *, void *server_data, ns_callback_t);
...@@ -218,6 +219,7 @@ struct ns_connection *ns_add_sock(struct ns_server *, sock_t sock, void *p); ...@@ -218,6 +219,7 @@ struct ns_connection *ns_add_sock(struct ns_server *, sock_t sock, void *p);
int ns_bind(struct ns_server *, const char *addr); int ns_bind(struct ns_server *, const char *addr);
int ns_set_ssl_cert(struct ns_server *, const char *ssl_cert); int ns_set_ssl_cert(struct ns_server *, const char *ssl_cert);
int ns_set_ssl_ca_cert(struct ns_server *, const char *ssl_ca_cert);
struct ns_connection *ns_connect(struct ns_server *, const char *host, struct ns_connection *ns_connect(struct ns_server *, const char *host,
int port, int ssl, void *connection_param); int port, int ssl, void *connection_param);
...@@ -241,17 +243,17 @@ int ns_hexdump(const void *buf, int len, char *dst, int dst_len); ...@@ -241,17 +243,17 @@ int ns_hexdump(const void *buf, int len, char *dst, int dst_len);
// Copyright (c) 2014 Cesanta Software Limited // Copyright (c) 2014 Cesanta Software Limited
// All rights reserved // All rights reserved
// //
// This library is dual-licensed: you can redistribute it and/or modify // This software is dual-licensed: you can redistribute it and/or modify
// it under the terms of the GNU General Public License version 2 as // it under the terms of the GNU General Public License version 2 as
// published by the Free Software Foundation. For the terms of this // published by the Free Software Foundation. For the terms of this
// license, see <http://www.gnu.org/licenses/>. // license, see <http://www.gnu.org/licenses/>.
// //
// You are free to use this library under the terms of the GNU General // You are free to use this software under the terms of the GNU General
// Public License, but WITHOUT ANY WARRANTY; without even the implied // Public License, but WITHOUT ANY WARRANTY; without even the implied
// warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. // warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
// See the GNU General Public License for more details. // See the GNU General Public License for more details.
// //
// Alternatively, you can license this library under a commercial // Alternatively, you can license this software under a commercial
// license, as set out in <http://cesanta.com/>. // license, as set out in <http://cesanta.com/>.
...@@ -286,6 +288,7 @@ void iobuf_free(struct iobuf *iobuf) { ...@@ -286,6 +288,7 @@ void iobuf_free(struct iobuf *iobuf) {
size_t iobuf_append(struct iobuf *io, const void *buf, size_t len) { size_t iobuf_append(struct iobuf *io, const void *buf, size_t len) {
char *p = NULL; char *p = NULL;
assert(io != NULL);
assert(io->len <= io->size); assert(io->len <= io->size);
if (len <= 0) { if (len <= 0) {
...@@ -543,7 +546,41 @@ static sock_t ns_open_listening_socket(union socket_address *sa) { ...@@ -543,7 +546,41 @@ static sock_t ns_open_listening_socket(union socket_address *sa) {
return sock; return sock;
} }
// Generating signed CA certificate:
// openssl genrsa -out ca.key 2048
// openssl req -new -x509 -key ca.key -out ca.crt -days 9999
// cat ca.key ca.crt > ca.pem
// echo 77 > ca.srl
// Generating server certificate:
// openssl genrsa -out server.key 2048
// openssl req -key server.key -new -out server.req -days 9999
// openssl x509 -req -in server.req -CA ca.pem -CAkey ca.pem -out server.crt
// cat server.key server.crt > server.pem
// Generating client certificate:
// openssl genrsa -out client.key 2048
// openssl req -new -key client.key -out client.req -days 9999
// openssl x509 -req -in client.req -CA ca.pem -CAkey ca.pem -out client.crt
// cat client.key client.crt > client.pem
int ns_set_ssl_ca_cert(struct ns_server *server, const char *cert) {
int result = -1;
#ifdef NS_ENABLE_SSL
STACK_OF(X509_NAME) *list = SSL_load_client_CA_file(cert);
if (cert != NULL && server->ssl_ctx != NULL && list != NULL) {
SSL_CTX_set_client_CA_list(server->ssl_ctx, list);
SSL_CTX_set_verify(server->ssl_ctx, SSL_VERIFY_PEER |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
result = 0;
}
#endif
return result;
}
// To generate self-signed server cert, do:
// openssl req -x509 -newkey rsa:2048 -keyout server.key -out cert.pem -days XXX
// openssl rsa -in server.key -out server2.key # This removes passphrase
// cat server2.key cert.pem > server.pem
int ns_set_ssl_cert(struct ns_server *server, const char *cert) { int ns_set_ssl_cert(struct ns_server *server, const char *cert) {
#ifdef NS_ENABLE_SSL #ifdef NS_ENABLE_SSL
if (cert != NULL && if (cert != NULL &&
...@@ -1136,6 +1173,7 @@ enum { ...@@ -1136,6 +1173,7 @@ enum {
#endif #endif
#ifdef NS_ENABLE_SSL #ifdef NS_ENABLE_SSL
SSL_CERTIFICATE, SSL_CERTIFICATE,
SSL_CA_CERTIFICATE,
#endif #endif
URL_REWRITES, URL_REWRITES,
NUM_OPTIONS NUM_OPTIONS
...@@ -1176,6 +1214,7 @@ static const char *static_config_options[] = { ...@@ -1176,6 +1214,7 @@ static const char *static_config_options[] = {
#endif #endif
#ifdef NS_ENABLE_SSL #ifdef NS_ENABLE_SSL
"ssl_certificate", NULL, "ssl_certificate", NULL,
"ssl_ca_certificate", NULL,
#endif #endif
"url_rewrites", NULL, "url_rewrites", NULL,
NULL NULL
...@@ -4506,6 +4545,10 @@ const char *mg_set_option(struct mg_server *server, const char *name, ...@@ -4506,6 +4545,10 @@ const char *mg_set_option(struct mg_server *server, const char *name,
} else if (res == -1) { } else if (res == -1) {
error_msg = "SSL_CTX_new() failed"; error_msg = "SSL_CTX_new() failed";
} }
} else if (ind == SSL_CA_CERTIFICATE) {
if (ns_set_ssl_ca_cert(&server->ns_server, value) != 0) {
error_msg = "Error setting CA cert";
}
#endif #endif
} }
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment