Committing svn revision 39666: Merged [39537] [39539] [39631] : Fixes ZCP-11212
john
11 years ago
| 219 | 219 | { "log_timestamp", "1" }, |
| 220 | 220 | { "ssl_private_key_file", "/etc/zarafa/ical/privkey.pem" }, |
| 221 | 221 | { "ssl_certificate_file", "/etc/zarafa/ical/cert.pem" }, |
| 222 | { "ssl_enable_v2", "no" }, | |
| 222 | 223 | { "ssl_verify_client", "no" }, |
| 223 | 224 | { "ssl_verify_file", "" }, |
| 224 | 225 | { "ssl_verify_path", "" }, |
| 49 | 49 | #include "platform.h" |
| 50 | 50 | |
| 51 | 51 | #include "ECChannel.h" |
| 52 | #include "stringutil.h" | |
| 52 | 53 | #include <sys/types.h> |
| 53 | 54 | #include <sys/select.h> |
| 54 | 55 | #include <sys/socket.h> |
| 103 | 104 | |
| 104 | 105 | SSL_library_init(); |
| 105 | 106 | SSL_load_error_strings(); |
| 106 | lpCTX = SSL_CTX_new(SSLv23_server_method()); | |
| 107 | if (parseBool(lpConfig->GetSetting("ssl_enable_v2", "", "no"))) | |
| 108 | lpCTX = SSL_CTX_new(SSLv23_server_method()); | |
| 109 | else | |
| 110 | lpCTX = SSL_CTX_new(SSLv3_server_method()); | |
| 107 | 111 | SSL_CTX_set_options(lpCTX, SSL_OP_ALL); |
| 108 | 112 | SSL_CTX_set_default_verify_paths(lpCTX); |
| 109 | 113 | |
| 79 | 79 | void ssl_threading_setup() { |
| 80 | 80 | if (ssl_locks) |
| 81 | 81 | return; |
| 82 | pthread_mutexattr_t mattr; | |
| 83 | // make recursive, because of openssl bug http://rt.openssl.org/Ticket/Display.html?id=2813&user=guest&pass=guest | |
| 84 | pthread_mutexattr_init(&mattr); | |
| 85 | pthread_mutexattr_settype(&mattr, PTHREAD_MUTEX_RECURSIVE); | |
| 82 | 86 | ssl_locks = new pthread_mutex_t[CRYPTO_num_locks()]; |
| 83 | 87 | for (int i=0; i < CRYPTO_num_locks(); i++) |
| 84 | pthread_mutex_init(&ssl_locks[i], NULL); | |
| 88 | pthread_mutex_init(&ssl_locks[i], &mattr); | |
| 85 | 89 | CRYPTO_set_locking_callback(ssl_lock); |
| 86 | 90 | // no need to set on win32 (or maybe use GetCurrentThreadId) |
| 87 | 91 | CRYPTO_set_id_callback(ssl_id_function); |
| 46 | 46 | * |
| 47 | 47 | */ |
| 48 | 48 | |
| 49 | #define PROJECT_VERSION_SERVER 7,1,3,39277 | |
| 50 | #define PROJECT_VERSION_SERVER_STR "7,1,3,39277" | |
| 51 | #define PROJECT_VERSION_CLIENT 7,1,3,39277 | |
| 52 | #define PROJECT_VERSION_CLIENT_STR "7,1,3,39277" | |
| 53 | #define PROJECT_VERSION_EXT_STR "7,1,3,39277" | |
| 54 | #define PROJECT_VERSION_SPOOLER_STR "7,1,3,39277" | |
| 55 | #define PROJECT_VERSION_GATEWAY_STR "7,1,3,39277" | |
| 56 | #define PROJECT_VERSION_CALDAV_STR "7,1,3,39277" | |
| 57 | #define PROJECT_VERSION_DAGENT_STR "7,1,3,39277" | |
| 58 | #define PROJECT_VERSION_PROFADMIN_STR "7,1,3,39277" | |
| 59 | #define PROJECT_VERSION_MONITOR_STR "7,1,3,39277" | |
| 60 | #define PROJECT_VERSION_PASSWD_STR "7,1,3,39277" | |
| 61 | #define PROJECT_VERSION_FBSYNCER_STR "7,1,3,39277" | |
| 62 | #define PROJECT_VERSION_SEARCH_STR "7,1,3,39277" | |
| 63 | #define PROJECT_VERSION_ARCHIVER_STR "7,1,3,39277" | |
| 49 | #define PROJECT_VERSION_SERVER 7,1,3,39666 | |
| 50 | #define PROJECT_VERSION_SERVER_STR "7,1,3,39666" | |
| 51 | #define PROJECT_VERSION_CLIENT 7,1,3,39666 | |
| 52 | #define PROJECT_VERSION_CLIENT_STR "7,1,3,39666" | |
| 53 | #define PROJECT_VERSION_EXT_STR "7,1,3,39666" | |
| 54 | #define PROJECT_VERSION_SPOOLER_STR "7,1,3,39666" | |
| 55 | #define PROJECT_VERSION_GATEWAY_STR "7,1,3,39666" | |
| 56 | #define PROJECT_VERSION_CALDAV_STR "7,1,3,39666" | |
| 57 | #define PROJECT_VERSION_DAGENT_STR "7,1,3,39666" | |
| 58 | #define PROJECT_VERSION_PROFADMIN_STR "7,1,3,39666" | |
| 59 | #define PROJECT_VERSION_MONITOR_STR "7,1,3,39666" | |
| 60 | #define PROJECT_VERSION_PASSWD_STR "7,1,3,39666" | |
| 61 | #define PROJECT_VERSION_FBSYNCER_STR "7,1,3,39666" | |
| 62 | #define PROJECT_VERSION_SEARCH_STR "7,1,3,39666" | |
| 63 | #define PROJECT_VERSION_ARCHIVER_STR "7,1,3,39666" | |
| 64 | 64 | #define PROJECT_VERSION_DOT_STR "7.1.3" |
| 65 | 65 | #define PROJECT_SPECIALBUILD "beta" |
| 66 | #define PROJECT_SVN_REV_STR "39277" | |
| 66 | #define PROJECT_SVN_REV_STR "39666" | |
| 67 | 67 | #define PROJECT_VERSION_MAJOR 7 |
| 68 | 68 | #define PROJECT_VERSION_MINOR 1 |
| 69 | #define PROJECT_VERSION_REVISION 39277 | |
| 69 | #define PROJECT_VERSION_REVISION 39666 |
| 4122 | 4122 | </listitem> |
| 4123 | 4123 | </varlistentry> |
| 4124 | 4124 | |
| 4125 | <varlistentry> | |
| 4126 | <term><option>server_ssl_enable_v2</option></term> | |
| 4127 | <listitem> | |
| 4128 | <para>Incoming SSL connections normally are v3.</para> | |
| 4129 | <para>Default: <replaceable>no</replaceable> | |
| 4130 | </para> | |
| 4131 | </listitem> | |
| 4132 | </varlistentry> | |
| 4133 | ||
| 4125 | 4134 | </variablelist> |
| 4126 | 4135 | </refsection> |
| 4127 | 4136 | |
| 7939 | 7948 | <para>The path with the files to verify the clients |
| 7940 | 7949 | certificates with.</para> |
| 7941 | 7950 | <para>Default: value not set.</para> |
| 7951 | </listitem> | |
| 7952 | </varlistentry> | |
| 7953 | ||
| 7954 | <varlistentry> | |
| 7955 | <term><option>ssl_enable_v2</option></term> | |
| 7956 | <listitem> | |
| 7957 | <para>Accept SSLv2 only connections. SSLv2 is considered | |
| 7958 | unsafe, and these connections should not be | |
| 7959 | accepted.</para> | |
| 7960 | <para>Default: <replaceable>no</replaceable></para> | |
| 7942 | 7961 | </listitem> |
| 7943 | 7962 | </varlistentry> |
| 7944 | 7963 | |
| 9938 | 9957 | </varlistentry> |
| 9939 | 9958 | |
| 9940 | 9959 | <varlistentry> |
| 9960 | <term><option>ssl_enable_v2</option></term> | |
| 9961 | <listitem> | |
| 9962 | <para>Accept SSLv2 only connections. SSLv2 is considered | |
| 9963 | unsafe, and these connections should not be | |
| 9964 | accepted.</para> | |
| 9965 | <para>Default: <replaceable>no</replaceable></para> | |
| 9966 | </listitem> | |
| 9967 | </varlistentry> | |
| 9968 | ||
| 9969 | <varlistentry> | |
| 9941 | 9970 | <term><option>log_method</option></term> |
| 9942 | 9971 | <listitem> |
| 9943 | 9972 | <para>The method which should be used for logging. Valid |
| 303 | 303 | Default: value not set\&. |
| 304 | 304 | .RE |
| 305 | 305 | .PP |
| 306 | \fBssl_enable_v2\fR | |
| 307 | .RS 4 | |
| 308 | Accept SSLv2 only connections\&. SSLv2 is considered unsafe, and these connections should not be accepted\&. | |
| 309 | .sp | |
| 310 | Default: | |
| 311 | \fIno\fR | |
| 312 | .RE | |
| 313 | .PP | |
| 306 | 314 | \fBlog_method\fR |
| 307 | 315 | .RS 4 |
| 308 | 316 | The method which should be used for logging\&. Valid values are: |
| 198 | 198 | Default: value not set\&. |
| 199 | 199 | .RE |
| 200 | 200 | .PP |
| 201 | \fBssl_enable_v2\fR | |
| 202 | .RS 4 | |
| 203 | Accept SSLv2 only connections\&. SSLv2 is considered unsafe, and these connections should not be accepted\&. | |
| 204 | .sp | |
| 205 | Default: | |
| 206 | \fIno\fR | |
| 207 | .RE | |
| 208 | .PP | |
| 201 | 209 | \fBlog_method\fR |
| 202 | 210 | .RS 4 |
| 203 | 211 | The method which should be used for logging\&. Valid values are: |
| 545 | 545 | Default: |
| 546 | 546 | \fI/etc/zarafa/sslkeys\fR |
| 547 | 547 | .RE |
| 548 | .PP | |
| 549 | \fBserver_ssl_enable_v2\fR | |
| 550 | .RS 4 | |
| 551 | Incoming SSL connections normally are v3\&. | |
| 552 | .sp | |
| 553 | Default: | |
| 554 | \fIno\fR | |
| 555 | .RE | |
| 548 | 556 | .SH "EXPLANATION OF THE THREADING PARAMETERS" |
| 549 | 557 | .PP |
| 550 | 558 | \fBthreads\fR |
| 361 | 361 | { "ssl_verify_client", "no" }, |
| 362 | 362 | { "ssl_verify_file", "" }, |
| 363 | 363 | { "ssl_verify_path", "" }, |
| 364 | { "ssl_enable_v2", "no" }, | |
| 364 | 365 | { "log_method", "file" }, |
| 365 | 366 | { "log_file", "-" }, |
| 366 | 367 | { "log_level", "2", CONFIGSETTING_RELOADABLE }, |
| 74 | 74 | ssl_verify_file = |
| 75 | 75 | ssl_verify_path = |
| 76 | 76 | |
| 77 | # Accept SSLv2 only incoming connections | |
| 78 | ssl_enable_v2 = no | |
| 79 | ||
| 77 | 80 | # Process model, using pthreads (thread) or processes (fork) |
| 78 | 81 | process_model = fork |
| 79 | 82 |
| 65 | 65 | ssl_verify_file = |
| 66 | 66 | ssl_verify_path = |
| 67 | 67 | |
| 68 | # Accept SSLv2 only incoming connections | |
| 69 | ssl_enable_v2 = no | |
| 70 | ||
| 68 | 71 | ############################################################## |
| 69 | 72 | # OTHER ICAL SETTINGS |
| 70 | 73 |
| 152 | 152 | |
| 153 | 153 | # Path with CA certificates, e.g. /etc/ssl/certs |
| 154 | 154 | server_ssl_ca_path = |
| 155 | ||
| 156 | # Accept SSLv2 only connections. Normally v3 connections are used. | |
| 157 | server_ssl_enable_v2 = no | |
| 155 | 158 | |
| 156 | 159 | # Path of SSL Public keys of clients |
| 157 | 160 | sslkeys_path = /etc/zarafa/sslkeys |
| 133 | 133 | soap_set_omode(lpCmd->soap, iSoapoMode); |
| 134 | 134 | |
| 135 | 135 | lpCmd->endpoint = strdup(strServerPath.c_str()); |
| 136 | ||
| 137 | // override the gsoap default v23 method to the force safer v3 only method. | |
| 138 | lpCmd->soap->ctx = SSL_CTX_new(SSLv3_method()); | |
| 136 | 139 | |
| 137 | 140 | #ifdef WITH_OPENSSL |
| 138 | 141 | if (strncmp("https:", lpCmd->endpoint, 6) == 0) { |
| 887 | 887 | { "server_ssl_key_pass", "server", CONFIGSETTING_EXACT }, |
| 888 | 888 | { "server_ssl_ca_file", "/etc/zarafa/ssl/cacert.pem" }, |
| 889 | 889 | { "server_ssl_ca_path", "" }, |
| 890 | { "server_ssl_enable_v2", "no" }, | |
| 890 | 891 | { "sslkeys_path", "/etc/zarafa/sslkeys" }, // login keys |
| 891 | 892 | // Database options |
| 892 | 893 | { "database_engine", "mysql" }, |
| 268 | 268 | er = ZARAFA_E_CALL_FAILED; |
| 269 | 269 | goto exit; |
| 270 | 270 | } |
| 271 | ||
| 272 | // disable SSLv2 support | |
| 273 | if (!parseBool(m_lpConfig->GetSetting("server_ssl_enable_v2", "", "no"))) | |
| 274 | SSL_CTX_set_options(lpsSoap->ctx, SSL_OP_NO_SSLv2); | |
| 271 | 275 | |
| 272 | 276 | // request certificate from client, is OK if not present. |
| 273 | 277 | SSL_CTX_set_verify(lpsSoap->ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, NULL); |