louiz’ / biboumi / Commits / 5ce9d3f1

Commit 5ce9d3f1 authored Nov 05, 2015 by louiz’

Make the CA file configurable

parent e8386bd1

Showing 2 changed files with 40 additions and 5 deletions (+40 -5)
doc/biboumi.1.md (+6 -0)
louloulibs/network/credentials_manager.cpp (+34 -5)
doc/biboumi.1.md
@@ -114,6 +114,12 @@ The configuration file uses a simple format of the form
from 0 to 3. 0 is debug, 1 is info, 2 is warning, 3 is error. The
default is 0, but a more practical value for production use is 1.
`ca_file`
Specifies which file should be use as the list of trusted CA when
negociating a TLS session. By default this value is unset and biboumi
tries a list of well-known paths.
The configuration can be re-read at runtime (you can for example change the
log level without having to restart biboumi) by sending SIGUSR1 or SIGUSR2
(see kill(1)) to the process.
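Review bot: the new `ca_file` entry has three typos and leaves the precedence rule implicit. "should be use" should read "should be used", "trusted CA" should be "trusted CA certificates", and "negociating" should be "negotiating". It would also help to document what the accompanying code does when the option is set, namely that only that file is read and the list of well-known paths is not consulted as a fallback, and that if no bundle can be read biboumi only logs a warning and continues with an empty trust store, so TLS negotiation will then fail.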
louloulibs/network/credentials_manager.cpp
@@ -5,11 +5,22 @@
#include <network/credentials_manager.hpp>
#include <logger/logger.hpp>
#include <botan/tls_exceptn.h>
#include <config/config.hpp>
#ifdef USE_DATABASE
# include <database/database.hpp>
#endif
/**
* TODO find a standard way to find that out.
*/
static
const
std
::
vector
<
std
::
string
>
default_cert_files
=
{
"/etc/ssl/certs/ca-bundle.crt"
,
"/etc/pki/tls/certs/ca-bundle.crt"
,
"/etc/ssl/certs/ca-certificates.crt"
,
"/etc/ca-certificates/extracted/tls-ca-bundle.pem"
};
Botan
::
Certificate_Store_In_Memory
Basic_Credentials_Manager
::
certificate_store
;
bool
Basic_Credentials_Manager
::
certs_loaded
=
false
;
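Review bot: the new hard-coded `default_cert_files` list drops the one path the previous code used, `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem` (the line removed in the `load_certs()` hunk below), so a system that has only that file and none of the four new paths now starts with an empty trust store; consider keeping it in the list. The `TODO find a standard way to find that out.` comment would also read better if it said what "that" is (the location of the system CA bundle), since the list is the only hint.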
@@ -43,16 +54,34 @@ void Basic_Credentials_Manager::load_certs()
// Only load the certificates the first time
if
(
Basic_Credentials_Manager
::
certs_loaded
)
return
;
const
std
::
vector
<
std
::
string
>
paths
=
{
"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
};
const
std
::
string
conf_path
=
Config
::
get
(
"ca_file"
,
""
);
std
::
vector
<
std
::
string
>
paths
;
if
(
conf_path
.
empty
())
paths
=
default_cert_files
;
else
paths
.
push_back
(
conf_path
);
for
(
const
auto
&
path
:
paths
)
{
Botan
::
DataSource_Stream
bundle
(
path
);
while
(
!
bundle
.
end_of_data
()
&&
bundle
.
check_available
(
27
))
try
{
Botan
::
DataSource_Stream
bundle
(
path
);
log_debug
(
"Using ca bundle: "
<<
path
);
while
(
!
bundle
.
end_of_data
()
&&
bundle
.
check_available
(
27
))
{
const
Botan
::
X509_Certificate
cert
(
bundle
);
Basic_Credentials_Manager
::
certificate_store
.
add_certificate
(
cert
);
}
// Only use the first file that can successfully be read.
goto
success
;
}
catch
(
Botan
::
Stream_IO_Error
&
e
)
{
const
Botan
::
X509_Certificate
cert
(
bundle
);
Basic_Credentials_Manager
::
certificate_store
.
add_certificate
(
cert
);
log_debug
(
e
.
what
());
}
}
// If we could not open one of the files, print a warning
log_warning
(
"The CA could not be loaded, TLS negociation will probably fail."
);
success:
Basic_Credentials_Manager
::
certs_loaded
=
true
;
}
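Review bot: the failure path downgrades a missing or unreadable CA bundle to a warning and then falls through into the `success:` label, so `certs_loaded` is set to `true` even though nothing was loaded; the store stays empty for the lifetime of the process and `load_certs()` never retries. For an explicitly configured `ca_file` that is almost certainly a misconfiguration and should be reported as an error rather than a warning, and on the fallback path `certs_loaded` should stay `false` so a later call can try again. Two smaller points: the `catch` only handles `Botan::Stream_IO_Error`, so a bundle that opens but contains malformed PEM makes the `X509_Certificate` constructor throw a different Botan exception (a decoding error) that escapes `load_certs()` entirely, with the certificates parsed before the bad entry already in the store; and the warning text has a typo, `negociation` should be `negotiation`. The `goto success` could be replaced by a `bool loaded` flag checked after the loop, which reads more easily and removes the jump over the `log_warning` call.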