Lev,
I thought the core already did that server cert verification (controlled
by some config setting). If it doesn't it should. I'll track it down
later today or tomorrow.
But even so, offering a plugin hook point on the handshake with the
origin server seems valuable as well. The ssl_cert_cb as offered by
openssl is not that point. It gets called when you select a
certificate, so if ATS was providing a client certificate, it would be
called. But I assume there is some other callback that gets triggered
after server hello in all cases.
Susan
On 1/29/2015 1:30 AM, Lev Stipakov wrote:
Hi Susan,
Is it so that TS_SSL_CERT_HOOK will (could?) also be called for
server certificates inside the ServerHello handler?
In this case ATS, being an SSL proxy, could provide a way to validate
the server cert chain and prevent a MITM attack if the browser (for example)
has a 3rd party Root CA installed.
-Lev
2015-01-27 21:58 GMT+02:00 Susan Hinrichs <shinr...@network-geographics.com>:
I've rejiggered things to be in a single callback, and I think it looks a
lot simpler for the plugin writer. As you noted multiple callbacks can be
confusing.
I'm going to let my changes rest overnight and post them tomorrow for
review.
On 1/27/2015 11:04 AM, Roland Zink wrote:
It is quite possible that the SNI option is used to select an appropriate
certificate (usually web servers do this); when a plugin tries to do this, then
the existence of more than one callback to do this could be confusing. SNI
is a TLS option but there are others like ALPN, so all of them could
potentially be in one callback.
Regards,
Roland
-----Original Message-----
From: Susan Hinrichs [mailto:shinr...@network-geographics.com]
Sent: Tuesday, January 27, 2015 5:34 PM
To: dev@trafficserver.apache.org
Subject: Re: Certificate process in openssl 1.0.2
On 1/27/2015 10:30 AM, James Peach wrote:
On Jan 27, 2015, at 8:18 AM, Susan Hinrichs
<shinr...@network-geographics.com> wrote:
Originally, I was planning on leaving in plugin support for both the SNI
callback and the cert callback. But as I reflect, I question that decision.
I think it adds complexity without giving more power to the plugin writer.
Both callbacks take place at the same point in the handshake. From both
callbacks you can set the certificate. Depending on the version and patch
level, only one of the callbacks will let you pause processing.
Perhaps it is better to support only one point for the plugin to call back
after the client hello during the handshake processing? If we did that, ATS
could adapt depending on the linked version of openssl and the plugin would
not change. I'd still add a TS_SSL_CERT_HOOK for clarity, but I'd make it
the same value as TS_SSL_SNI_HOOK.
Why do you need to make this change? What is the compatibility impact?
Well, we do need to support the certificate callbacks in openssl 1.0.2, so
we have a means to pause handshake processing to load certificates, etc. in a
stock version of openssl.
If openssl 1.0.1 is linked, it would execute the plugin's callback
during the SNI callback. If openssl 1.0.2 is linked, it would execute the
plugin's callback during the certificate callback.
Did openssl 1.0.1 contain your patch? If there is no released version of
openssl that contains the original callback you added, what is it that we
need to support?
My patch was not rolled into openssl. The only reason to continue to
support it is that we had previously supported it. If you are unable to
move to openssl 1.0.2, then at least you can patch up openssl 1.0.1 (though
if you can run with a patched version, you can likely upgrade too).
My second idea would have the least impact upon people who have already
invested effort in writing plugins on the SNI callback.
Judging from your questions, you don't see a reason to support both an SNI
callback and a certificate callback either. Is that right?
What are people's thoughts?
Thanks,
Susan
On 1/27/2015 10:08 AM, Susan Hinrichs wrote:
Hi All,
With 1.0.2, openssl expanded their support of the certificate callback
to handle pausing processing during the SSL handshake negotiation. This
replaces the functionality I added to the SNI callback in my patch for
openssl 1.0.1.
With TS-3319, I'm updating the ATS callback logic to support the
certificate callback if you are compiling against openssl 1.0.2.
There is a new hook constant, TS_SSL_CERT_HOOK. If you had an SNI
callback that was pausing the handshake to make decisions about the
certificate, you can move it from the TS_SSL_SNI_HOOK to the
TS_SSL_CERT_HOOK.
I'm finishing tidying up TS-3319. It should be ready later today or
tomorrow.
Susan
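The following is an added example, not Traffic Server code and not from anyone in this thread. It models the two points made above: Susan's proposal to expose a single plugin hook (TS_SSL_CERT_HOOK defined as the same value as TS_SSL_SNI_HOOK) and have ATS decide from the linked OpenSSL version whether the plugin runs inside the SNI callback (1.0.1) or the certificate callback (1.0.2), and her note that only the 1.0.2 certificate callback can pause the handshake in a stock OpenSSL. The ATS and OpenSSL structures (TSHttpHookAdd, SSL*, the callback registration) are replaced by small stand-ins so the file builds with no dependencies; the OPENSSL_VERSION_NUMBER constants, the MODEL_SNI_PAUSE code for a patched 1.0.1, and the sample plugin's certificate table are assumptions made for the example. The cert_cb return codes (1 continue, -1 suspend with SSL_ERROR_WANT_X509_LOOKUP) and SSL_TLSEXT_ERR_OK are OpenSSL's real values.

```c
/* Added example: a stand-alone model of the single-hook design discussed in
 * this thread. Not ATS code; all ATS/OpenSSL types are stand-ins. */
#include <stdio.h>
#include <string.h>

/* OPENSSL_VERSION_NUMBER values for the two releases the thread names.
 * The MNNFFPPS encoding is OpenSSL's; the exact patch digits are assumed. */
#define OSSL_1_0_1 0x1000100fL
#define OSSL_1_0_2 0x1000200fL

/* Real OpenSSL return codes for the two callbacks. */
#define SSL_TLSEXT_ERR_OK 0   /* SNI callback: continue the handshake          */
#define CERT_CB_CONTINUE 1    /* cert_cb: certificate chosen, carry on          */
#define CERT_CB_SUSPEND (-1)  /* cert_cb: SSL_do_handshake -> WANT_X509_LOOKUP  */
#define MODEL_SNI_PAUSE 100   /* assumed: pause code of a patched 1.0.1 SNI cb  */

/* Plugin-facing hook ids as Susan proposes: one hook point, two names. */
typedef enum { TS_SSL_SNI_HOOK = 0, TS_SSL_CERT_HOOK = TS_SSL_SNI_HOOK } TSSslHookID;

typedef enum { HANDSHAKE_CONTINUED = 0, HANDSHAKE_PAUSED = 1 } HandshakeState;

/* Stand-in for SSL*: only the SNI name from the ClientHello matters here. */
typedef struct { const char *servername; } ModelSSL;

/* A plugin continuation returns 1 to ask the proxy to pause (e.g. to load a
 * certificate asynchronously) and 0 to let the handshake continue. */
typedef int (*PluginCb)(const ModelSSL *ssl);

static PluginCb registered_cb = NULL;

/* Stand-in for TSHttpHookAdd(): both ids resolve to the same slot. */
static void model_hook_add(TSSslHookID id, PluginCb cb) {
  (void)id; /* TS_SSL_CERT_HOOK == TS_SSL_SNI_HOOK, so the id cannot matter */
  registered_cb = cb;
}

/* OpenSSL 1.0.1 path. A stock SNI callback cannot suspend the handshake: a
 * plugin request to pause is dropped and SSL_TLSEXT_ERR_OK is returned.
 * sni_patched models a 1.0.1 carrying the pause patch from the thread. */
static int model_sni_callback(const ModelSSL *ssl, int sni_patched, HandshakeState *state) {
  int want_pause = registered_cb ? registered_cb(ssl) : 0;
  if (want_pause && sni_patched) {
    *state = HANDSHAKE_PAUSED;
    return MODEL_SNI_PAUSE;
  }
  if (want_pause)
    fprintf(stderr, "stock 1.0.1: SNI callback cannot pause, continuing\n");
  *state = HANDSHAKE_CONTINUED;
  return SSL_TLSEXT_ERR_OK;
}

/* OpenSSL 1.0.2 path. The SSL_CTX_set_cert_cb callback may return -1 to
 * suspend; the proxy resumes later by calling SSL_do_handshake again. */
static int model_cert_cb(const ModelSSL *ssl, HandshakeState *state) {
  int want_pause = registered_cb ? registered_cb(ssl) : 0;
  *state = want_pause ? HANDSHAKE_PAUSED : HANDSHAKE_CONTINUED;
  return want_pause ? CERT_CB_SUSPEND : CERT_CB_CONTINUE;
}

/* The proxy's ClientHello handling: one plugin hook, callback chosen by the
 * linked OpenSSL version, so the plugin is unchanged across versions. */
HandshakeState dispatch_client_hello(long openssl_version, int sni_patched, const ModelSSL *ssl) {
  HandshakeState state;
  if (openssl_version >= OSSL_1_0_2)
    model_cert_cb(ssl, &state);
  else
    model_sni_callback(ssl, sni_patched, &state);
  return state;
}

/* Sample plugin (constructed): certificates for these names are already in
 * memory; any other name needs an asynchronous lookup, so it asks to pause. */
static const char *const preloaded[] = { "www.example.com", "api.example.com" };

static int sample_plugin(const ModelSSL *ssl) {
  size_t i;
  if (ssl->servername == NULL)
    return 0; /* no SNI: let the default certificate be used */
  for (i = 0; i < sizeof preloaded / sizeof preloaded[0]; i++)
    if (strcmp(ssl->servername, preloaded[i]) == 0)
      return 0;
  return 1;
}

/* Register the sample plugin on TS_SSL_CERT_HOOK and process one hello. */
HandshakeState run_hello(long openssl_version, int sni_patched, const char *name) {
  ModelSSL ssl = { name };
  model_hook_add(TS_SSL_CERT_HOOK, sample_plugin);
  return dispatch_client_hello(openssl_version, sni_patched, &ssl);
}

int main(void) {
  const char *name = "other.example.org";
  printf("1.0.2, %s: %s\n", name, run_hello(OSSL_1_0_2, 0, name) == HANDSHAKE_PAUSED ? "paused" : "continued");
  printf("stock 1.0.1, %s: %s\n", name, run_hello(OSSL_1_0_1, 0, name) == HANDSHAKE_PAUSED ? "paused" : "continued");
  printf("patched 1.0.1, %s: %s\n", name, run_hello(OSSL_1_0_1, 1, name) == HANDSHAKE_PAUSED ? "paused" : "continued");
  return 0;
}
```

The point the model makes explicit is the one Susan raises about stock 1.0.1: a plugin written against TS_SSL_SNI_HOOK that relies on pausing silently loses that ability unless OpenSSL is patched or upgraded to 1.0.2, which is why the thread recommends moving such plugins to TS_SSL_CERT_HOOK.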