Commit 5ce9d3f1 authored by louiz’'s avatar louiz’

Make the CA file configurable

parent e8386bd1
...@@ -114,6 +114,12 @@ The configuration file uses a simple format of the form ...@@ -114,6 +114,12 @@ The configuration file uses a simple format of the form
from 0 to 3. 0 is debug, 1 is info, 2 is warning, 3 is error. The from 0 to 3. 0 is debug, 1 is info, 2 is warning, 3 is error. The
default is 0, but a more practical value for production use is 1. default is 0, but a more practical value for production use is 1.
`ca_file`
Specifies which file should be use as the list of trusted CA when
negociating a TLS session. By default this value is unset and biboumi
tries a list of well-known paths.
The configuration can be re-read at runtime (you can for example change the The configuration can be re-read at runtime (you can for example change the
log level without having to restart biboumi) by sending SIGUSR1 or SIGUSR2 log level without having to restart biboumi) by sending SIGUSR1 or SIGUSR2
(see kill(1)) to the process. (see kill(1)) to the process.
......
...@@ -5,11 +5,22 @@ ...@@ -5,11 +5,22 @@
#include <network/credentials_manager.hpp> #include <network/credentials_manager.hpp>
#include <logger/logger.hpp> #include <logger/logger.hpp>
#include <botan/tls_exceptn.h> #include <botan/tls_exceptn.h>
#include <config/config.hpp>
#ifdef USE_DATABASE #ifdef USE_DATABASE
# include <database/database.hpp> # include <database/database.hpp>
#endif #endif
/**
* TODO find a standard way to find that out.
*/
static const std::vector<std::string> default_cert_files = {
"/etc/ssl/certs/ca-bundle.crt",
"/etc/pki/tls/certs/ca-bundle.crt",
"/etc/ssl/certs/ca-certificates.crt",
"/etc/ca-certificates/extracted/tls-ca-bundle.pem"
};
Botan::Certificate_Store_In_Memory Basic_Credentials_Manager::certificate_store; Botan::Certificate_Store_In_Memory Basic_Credentials_Manager::certificate_store;
bool Basic_Credentials_Manager::certs_loaded = false; bool Basic_Credentials_Manager::certs_loaded = false;
...@@ -43,16 +54,34 @@ void Basic_Credentials_Manager::load_certs() ...@@ -43,16 +54,34 @@ void Basic_Credentials_Manager::load_certs()
// Only load the certificates the first time // Only load the certificates the first time
if (Basic_Credentials_Manager::certs_loaded) if (Basic_Credentials_Manager::certs_loaded)
return; return;
const std::vector<std::string> paths = {"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"}; const std::string conf_path = Config::get("ca_file", "");
std::vector<std::string> paths;
if (conf_path.empty())
paths = default_cert_files;
else
paths.push_back(conf_path);
for (const auto& path: paths) for (const auto& path: paths)
{ {
Botan::DataSource_Stream bundle(path); try
while (!bundle.end_of_data() && bundle.check_available(27)) {
Botan::DataSource_Stream bundle(path);
log_debug("Using ca bundle: " << path);
while (!bundle.end_of_data() && bundle.check_available(27))
{
const Botan::X509_Certificate cert(bundle);
Basic_Credentials_Manager::certificate_store.add_certificate(cert);
}
// Only use the first file that can successfully be read.
goto success;
}
catch (Botan::Stream_IO_Error& e)
{ {
const Botan::X509_Certificate cert(bundle); log_debug(e.what());
Basic_Credentials_Manager::certificate_store.add_certificate(cert);
} }
} }
// If we could not open one of the files, print a warning
log_warning("The CA could not be loaded, TLS negociation will probably fail.");
success:
Basic_Credentials_Manager::certs_loaded = true; Basic_Credentials_Manager::certs_loaded = true;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment