From a1ca280238512cf37cb7369103bfbdbdebc79442 Mon Sep 17 00:00:00 2001
From: Maciej Szlosarczyk
Date: Wed, 31 Jul 2019 11:20:08 +0300
Subject: [PATCH] When no CRL file is defined, CRL check should be disabled completely

---
 README.md | 2 +-
 apps/epp_proxy/src/epp_tls_acceptor.erl | 26 ++++++++++++++++++-------
 config/docker.config | 3 ++-
 config/sys.config | 2 +-
 4 files changed, 23 insertions(+), 10 deletions(-)

diff --git a/README.md b/README.md
index 2cb948e..37d8117 100644
--- a/README.md
+++ b/README.md
@@ -117,7 +117,7 @@ of Erlang property list.
 | `cacertfile_path` | `/opt/ca/ca.crt.pem` | SSLCACertificateFile | Where is the client root CA located. Can be inside apps/epp_proxy/priv or absolute path.
 | `certfile_path` | `/opt/ca/server.crt.pem` | SSLCertificateFile | Where is the server certificate located. Can be inside apps/epp_proxy/priv or absolute path.
 | `keyfile_path` | `/opt/ca/server.key.pem` | SSLCertificateKeyFile | Where is the server key located. Can be inside apps/epp_proxy/priv or absolute path.
-| `crlfile_path` | `/opt/ca/crl.pem` | SSLCARevocationFile | Where is the CRL file located. Can be inside apps/epp_proxy/priv or absolute path.
+| `crlfile_path` | `/opt/ca/crl.pem` | SSLCARevocationFile | Where is the CRL file located. Can be inside apps/epp_proxy/priv or absolute path. When not set, not CRL check is performed.
 Migrating from mod_epp
diff --git a/apps/epp_proxy/src/epp_tls_acceptor.erl b/apps/epp_proxy/src/epp_tls_acceptor.erl
index fd2bd9e..a3c0080 100644
--- a/apps/epp_proxy/src/epp_tls_acceptor.erl
+++ b/apps/epp_proxy/src/epp_tls_acceptor.erl
@@ -21,13 +21,12 @@ start_link(Port) ->
                   []).
 init(Port) ->
-    Options = [binary, {packet, raw}, {active, false},
-               {reuseaddr, true}, {verify, verify_peer}, {depth, 1},
-               {cacertfile, ca_cert_file()}, {certfile, cert_file()},
-               {keyfile, key_file()}, {crl_check, peer},
-               {crl_cache,
-                {ssl_crl_cache, {internal, [{http, 5000}]}}}],
-    ssl_crl_cache:insert({file, crl_file()}),
+    DefaultOptions = [binary, {packet, raw},
+                      {active, false}, {reuseaddr, true},
+                      {verify, verify_peer}, {depth, 1},
+                      {cacertfile, ca_cert_file()}, {certfile, cert_file()},
+                      {keyfile, key_file()}],
+    Options = handle_crl_check_options(DefaultOptions),
     {ok, ListenSocket} = ssl:listen(Port, Options),
     gen_server:cast(self(), accept),
     {ok,
@@ -88,3 +87,16 @@ crl_file() ->
         undefined -> undefined;
         {ok, CrlFile} -> epp_util:path_for_file(CrlFile)
     end.
+
+%% In some environments, we do not perform a CRL check. Therefore, we need
+%% different options proplist.
+handle_crl_check_options(Options) ->
+    case application:get_env(epp_proxy, crlfile_path) of
+        undefined -> Options;
+        {ok, _CrlFile} ->
+            ssl_crl_cache:insert({file, crl_file()}),
+            NewOptions = [{crl_check, peer},
+                          {crl_cache, {ssl_crl_cache, {internal, [{http, 5000}]}}}
+                          | Options],
+            NewOptions
+    end.
diff --git a/config/docker.config b/config/docker.config
index d25e978..fa8eee7 100644
--- a/config/docker.config
+++ b/config/docker.config
@@ -10,7 +10,8 @@
   {cacertfile_path, "/opt/ca/certs/ca.crt.pem"},
   {certfile_path, "/opt/ca/certs/apache.crt"},
   {keyfile_path, "/opt/ca/private/apache.key"},
-  {crlfile_path, "/opt/ca/crl/crl.pem"}]},
+  {crlfile_path, "/opt/ca/crl/crl.pem"}
+  ]},
  {lager, [
    {handlers, [
      {lager_console_backend, [{level, debug}]}
diff --git a/config/sys.config b/config/sys.config
index 30bd143..f895a3d 100644
--- a/config/sys.config
+++ b/config/sys.config
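Review bot: In the `{ok, _CrlFile}` branch of `handle_crl_check_options/1` (second hunk of this file) the result of `ssl_crl_cache:insert({file, crl_file()})` is discarded, so a CRL path that does not exist or does not parse leaves the acceptor listening with `{crl_check, peer}` but without the configured CRL in the cache, and nothing reports the mismatch; matching `ok = ssl_crl_cache:insert(...)` makes `init/1` fail at startup instead. The same branch repeats the `application:get_env(epp_proxy, crlfile_path)` lookup that `crl_file/0`, visible just above it, already performs, and binds `NewOptions` only to return it on the next line, so matching on `crl_file()` directly removes both. Since the `undefined` branch now turns peer revocation checking off entirely, a startup log line there (with whatever logger the module already uses; lager handlers are configured in sys.config and docker.config) would let an operator notice a mis-spelled key, given that both shipped configs still set `crlfile_path`.
```erlang
handle_crl_check_options(Options) ->
    case crl_file() of
        undefined ->
            %% Revocation checking is disabled on this path; worth a startup log line.
            Options;
        CrlPath ->
            %% Fail init/1 if the configured CRL cannot be loaded, rather than
            %% listening with crl_check enabled but the CRL silently absent.
            ok = ssl_crl_cache:insert({file, CrlPath}),
            [{crl_check, peer},
             {crl_cache, {ssl_crl_cache, {internal, [{http, 5000}]}}}
             | Options]
    end.
```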
@@ -24,7 +24,7 @@
   %% Path to server's key file.
   {keyfile_path, "/opt/shared/ca/certs/key.pem"},
-  %% Path to CRL file.
+  %% Path to CRL file. When this option is undefined, no CRL check is performed.
   {crlfile_path, "/opt/shared/ca/certs/key.pem"}]},
  {lager, [
    {handlers, [