From: Dave H. <hel...@us...> - 2012-03-16 23:29:38
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "SFCB - Small Footprint CIM Broker".
The branch, master has been updated
via 56496a5d8e82c3053409f1060f3c1c3fa5baa2af (commit)
from 8291ca31eabb4fc700efa729b6021e122e14db2c (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 56496a5d8e82c3053409f1060f3c1c3fa5baa2af
Author: Dave Heller <hel...@us...>
Date: Fri Mar 16 19:20:12 2012 -0400
[ 3506453 ] Support peer cert verification for SSL indications
-----------------------------------------------------------------------
Summary of changes:
diff --git a/ChangeLog b/ChangeLog
index 7dc0bb0..b8973c9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2012-03-16 Dave Heller <hel...@us...>
+
+ * control.c, indCIMXMLExport.c, sfcb.cfg.pre.in:
+ [ 3506453 ] Support peer cert verification for SSL indications
+
2012-03-15 Chris Buccella <buc...@li...>
* brokerUpc.c:
diff --git a/NEWS b/NEWS
index 593b98d..7abe185 100644
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,7 @@ Everything in 1.3.13 and 1.3.14, plus:
New features:
- 3441679 Add a feature to validate CMPI types
- 3497831 Updates to sfcb-ps test script
+- 3506453 Support peer cert verification for SSL indications
Bugs fixed:
- 3495804 Cleanup: httpProcId still defined, wrong define in cimXmlGen
diff --git a/control.c b/control.c
index d84810d..108d227 100644
--- a/control.c
+++ b/control.c
@@ -108,6 +108,7 @@ Control init[] = {
{"enableInterOp", 2, "true"},
{"sslClientTrustStore", 0, SFCB_CONFDIR "/client.pem"},
{"sslClientCertificate", 0, "ignore"},
+ {"sslIndicationReceiverCert", 0, "ignore" },
{"certificateAuthLib", 0, "sfcCertificateAuthentication"},
{"localSocketPath", 0, "/tmp/sfcbLocalSocket"},
{"httpSocketPath", 0, "/tmp/sfcbHttpSocket"},
diff --git a/indCIMXMLExport.c b/indCIMXMLExport.c
index 959c4e0..1c00e0d 100644
--- a/indCIMXMLExport.c
+++ b/indCIMXMLExport.c
@@ -150,7 +150,9 @@ genRequest(CurlData * cd, char *url, char **msg)
{
CURLcode rv;
char *fnc,
- *fnk;
+ *fnk,
+ *fnt,
+ *fnl;
*msg = NULL;
@@ -180,10 +182,38 @@ genRequest(CurlData * cd, char *url, char **msg)
rv = curl_easy_setopt(cd->mHandle, CURLOPT_POST, 1);
/*
- * Disable SSL verification
+ * Enable endpoint cert verification as required
*/
- rv = curl_easy_setopt(cd->mHandle, CURLOPT_SSL_VERIFYHOST, 0);
- rv = curl_easy_setopt(cd->mHandle, CURLOPT_SSL_VERIFYPEER, 0);
+ getControlChars("sslIndicationReceiverCert", &fnl);
+ for(;;) {
+ if (strcasecmp(fnl, "ignore") == 0) {
+ rv = curl_easy_setopt(cd->mHandle, CURLOPT_SSL_VERIFYPEER, 0);
+ rv = curl_easy_setopt(cd->mHandle, CURLOPT_SSL_VERIFYHOST, 0);
+ break;
+ } else if ((strcasecmp(fnl, "verify") == 0) ||
+ (strcasecmp(fnl, "verifyhostname") == 0)) {
+ if (getControlChars("sslClientTrustStore", &fnt) == 0) {
+ rv = curl_easy_setopt(cd->mHandle, CURLOPT_CAINFO, fnt);
+ } else {
+ /* possible? */
+ *msg=strdup("Cannot determine value of sslClientTrustStore parameter.");
+ return 3;
+ }
+ rv = curl_easy_setopt(cd->mHandle, CURLOPT_SSL_VERIFYPEER, 1);
+ if (strcasecmp(fnl, "verify") == 0) {
+ rv = curl_easy_setopt(cd->mHandle, CURLOPT_SSL_VERIFYHOST, 0);
+ break;
+ } else { /* verifyhostname */
+ rv = curl_easy_setopt(cd->mHandle, CURLOPT_SSL_VERIFYHOST, 2);
+ break;
+ }
+ } else {
+ // Since we don't know user intent in this case, assume the strictest.
+ mlogf(M_ERROR,M_SHOW,
+ "--- ERROR: Invalid value for sslIndicationReceiverCert, setting to: verifyhostname.\n");
+ fnl = "verifyhostname";
+ }
+ }
/*
* set up client side cert usage
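Review bot: The return value of `getControlChars("sslIndicationReceiverCert", &fnl)` is discarded, so if the lookup fails `fnl` reaches `strcasecmp` uninitialised or NULL (getControlChars is defined outside this hunk, so which of the two is inferred), whereas the `sslClientTrustStore` lookup a few lines further down is checked. Falling back to the strictest mode would match what the invalid-value branch already does: `if (getControlChars("sslIndicationReceiverCert", &fnl) != 0) fnl = "verifyhostname";`. The `rv` results for `CURLOPT_CAINFO`, `CURLOPT_SSL_VERIFYPEER` and `CURLOPT_SSL_VERIFYHOST` are overwritten without being tested; if setting `CURLOPT_CAINFO` fails, verification would presumably run against libcurl's default CA bundle instead of the configured trust store. libcurl documents the numeric options as `long`, so `0L`/`1L`/`2L` is the safe form in a variadic call. genRequest starts and ends outside this hunk.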
@@ -228,7 +258,7 @@ genRequest(CurlData * cd, char *url, char **msg)
rv = curl_easy_setopt(cd->mHandle, CURLOPT_FAILONERROR, 1);
// Turn this on to enable debugging
- // rv = curl_easy_setopt(mHandle, CURLOPT_VERBOSE, 1);
+ // rv = curl_easy_setopt(cd->mHandle, CURLOPT_VERBOSE, 1);
return 0;
}
diff --git a/sfcb.cfg.pre.in b/sfcb.cfg.pre.in
index 47a2acb..be7922a 100644
--- a/sfcb.cfg.pre.in
+++ b/sfcb.cfg.pre.in
@@ -172,15 +172,24 @@ enableHttps: @SFCB_CONF_HTTPS@
httpsPort: 5989
## Filename containing the private key for the server's certificate. The file
-## must be in PEM format and may not be passphrase-protected.
+## must be in PEM format and may not be passphrase-protected. The file is
+## relevant for both client connect and indications sent via https.
+## For client connect: the file must be present if enableHttps is true.
+## For indications: the file is required only if the indication receiver
+## will attempt to verify the sender (sfcb) certificate.
## Default is @sysconfdir@/sfcb/file.pem
sslKeyFilePath: @sysconfdir@/sfcb/file.pem
## Filename containing the server's certificate. Must be in PEM format.
+## The file is relevant for both client connect and indications sent via https.
+## For client connect: the file must be present if enableHttps is true.
+## For indications: the file is required only if the indication receiver
+## will attempt to verify the sender (sfcb) certificate.
## Default is @sysconfdir@/sfcb/server.pem
sslCertificateFilePath: @sysconfdir@/sfcb/server.pem
-## Filename containing list of certificates server accepts
+## Filename containing list of certificates server accepts.
+## The file is relevant client connect only.
## Default is @sysconfdir@/sfcb/clist.pem
sslCertList: @sysconfdir@/sfcb/clist.pem
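Review bot: The added sslCertList comment line is missing a word: `## The file is relevant client connect only.` should read `## The file is relevant for client connect only.`, matching the phrasing used for the other options in this hunk. The sslKeyFilePath text states the private key may not be passphrase-protected, and the new lines extend its use to outgoing indications, so a comment line recommending that the file be readable only by the sfcb service account would be a useful addition here.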
@@ -192,8 +201,23 @@ sslCertList: @sysconfdir@/sfcb/clist.pem
## Default is ignore
sslClientCertificate: ignore
-## Location of the trust store. If sslClientCertificate is set to "require",
+## How SFCB handles verification of the endpoint certificate when sending
+## an indication via https.
+## ignore - do not attempt to validate the endpoint certificate
+## verify - validate the certificate against known CA certs in the trust store;
+## do not send the indication if verification fails.
+## verifyhostname - additionally validate the certificate CN (common name)
+## against the indication handler Destination address;
+## do not send the indication if verification fails.
+## Default is ignore (always send the indication)
+sslIndicationReceiverCert: ignore
+
+## Location of the trust store. Contains one or more CA certificates.
+## The file is relevant for both client connect and indications sent via https.
+## For client connect: if sslClientCertificate is set to "require",
## certificate presented must present valid according to the trust store.
+## For indications: if sslIndicationReceiverCert is set to "verify" or
+## "verifyhostname", the endpoint's certificate is checked against this file.
## Default: @sysconfdir@/sfcb/client.pem
sslClientTrustStore: @sysconfdir@/sfcb/client.pem
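Review bot: The `verify` description does not say that the hostname is left unchecked, so an administrator may not realise that any certificate chaining to a CA in sslClientTrustStore is accepted for any Destination. A line such as `## (the certificate name is not matched against the Destination host)` under `verify` would make that explicit. The text also omits that indCIMXMLExport.c logs an error and treats an unrecognised value as `verifyhostname`. With the default left at `ignore` (here and in control.c), indications sent via https are delivered without authenticating the receiver, which the comment should state so that the choice is a conscious one.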
hooks/post-receive
--
SFCB - Small Footprint CIM Broker