From 402cc31039f9612519468b76645edca9c063984b Mon Sep 17 00:00:00 2001
From: Fabian Mauchle
Date: Fri, 24 Mar 2017 11:05:18 +0100
Subject: [PATCH 1/3] create new cert_store before reloading CAs and CRLs
---
 ChangeLog | 1 +
 tlscommon.c | 1 +
 2 files changed, 2 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index 3195603..d4be0e1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -20,6 +20,7 @@ Changes between 1.6.8 and the master branch
 - Don't use a smaller pthread stack size than what's allowed.
 - Don't follow NULL the pointer at debug level 5 (RADSECPROXY-68).
 - Avoid a deadlock situation with dynamic servers (RADSECPROXY-73).
+ - Completely reload CAs and CRLs with cacheExpiry (RADSECPROXY-50).
 
 2016-09-21 1.6.8
 Bug fixes:
diff --git a/tlscommon.c b/tlscommon.c
index f71cc11..842b955 100644
--- a/tlscommon.c
+++ b/tlscommon.c
@@ -153,6 +153,7 @@ static int tlsaddcacrl(SSL_CTX *ctx, struct tls *conf) {
 X509_STORE *x509_s;
 unsigned long error;
 
+ SSL_CTX_set_cert_store(ctx, X509_STORE_new());
 if (!SSL_CTX_load_verify_locations(ctx, conf->cacertfile, conf->cacertpath)) {
 while ((error = ERR_get_error()))
 debug(DBG_ERR, "SSL: %s", ERR_error_string(error, NULL));
From 4f223d37143a1315cb756a17268c6af7673eed34 Mon Sep 17 00:00:00 2001
From: Fabian Mauchle
Date: Fri, 24 Mar 2017 14:04:01 +0100
Subject: [PATCH 2/3] Reload TLS certificate CRLs on SIGHUP
---
 ChangeLog | 1 +
 radsecproxy.c | 3 +++
 tlscommon.c | 17 +++++++++++++++++
 tlscommon.h | 1 +
 4 files changed, 22 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index d4be0e1..c23f2cb 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,6 +6,7 @@ Changes between 1.6.8 and the master branch
 
 Enhancements:
 - Support the use of OpenSSL version 1.1 series (RADSECPROXY-66).
+ - Reload TLS certificate CRLs on SIGHUP
 
 Misc:
 - libnettle is now an unconditional dependency.
diff --git a/radsecproxy.c b/radsecproxy.c
index fe76f7c..f88d18c 100644
--- a/radsecproxy.c
+++ b/radsecproxy.c
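Review bot: The added line in tlsaddcacrl passes `X509_STORE_new()` straight to `SSL_CTX_set_cert_store` without a NULL check, so an allocation failure leaves `ctx` with no store right before `SSL_CTX_load_verify_locations` is asked to load into it. Allocate into a local first: `X509_STORE *store = X509_STORE_new();` / `if (!store) { debug(DBG_ERR, "tlsaddcacrl: X509_STORE_new failed"); return 0; }` / `SSL_CTX_set_cert_store(ctx, store);` (assuming 0 is this function's failure value, as the unchecked-load branch below suggests; the function continues past the hunk). `SSL_CTX_set_cert_store` also frees the store the context owned until now, so if another thread can be verifying a peer against the same `ctx` at that moment — on the cacheExpiry path, and on the SIGHUP path the second patch adds — that verification may touch freed memory unless reloads are serialized with context use; worth confirming what lock, if any, tlsgetctx holds around this call. The same concern applies to the tlsreloadcrls hunks of patches 2 and 3, which call this function on live contexts.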
@@ -3250,6 +3250,9 @@ void *sighandler(void *arg) {
 case SIGHUP:
 debug(DBG_INFO, "sighandler: got SIGHUP");
 debug_reopen_log();
+#if defined(RADPROT_TLS) || defined(RADPROT_DTLS)
+ tlsreloadcrls();
+#endif
 break;
 case SIGPIPE:
 debug(DBG_WARN, "sighandler: got SIGPIPE, TLS write error?");
diff --git a/tlscommon.c b/tlscommon.c
index 842b955..d2453be 100644
--- a/tlscommon.c
+++ b/tlscommon.c
@@ -335,6 +335,23 @@ SSL_CTX *tlsgetctx(uint8_t type, struct tls *t) {
 return NULL;
 }
 
+void tlsreloadcrls() {
+ struct tls *conf;
+ struct hash_entry *entry;
+
+ for(entry = hash_first(tlsconfs); entry; entry = hash_next(entry)) {
+ conf = (struct tls *)entry->data;
+#ifdef RADPROT_TLS
+ if(conf->tlsctx)
+ tlsaddcacrl(conf->tlsctx, conf);
+#endif
+#ifdef RADPROT_DTLS
+ if(conf->dtlsctx)
+ tlsaddcacrl(conf->dtlsctx, conf);
+#endif
+ }
+}
+
 X509 *verifytlscert(SSL *ssl) {
 X509 *cert;
 unsigned long error;
diff --git a/tlscommon.h b/tlscommon.h
index 5f8f149..2b98a9c 100644
--- a/tlscommon.h
+++ b/tlscommon.h
@@ -33,6 +33,7 @@ X509 *verifytlscert(SSL *ssl);
 int verifyconfcert(X509 *cert, struct clsrvconf *conf);
 int conftls_cb(struct gconffile **cf, void *arg, char *block, char *opt, char *val);
 int addmatchcertattr(struct clsrvconf *conf);
+void tlsreloadcrls();
 
 #endif
 /* Local Variables: */
From 05b832e03eb2a9dbf73bb672aa24d5dcad70c83b Mon Sep 17 00:00:00 2001
From: Fabian Mauchle
Date: Fri, 24 Mar 2017 14:39:41 +0100
Subject: [PATCH 3/3] Reset expiry timers when reloading CRLs on SIGHUP
---
 tlscommon.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/tlscommon.c b/tlscommon.c
index d2453be..8ca67f0 100644
--- a/tlscommon.c
+++ b/tlscommon.c
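Review bot: `tlsreloadcrls()` is called from the SIGHUP branch with nothing logged around it, so an operator who reloads CRLs has no line to tie any following `SSL:` error output to; a `debug(DBG_INFO, "sighandler: reloading TLS CAs and CRLs");` before the call would make the reload attributable in the log. The call is only safe here if `sighandler` is the dedicated signal-handling thread (blocking in sigwait or similar) rather than an installed asynchronous handler, since OpenSSL store operations are not async-signal-safe; the `void *sighandler(void *arg)` signature suggests the former, but the setup is outside the hunk. The rest of the switch is outside the hunk as well.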
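Review bot: The return value of `tlsaddcacrl` is discarded in both branches of tlsreloadcrls, and because the first patch makes tlsaddcacrl replace the context's store before loading, a reload that fails (missing or unreadable CA/CRL file) silently leaves a live context with an empty store, after which every peer verification against it fails until the next reload. Report it per configuration, e.g. `if (!tlsaddcacrl(conf->tlsctx, conf))` / `debug(DBG_ERR, "tlsreloadcrls: failed to reload CAs/CRLs for %s", conf->name);` and likewise for `dtlsctx` (assuming tlsaddcacrl returns 0 on failure and the block's name lives in `conf->name`; neither is visible here). The loop also walks `tlsconfs` and mutates contexts without any visible lock, which is fine only if the hash is immutable after startup and a SIGHUP reload cannot overlap the cacheExpiry reload in tlsgetctx — worth confirming. The third patch's rewrite of this function keeps the same unchecked calls.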
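Review bot: `void tlsreloadcrls();` declares the function with an unspecified parameter list rather than a prototype, so a call passing stray arguments compiles without a diagnostic; write `void tlsreloadcrls(void);` here and the same in the definition in tlscommon.c (patch 2, and its rewrite in patch 3). A one-line comment above the declaration would also help callers, e.g. `/* Re-read the CA and CRL files of every configured tls block into its live TLS/DTLS contexts (called on SIGHUP). */`.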
@@ -338,16 +338,25 @@ SSL_CTX *tlsgetctx(uint8_t type, struct tls *t) {
 void tlsreloadcrls() {
 struct tls *conf;
 struct hash_entry *entry;
+ struct timeval now;
+
+ gettimeofday(&now, NULL);
 
- for(entry = hash_first(tlsconfs); entry; entry = hash_next(entry)) {
+ for (entry = hash_first(tlsconfs); entry; entry = hash_next(entry)) {
 conf = (struct tls *)entry->data;
 #ifdef RADPROT_TLS
- if(conf->tlsctx)
+ if (conf->tlsctx) {
+ if (conf->tlsexpiry)
+ conf->tlsexpiry = now.tv_sec + conf->cacheexpiry;
 tlsaddcacrl(conf->tlsctx, conf);
+ }
 #endif
 #ifdef RADPROT_DTLS
- if(conf->dtlsctx)
+ if (conf->dtlsctx) {
+ if (conf->dtlsexpiry)
+ conf->dtlsexpiry = now.tv_sec + conf->cacheexpiry;
 tlsaddcacrl(conf->dtlsctx, conf);
+ }
 #endif
 }
 }
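Review bot: The cache expiry is pushed out by `cacheexpiry` seconds before `tlsaddcacrl` runs, so when the reload fails the cacheExpiry path in tlsgetctx will not retry for a full period while the context is left in whatever state the failed reload produced; reset the timer only after a successful reload, `if (tlsaddcacrl(conf->tlsctx, conf) && conf->tlsexpiry)` / `conf->tlsexpiry = now.tv_sec + conf->cacheexpiry;` and the same for the DTLS branch (assuming tlsaddcacrl returns non-zero on success, which is not visible here). The `gettimeofday` result is unchecked and only `tv_sec` is used, so `time_t now = time(NULL);` says the same with less. The TLS and DTLS branches are now line-for-line duplicates apart from the field names, which is the kind of code that drifts apart on the next fix. The function ends inside the hunk.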