From 086afd1f490f1184dfb66e20a48fb24e9c59ee89 Mon Sep 17 00:00:00 2001
From: Nathan French
Date: Mon, 18 Dec 2017 17:36:25 -0500
Subject: [PATCH] example_https_server now uses htp_sslutil_verify2opts
---
 examples/https/README.md | 9 +++---
 examples/https/example_https_server.c | 44 +++++++++++++--------------
 2 files changed, 25 insertions(+), 28 deletions(-)
diff --git a/examples/https/README.md b/examples/https/README.md
index 075cf17..ea95044 100644
--- a/examples/https/README.md
+++ b/examples/https/README.md
@@ -9,7 +9,8 @@ After running `make examples`, if SSL is enabled, you can quickly test HTTPS, wi
 # Run the server
 ./examples/example_https_server \
 -cert examples/https/server-crt.pem \
- -key examples/https/server-key.pem
+ -key examples/https/server-key.pem \
+ -verify-client off
 # Make a request
 curl -vk https://localhost:4443/
@@ -20,16 +21,14 @@ curl -vk https://localhost:4443/
 -cert examples/https/server-crt.pem \
 -key examples/https/server-key.pem \
 -ca examples/https/ca-crt.pem \
- -verify-peer \
- -verify-depth 2 \
- -enforce-peer-cert
+ -verify-client on \
+ -verify-depth 2
 # Make a request with the client key
 curl -kv \
 --key examples/https/client1-key.pem \
 --cert examples/https/client1-crt.pem \
 https://localhost:4443/
-
 ```
 The output (with client-certs) should look like:
diff --git a/examples/https/example_https_server.c b/examples/https/example_https_server.c
index 586f2d4..9dbe795 100644
--- a/examples/https/example_https_server.c
+++ b/examples/https/example_https_server.c
@@ -74,7 +74,6 @@ enum {
 OPTARG_CAPATH,
 OPTARG_CIPHERS,
 OPTARG_VERIFY_PEER,
- OPTARG_ENFORCE_PEER_CERT,
 OPTARG_VERIFY_DEPTH,
 OPTARG_ENABLE_CACHE,
 OPTARG_CACHE_TIMEOUT,
@@ -91,8 +90,11 @@ static const char * help =
 " -ca : File of PEM-encoded Server CA Certificates\n"
 " -capath : Directory of PEM-encoded CA Certificates for Client Auth\n"
 " -ciphers : Accepted SSL Ciphers\n"
- " -verify-peer : Enable SSL client verification\n"
- " -enforce-peer-cert : Reject clients without a cert\n"
+ " -verify-client (on | off | optional)\n"
+ " Enables verification of client certificates. \n"
+ " on : the client has to present a valid cert \n"
+ " off : no client cert is required at all \n"
+ " optional : the client may present a valid cert \n"
 " -verify-depth : Maximum depth of CA Certificates in Client Certificate verification\n"
 " -enable-protocol

: Enable one of the following protocols: SSLv2, SSLv3, TLSv1, or ALL\n" " -disable-protocol

: Disable one of the following protocols: SSLv2, SSLv3, TLSv1, or ALL\n" 
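Review bot: The new help lines for `-verify-client` under-specify what `on` and `optional` actually enforce, which matters because operators read this text to decide whether clients are authenticated. If the helper maps `optional` to SSL_VERIFY_PEER alone, as the removed `-verify-peer` flag did in the last hunk, then a presented certificate that fails to verify still aborts the handshake, and neither `on` nor `optional` can verify anything unless `-ca` or `-capath` supplies a trust store. I would tighten the two lines to `" on : a client cert is required and must verify against -ca/-capath \n"` and `" optional : a client cert is not required, but one that is presented must verify \n"`. This is a documentation-only suggestion; the `help` string begins before the hunk, and the `-enable-protocol`/`-disable-protocol` lines appear to have lost an argument placeholder in extraction.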
@@ -110,22 +112,21 @@ parse__ssl_opts_(int argc, char ** argv) {
 ssl_config->ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1;
 static struct option long_options[] = {
- { "cert", required_argument, 0, OPTARG_CERT },
- { "key", required_argument, 0, OPTARG_KEY },
- { "ca", required_argument, 0, OPTARG_CA },
- { "capath", required_argument, 0, OPTARG_CAPATH },
- { "ciphers", required_argument, 0, OPTARG_CIPHERS },
- { "verify-peer", no_argument, 0, OPTARG_VERIFY_PEER },
- { "enforce-peer-cert", no_argument, 0, OPTARG_ENFORCE_PEER_CERT },
- { "verify-depth", required_argument, 0, OPTARG_VERIFY_DEPTH },
- { "enable-cache", no_argument, 0, OPTARG_ENABLE_CACHE },
- { "cache-timeout", required_argument, 0, OPTARG_CACHE_TIMEOUT },
- { "cache-size", required_argument, 0, OPTARG_CACHE_SIZE },
- { "enable-protocol", required_argument, 0, OPTARG_ENABLE_PROTOCOL },
- { "disable-protocol", required_argument, 0, OPTARG_DISABLE_PROTOCOL },
- { "ctx-timeout", required_argument, 0, OPTARG_CTX_TIMEOUT },
- { "help", no_argument, 0, 'h' },
- { NULL, 0, 0, 0 }
+ { "cert", required_argument, 0, OPTARG_CERT },
+ { "key", required_argument, 0, OPTARG_KEY },
+ { "ca", required_argument, 0, OPTARG_CA },
+ { "capath", required_argument, 0, OPTARG_CAPATH },
+ { "ciphers", required_argument, 0, OPTARG_CIPHERS },
+ { "verify-client", required_argument, 0, OPTARG_VERIFY_PEER },
+ { "verify-depth", required_argument, 0, OPTARG_VERIFY_DEPTH },
+ { "enable-cache", no_argument, 0, OPTARG_ENABLE_CACHE },
+ { "cache-timeout", required_argument, 0, OPTARG_CACHE_TIMEOUT },
+ { "cache-size", required_argument, 0, OPTARG_CACHE_SIZE },
+ { "enable-protocol", required_argument, 0, OPTARG_ENABLE_PROTOCOL },
+ { "disable-protocol", required_argument, 0, OPTARG_DISABLE_PROTOCOL },
+ { "ctx-timeout", required_argument, 0, OPTARG_CTX_TIMEOUT },
+ { "help", no_argument, 0, 'h' },
+ { NULL, 0, 0, 0 }
 };
 while ((opt = getopt_long_only(argc, argv, "", long_options, &long_index)) != -1) {
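Review bot: The rewritten table maps the new `"verify-client"` option to the old enumerator `OPTARG_VERIFY_PEER`, so the flag name, the enumerator and the help text no longer agree, and a reader following the `case OPTARG_VERIFY_PEER:` label in the last hunk has to know that it now handles a three-valued `-verify-client` argument. I would rename the enumerator to `OPTARG_VERIFY_CLIENT` here, in the enum changed by the first hunk, and at the case label, e.g. `{ "verify-client", required_argument, 0, OPTARG_VERIFY_CLIENT },`. This is a naming point only; the parsing behaviour is unaffected, and parse__ssl_opts_ begins before and ends after the hunk.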
@@ -152,10 +153,7 @@ parse__ssl_opts_(int argc, char ** argv) {
 ssl_config->verify_depth = atoi(optarg);
 break;
 case OPTARG_VERIFY_PEER:
- ssl_verify_mode |= SSL_VERIFY_PEER;
- break;
- case OPTARG_ENFORCE_PEER_CERT:
- ssl_verify_mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
+ ssl_verify_mode = htp_sslutil_verify2opts(optarg);
 break;
 case OPTARG_ENABLE_CACHE:
 ssl_config->scache_type = evhtp_ssl_scache_type_internal;
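Review bot: The result of `htp_sslutil_verify2opts(optarg)` is stored into `ssl_verify_mode` with no check for an unrecognized argument, so a typo such as `-verify-client onn` is accepted silently and the server starts with whatever the helper returns for unknown input, which for a client-authentication knob means the misconfiguration fails open rather than loudly. The helper's body is not visible here; assuming it reports bad input with a negative sentinel, the assignment should be followed by `if (ssl_verify_mode < 0) { fprintf(stderr, "invalid -verify-client value '%s'\n", optarg); exit(EXIT_FAILURE); }`, adjusted to whatever value it actually uses. Note also that the accumulating `|=` of the removed lines has become a plain `=`, so repeated `-verify-client` flags are now last-wins; that is the intended semantics for a three-valued option but deserves a one-line comment. parse__ssl_opts_ starts and ends outside the hunk.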