Add support for setting SSL verification mode #286

Open

ben-palmer-sociomantic opened this issue Apr 6, 2018 · 5 comments
Comments

@ben-palmer-sociomantic (Collaborator)

Currently the SSL connections in libdrizzle-redux do not support setting the verification mode for the SSL connection (https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_verify.html).

This should be set when setting up the SSL settings:

```c
/* Fragment of drizzle_set_ssl() in libdrizzle-redux. The function header is
 * shown for context; the lines of the function that precede this fragment were
 * not included in the issue. Nothing below calls SSL_CTX_set_verify(), so the
 * context keeps OpenSSL's default of SSL_VERIFY_NONE and the server certificate
 * is never checked against the CA loaded further down. */
drizzle_return_t drizzle_set_ssl(drizzle_st *con, const char *key,
                                 const char *cert, const char *ca,
                                 const char *capath, const char *cipher)
{
  /* TLSv1_client_method() negotiates TLS 1.0 only; the return value is not
   * checked for NULL. */
  con->ssl_context= SSL_CTX_new(TLSv1_client_method());
  if (cipher)
  {
    /* restored: the pasted fragment had lost this SSL_CTX_set_cipher_list() call */
    if (SSL_CTX_set_cipher_list((SSL_CTX*)con->ssl_context, cipher) != 1)
    {
      drizzle_set_error(con, __FILE_LINE_FUNC__, "Cannot set the SSL cipher list");
      return DRIZZLE_RETURN_SSL_ERROR;
    }
  }
  /* trust anchors are loaded, but without a verification mode they are unused */
  if (SSL_CTX_load_verify_locations((SSL_CTX*)con->ssl_context, ca, capath) != 1)
  {
    drizzle_set_error(con, __FILE_LINE_FUNC__, "Cannot load the SSL certificate authority file");
    return DRIZZLE_RETURN_SSL_ERROR;
  }
  if (cert)
  {
    if (SSL_CTX_use_certificate_file((SSL_CTX*)con->ssl_context, cert, SSL_FILETYPE_PEM) != 1)
    {
      drizzle_set_error(con, __FILE_LINE_FUNC__, "Cannot load the SSL certificate file");
      return DRIZZLE_RETURN_SSL_ERROR;
    }
    /* no separate key file: the private key is expected inside the cert file */
    if (!key)
      key= cert;
    if (SSL_CTX_use_PrivateKey_file((SSL_CTX*)con->ssl_context, key, SSL_FILETYPE_PEM) != 1)
    {
      drizzle_set_error(con, __FILE_LINE_FUNC__, "Cannot load the SSL key file");
      return DRIZZLE_RETURN_SSL_ERROR;
    }
    if (SSL_CTX_check_private_key((SSL_CTX*)con->ssl_context) != 1)
    {
      drizzle_set_error(con, __FILE_LINE_FUNC__, "Error validating the SSL private key");
      return DRIZZLE_RETURN_SSL_ERROR;
    }
  }
  con->ssl= SSL_new((SSL_CTX*)con->ssl_context);
  return DRIZZLE_RETURN_OK;
}
```

Exception handling will need to be added for error conditions.

@ben-palmer-sociomantic ben-palmer-sociomantic added this to the v6.2.0 milestone Apr 6, 2018
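The configuration the issue asks for, as an added Python example that is not code from libdrizzle-redux or from this thread: it uses the standard-library `ssl` module, whose `CERT_NONE`, `CERT_OPTIONAL` and `CERT_REQUIRED` correspond to OpenSSL's `SSL_VERIFY_NONE`, `SSL_VERIFY_PEER` and `SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT`, and it walks the same steps as the `drizzle_set_ssl` fragment above (cipher list, CA locations, client certificate and key) with the verification mode as an explicit parameter. The mode names in `VERIFY_MODES`, the `build_client_context`, `cipher_list_is_usable` and `audit_context` helpers are assumptions of the example, not an API of the project.

```python
import ssl

# Names for the verification modes. The values are ssl.VerifyMode members,
# which correspond to OpenSSL's SSL_VERIFY_NONE, SSL_VERIFY_PEER and
# SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT (assumed naming).
VERIFY_MODES = {
    "none": ssl.CERT_NONE,
    "optional": ssl.CERT_OPTIONAL,
    "required": ssl.CERT_REQUIRED,
}


def build_client_context(verify_mode, cafile=None, capath=None,
                         certfile=None, keyfile=None, ciphers=None):
    """Build a client TLS context with an explicitly chosen verification mode.

    Mirrors the steps of the drizzle_set_ssl fragment (cipher list, CA
    locations, client certificate and key) but makes the verification mode
    a first-class parameter instead of leaving OpenSSL's default in place.
    """
    if verify_mode not in VERIFY_MODES:
        raise ValueError(f"unknown verification mode: {verify_mode!r}")
    mode = VERIFY_MODES[verify_mode]

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)

    # Hostname checking only makes sense when the certificate is verified at
    # all. Python refuses CERT_NONE while check_hostname is still True, so
    # the order of these two assignments matters.
    ctx.check_hostname = mode != ssl.CERT_NONE
    ctx.verify_mode = mode

    if ciphers is not None:
        # Raises ssl.SSLError ("No cipher can be selected.") for an unusable
        # list, the case the fragment reports as "Cannot set the SSL cipher list".
        ctx.set_ciphers(ciphers)

    if cafile is not None or capath is not None:
        ctx.load_verify_locations(cafile=cafile, capath=capath)
    elif mode != ssl.CERT_NONE:
        # Verification with no trust anchors would fail every handshake, so
        # fall back to the platform store.
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)

    if certfile is not None:
        # keyfile=None means the key lives in certfile, the same fallback the
        # fragment applies with "if (!key) key= cert;".
        ctx.load_cert_chain(certfile, keyfile)

    return ctx


def cipher_list_is_usable(ciphers):
    """True if OpenSSL accepts the cipher string, without raising."""
    try:
        ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).set_ciphers(ciphers)
    except ssl.SSLError:
        return False
    return True


def audit_context(ctx):
    """Summarise what a context will actually enforce when it connects."""
    name = next(n for n, v in VERIFY_MODES.items() if v == ctx.verify_mode)
    return {
        "verify_mode": name,
        "check_hostname": ctx.check_hostname,
        # Under CERT_NONE the handshake succeeds against any certificate, so an
        # interposed server goes unnoticed; flag that plainly.
        "verifies_peer": ctx.verify_mode != ssl.CERT_NONE and ctx.check_hostname,
    }


if __name__ == "__main__":
    for mode in VERIFY_MODES:
        print(mode, audit_context(build_client_context(mode)))
```

A detail worth knowing when testing a mode setting: under `CERT_NONE` Python's `getpeercert()` returns an empty dict even when the server sent a certificate, because the chain was never validated, so the absence of a peer certificate after connecting is the symptom of an unverified context, not of a server without one.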
@andreas-bok-sociomantic (Contributor)

It seems like the SSL support in libdrizzle-redux is rather outdated and possibly not working.
Setting up the encrypted connection with drizzle_set_ssl and connecting fails with:

drizzle_state_handshake_client_write:SSL error: 1 - error:1409F080: SSL routines:ssl3_write_pending: bio not set(DRIZZLE_RETURN_SSL_ERROR) ]

Thus it will require a more thorough review of the SSL support to get SSL_CTX_set_verify to work.

@andreas-bok-sociomantic (Contributor)

I discussed the implementation of support for encrypted connections with @nemanja-boric-sociomantic.
Apart from the need to set the SSL verification mode, other issues must be addressed as well to fix the openssl support. I will create separate issues for these.

@ben-palmer-sociomantic (Collaborator, Author)

> Apart from the need to set the SSL verification mode, other issues must be addressed as well to fix the openssl support.

Are these other fixes required to get a basic encrypted connection with no authentication?

@nemanja-boric-sociomantic commented Apr 12, 2018

The biggest issue is that libdrizzle doesn't support encrypted non-blocking reads/writes, which is a huge blocker. Nevertheless, I think it can be adapted to allow that.
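The non-blocking pattern the comment refers to, as an added Python example that is not code from libdrizzle-redux or from this thread: OpenSSL is driven through memory BIOs so that the application, not the library, owns the socket, and each handshake step reports whether it needs more input, has output to flush, has finished, or has failed. The `NonBlockingTlsClient` class, the constructed hostname `db.example.test` and the constructed plaintext reply fed in at the end are assumptions of the example.

```python
import ssl


class NonBlockingTlsClient:
    """TLS client state machine decoupled from the socket (hypothetical class).

    Ciphertext read from the network is pushed in with feed(); ciphertext
    OpenSSL wants sent is pulled out with pending_output(). Each handshake
    step returns what the event loop must wait for next instead of letting
    OpenSSL block on a file descriptor.
    """

    def __init__(self, ctx, server_hostname):
        self.incoming = ssl.MemoryBIO()   # network -> OpenSSL
        self.outgoing = ssl.MemoryBIO()   # OpenSSL -> network
        self.tls = ctx.wrap_bio(self.incoming, self.outgoing,
                                server_hostname=server_hostname)
        self.handshake_done = False
        self.error = None

    def feed(self, data):
        """Hand bytes received from the socket to OpenSSL; never blocks."""
        self.incoming.write(data)

    def pending_output(self):
        """Bytes the socket writer must send before the peer can respond."""
        return self.outgoing.read()

    def step_handshake(self):
        """Advance the handshake one step.

        Returns "want_read" (wait for readability, then feed()), "want_write"
        (flush pending_output() first), "done" or "error". The Want* errors
        are subclasses of SSLError, so they are caught before the generic one.
        """
        try:
            self.tls.do_handshake()
        except ssl.SSLWantReadError:
            return "want_read"
        except ssl.SSLWantWriteError:
            return "want_write"
        except ssl.SSLError as exc:
            self.error = exc
            return "error"
        self.handshake_done = True
        return "done"


def make_client(server_hostname="db.example.test"):
    """Client with peer verification and hostname checking on (constructed hostname)."""
    return NonBlockingTlsClient(ssl.create_default_context(), server_hostname)


def demo():
    """Drive the first steps of a handshake with no server present."""
    client = make_client()
    states = [client.step_handshake()]       # want_read: ClientHello queued
    client_hello = client.pending_output()   # record type 0x16, handshake type 0x01
    states.append(client.step_handshake())   # still want_read, nothing re-sent
    # A plaintext reply such as a server that does not speak TLS would send
    # (constructed sample); OpenSSL rejects it rather than stalling.
    client.feed(b"HTTP/1.1 400 Bad Request\r\n\r\n")
    states.append(client.step_handshake())   # error
    return states, client_hello, client.error


if __name__ == "__main__":
    states, hello, err = demo()
    print(states, hello[:6].hex(), err)
```

After the handshake the same contract holds for `self.tls.read()` and `self.tls.write()`: both raise `SSLWantReadError` or `SSLWantWriteError` instead of blocking, which is what a library with its own event loop needs from OpenSSL in place of letting `SSL_read`/`SSL_write` block on the descriptor.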

@ben-palmer-sociomantic (Collaborator, Author)

Ok yeah that is a bit of a big problem.

@bokchan bokchan modified the milestones: v6.2.0, Future work Dec 24, 2018
Development

No branches or pull requests

4 participants