author | thiagoftsm <thiagoftsm@gmail.com> | 2019-07-29 12:27:32 +0000 |
committer | Paul Emm. Katsoulakis <34388743+paulkatsoulakis@users.noreply.github.com> | 2019-07-29 15:27:32 +0300 |
commit | 551617bd322e2b855ccf19375650348fda77938a (patch) | |
tree | e329b8e38550c634181332ca3f882bc52c082cbf /libnetdata | |
parent | 7d0250e3afc48b16fd01de36ced2b76d64201adc (diff) |
Add configurable default locations for trusted CA certificates (#6549)
* sslcertificate: Trust certificate
The netdata could not allow invalid certificate or certificate with invalid chain
this commit fixes this!
* sslcertificate: Changing name
We are bringing in the same names used by the OpenSSL library to make the parameters easier to understand
* sslcertificate: Name changes and explicity directory
This commit fix the problem with Streams and rename correctly the files in the option, it also uses stat to define the existence of a file
* sslcertificate: Documentation
Fix grammar for the newest section in the documentation
* sslcertificate: Rename variables
The old variables did not represent well what they are doing, so it was renamed
Diffstat (limited to 'libnetdata')
-rw-r--r-- | libnetdata/socket/security.c | 57 | ||||
-rw-r--r-- | libnetdata/socket/security.h | 1 |
2 files changed, 57 insertions, 1 deletions
diff --git a/libnetdata/socket/security.c b/libnetdata/socket/security.c
index 9eb8e60247..ab324a1691 100644
--- a/libnetdata/socket/security.c
+++ b/libnetdata/socket/security.c
@@ -164,7 +164,7 @@ void security_start_ssl(int selector) {
 switch (selector) {
 case NETDATA_SSL_CONTEXT_SERVER: {
 struct stat statbuf;
- if (stat(security_key,&statbuf) || stat(security_cert,&statbuf)) {
+ if (stat(security_key, &statbuf) || stat(security_cert, &statbuf)) {
 info("To use encryption it is necessary to set \"ssl certificate\" and \"ssl key\" in [web] !\n");
 return;
 }
@@ -186,6 +186,11 @@ void security_start_ssl(int selector) {
 }
 }
+/**
+ * Clean Open SSL
+ *
+ * Clean all the allocated contexts from netdata.
+ */
 void security_clean_openssl() {
 if (netdata_srv_ctx) {
@@ -265,6 +270,15 @@ int security_process_accept(SSL *ssl,int msg) {
 return NETDATA_SSL_HANDSHAKE_COMPLETE;
 }
+/**
+ * Test Certificate
+ *
+ * Check the certificate of Netdata master
+ *
+ * @param ssl is the connection structure
+ *
+ * @return It returns 0 on success and -1 otherwise
+ */
 int security_test_certificate(SSL *ssl) {
 X509* cert = SSL_get_peer_certificate(ssl);
 int ret;
@@ -283,7 +297,48 @@ int security_test_certificate(SSL *ssl) {
 } else {
 ret = 0;
 }
+ return ret;
 }
+/**
+ * Location for context
+ *
+ * Case the user give us a directory with the certificates available and
+ * the Netdata master certificate, we use this function to validate the certificate.
+ *
+ * @param ctx the context where the path will be set.
+ * @param file the file with Netdata master certificate.
+ * @param path the directory where the certificates are stored.
+ *
+ * @return It returns 0 on success and -1 otherwise.
+ */
+int security_location_for_context(SSL_CTX *ctx, char *file, char *path) {
+ struct stat statbuf;
+ if (stat(file, &statbuf)) {
+ info("Netdata does not have a SSL master certificate, so it will use the default OpenSSL configuration to validate certificates!");
+ return 0;
+ }
+
+ ERR_clear_error();
+ u_long err;
+ char buf[256];
+ if(!SSL_CTX_load_verify_locations(ctx, file, path)) {
+ goto slfc;
+ }
+
+ if(!SSL_CTX_set_default_verify_paths(ctx)) {
+ goto slfc;
+ }
+
+ return 0;
+
+slfc:
+ while ((err = ERR_get_error()) != 0) {
+ ERR_error_string_n(err, buf, sizeof(buf));
+ error("Cannot set the directory for the certificates and the master SSL certificate: %s",buf);
+ }
+ return -1;
+}
+
 #endif
diff --git a/libnetdata/socket/security.h b/libnetdata/socket/security.h
index cc870ce17b..697e0fda1f 100644
--- a/libnetdata/socket/security.h
+++ b/libnetdata/socket/security.h
@@ -34,6 +34,7 @@ extern SSL_CTX *netdata_srv_ctx;
 extern const char *security_key;
 extern const char *security_cert;
 extern int netdata_validate_server;
+extern int security_location_for_context(SSL_CTX *ctx,char *file,char *path);
 void security_openssl_library();
 void security_clean_openssl(); |
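Review bot: In `security_location_for_context`, the `stat(file, &statbuf)` failure branch logs that the default OpenSSL configuration will be used and returns 0, but `SSL_CTX_set_default_verify_paths(ctx)` is only reached after `SSL_CTX_load_verify_locations` succeeds, so on that path this function installs no trust anchors at all; unless the caller loads the system store elsewhere (not visible in this hunk), verification of the peer certificate cannot succeed and the log message is misleading. Calling `SSL_CTX_set_default_verify_paths(ctx)` before the `stat` check, as below, makes the message true and keeps the `slfc` reporting for both failures. Two smaller points in the same function: `ERR_get_error` returns `unsigned long`, and `u_long` is a BSD/glibc typedef rather than a C type, so `unsigned long err;` is the portable spelling; and `file` and `path` are only read and are handed to `SSL_CTX_load_verify_locations`, which takes `const char *`, so both this definition and the declaration added in the security.h hunk should be `const char *file, const char *path` (the existing `security_key`/`security_cert` globals are already `const char *`). The `error(...)` text in the `slfc` loop is the same for both calls, so a failing `SSL_CTX_set_default_verify_paths` is reported as a problem with the configured directory; consider naming which call failed in the message.
```c
int security_location_for_context(SSL_CTX *ctx, const char *file, const char *path) {
    ERR_clear_error();
    unsigned long err;
    char buf[256];

    /* Install the system CA store first, so the fallback the message below
     * promises is really in place when the configured file is absent. */
    if (!SSL_CTX_set_default_verify_paths(ctx)) {
        goto slfc;
    }

    struct stat statbuf;
    if (stat(file, &statbuf)) {
        info("Netdata does not have a SSL master certificate, so it will use the default OpenSSL configuration to validate certificates!");
        return 0;
    }

    if (!SSL_CTX_load_verify_locations(ctx, file, path)) {
        goto slfc;
    }

    return 0;

    /* … unchanged: slfc error-reporting loop, return -1 and closing brace … */
```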