Committing svn revision 39666: Merged [39537] [39539] [39631] : Fixes ZCP-11212
john
11 years ago
219 | 219 | { "log_timestamp", "1" }, |
220 | 220 | { "ssl_private_key_file", "/etc/zarafa/ical/privkey.pem" }, |
221 | 221 | { "ssl_certificate_file", "/etc/zarafa/ical/cert.pem" }, |
222 | { "ssl_enable_v2", "no" }, | |
222 | 223 | { "ssl_verify_client", "no" }, |
223 | 224 | { "ssl_verify_file", "" }, |
224 | 225 | { "ssl_verify_path", "" }, |
49 | 49 | #include "platform.h" |
50 | 50 | |
51 | 51 | #include "ECChannel.h" |
52 | #include "stringutil.h" | |
52 | 53 | #include <sys/types.h> |
53 | 54 | #include <sys/select.h> |
54 | 55 | #include <sys/socket.h> |
103 | 104 | |
104 | 105 | SSL_library_init(); |
105 | 106 | SSL_load_error_strings(); |
106 | lpCTX = SSL_CTX_new(SSLv23_server_method()); | |
107 | if (parseBool(lpConfig->GetSetting("ssl_enable_v2", "", "no"))) | |
108 | lpCTX = SSL_CTX_new(SSLv23_server_method()); | |
109 | else | |
110 | lpCTX = SSL_CTX_new(SSLv3_server_method()); | |
107 | 111 | SSL_CTX_set_options(lpCTX, SSL_OP_ALL); |
108 | 112 | SSL_CTX_set_default_verify_paths(lpCTX); |
109 | 113 |
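Review bot: Pinning the context to `SSLv3_server_method()` when ssl_enable_v2 is off (the else branch, old line 110) restricts the listener to SSL 3.0 exclusively — OpenSSL's version-specific methods do not negotiate upward, so TLS 1.0+ clients are refused and the service is held at the weakest protocol still allowed, which is the opposite of what the option intends. The server-side hunk in this same commit does it the right way with the version-flexible method plus an option bit: `lpCTX = SSL_CTX_new(SSLv23_server_method()); if (!parseBool(lpConfig->GetSetting("ssl_enable_v2", "", "no"))) SSL_CTX_set_options(lpCTX, SSL_OP_NO_SSLv2);`. Either way `lpCTX` is handed to `SSL_CTX_set_options` on the next line without a NULL check, and `SSL_CTX_new` can fail. Note also that with "yes" the SSLv23 method accepts v2, v3 and TLS, so the "SSLv2 only" wording used for this option in the docs and config comments is inaccurate in both states. The enclosing function starts and ends outside the hunk.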
79 | 79 | void ssl_threading_setup() { |
80 | 80 | if (ssl_locks) |
81 | 81 | return; |
82 | pthread_mutexattr_t mattr; | |
83 | // make recursive, because of openssl bug http://rt.openssl.org/Ticket/Display.html?id=2813&user=guest&pass=guest | |
84 | pthread_mutexattr_init(&mattr); | |
85 | pthread_mutexattr_settype(&mattr, PTHREAD_MUTEX_RECURSIVE); | |
82 | 86 | ssl_locks = new pthread_mutex_t[CRYPTO_num_locks()]; |
83 | 87 | for (int i=0; i < CRYPTO_num_locks(); i++) |
84 | pthread_mutex_init(&ssl_locks[i], NULL); | |
88 | pthread_mutex_init(&ssl_locks[i], &mattr); | |
85 | 89 | CRYPTO_set_locking_callback(ssl_lock); |
86 | 90 | // no need to set on win32 (or maybe use GetCurrentThreadId) |
87 | 91 | CRYPTO_set_id_callback(ssl_id_function); |
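Review bot: `mattr` is initialised on old line 84 but never released; a `pthread_mutexattr_destroy(&mattr);` should follow the init loop (after new line 88), since the attribute object is not needed once the mutexes exist. Recursive mutexes work around the referenced OpenSSL re-entrancy ticket, but they also hide a genuine double-lock in any callback of our own, so it is worth saying so next to the existing comment: `// NOTE: recursive locks also mask real double-locking in our own callbacks`. `ssl_threading_setup` continues past the hunk.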
46 | 46 | * |
47 | 47 | */ |
48 | 48 | |
49 | #define PROJECT_VERSION_SERVER 7,1,3,39277 | |
50 | #define PROJECT_VERSION_SERVER_STR "7,1,3,39277" | |
51 | #define PROJECT_VERSION_CLIENT 7,1,3,39277 | |
52 | #define PROJECT_VERSION_CLIENT_STR "7,1,3,39277" | |
53 | #define PROJECT_VERSION_EXT_STR "7,1,3,39277" | |
54 | #define PROJECT_VERSION_SPOOLER_STR "7,1,3,39277" | |
55 | #define PROJECT_VERSION_GATEWAY_STR "7,1,3,39277" | |
56 | #define PROJECT_VERSION_CALDAV_STR "7,1,3,39277" | |
57 | #define PROJECT_VERSION_DAGENT_STR "7,1,3,39277" | |
58 | #define PROJECT_VERSION_PROFADMIN_STR "7,1,3,39277" | |
59 | #define PROJECT_VERSION_MONITOR_STR "7,1,3,39277" | |
60 | #define PROJECT_VERSION_PASSWD_STR "7,1,3,39277" | |
61 | #define PROJECT_VERSION_FBSYNCER_STR "7,1,3,39277" | |
62 | #define PROJECT_VERSION_SEARCH_STR "7,1,3,39277" | |
63 | #define PROJECT_VERSION_ARCHIVER_STR "7,1,3,39277" | |
49 | #define PROJECT_VERSION_SERVER 7,1,3,39666 | |
50 | #define PROJECT_VERSION_SERVER_STR "7,1,3,39666" | |
51 | #define PROJECT_VERSION_CLIENT 7,1,3,39666 | |
52 | #define PROJECT_VERSION_CLIENT_STR "7,1,3,39666" | |
53 | #define PROJECT_VERSION_EXT_STR "7,1,3,39666" | |
54 | #define PROJECT_VERSION_SPOOLER_STR "7,1,3,39666" | |
55 | #define PROJECT_VERSION_GATEWAY_STR "7,1,3,39666" | |
56 | #define PROJECT_VERSION_CALDAV_STR "7,1,3,39666" | |
57 | #define PROJECT_VERSION_DAGENT_STR "7,1,3,39666" | |
58 | #define PROJECT_VERSION_PROFADMIN_STR "7,1,3,39666" | |
59 | #define PROJECT_VERSION_MONITOR_STR "7,1,3,39666" | |
60 | #define PROJECT_VERSION_PASSWD_STR "7,1,3,39666" | |
61 | #define PROJECT_VERSION_FBSYNCER_STR "7,1,3,39666" | |
62 | #define PROJECT_VERSION_SEARCH_STR "7,1,3,39666" | |
63 | #define PROJECT_VERSION_ARCHIVER_STR "7,1,3,39666" | |
64 | 64 | #define PROJECT_VERSION_DOT_STR "7.1.3" |
65 | 65 | #define PROJECT_SPECIALBUILD "beta" |
66 | #define PROJECT_SVN_REV_STR "39277" | |
66 | #define PROJECT_SVN_REV_STR "39666" | |
67 | 67 | #define PROJECT_VERSION_MAJOR 7 |
68 | 68 | #define PROJECT_VERSION_MINOR 1 |
69 | #define PROJECT_VERSION_REVISION 39277 | |
69 | #define PROJECT_VERSION_REVISION 39666 |
4122 | 4122 | </listitem> |
4123 | 4123 | </varlistentry> |
4124 | 4124 | |
4125 | <varlistentry> | |
4126 | <term><option>server_ssl_enable_v2</option></term> | |
4127 | <listitem> | |
4128 | <para>Incoming SSL connections normally are v3.</para> | |
4129 | <para>Default: <replaceable>no</replaceable> | |
4130 | </para> | |
4131 | </listitem> | |
4132 | </varlistentry> | |
4133 | ||
4125 | 4134 | </variablelist> |
4126 | 4135 | </refsection> |
4127 | 4136 | |
7939 | 7948 | <para>The path with the files to verify the clients |
7940 | 7949 | certificates with.</para> |
7941 | 7950 | <para>Default: value not set.</para> |
7951 | </listitem> | |
7952 | </varlistentry> | |
7953 | ||
7954 | <varlistentry> | |
7955 | <term><option>ssl_enable_v2</option></term> | |
7956 | <listitem> | |
7957 | <para>Accept SSLv2 only connections. SSLv2 is considered | |
7958 | unsafe, and these connections should not be | |
7959 | accepted.</para> | |
7960 | <para>Default: <replaceable>no</replaceable></para> | |
7942 | 7961 | </listitem> |
7943 | 7962 | </varlistentry> |
7944 | 7963 | |
9938 | 9957 | </varlistentry> |
9939 | 9958 | |
9940 | 9959 | <varlistentry> |
9960 | <term><option>ssl_enable_v2</option></term> | |
9961 | <listitem> | |
9962 | <para>Accept SSLv2 only connections. SSLv2 is considered | |
9963 | unsafe, and these connections should not be | |
9964 | accepted.</para> | |
9965 | <para>Default: <replaceable>no</replaceable></para> | |
9966 | </listitem> | |
9967 | </varlistentry> | |
9968 | ||
9969 | <varlistentry> | |
9941 | 9970 | <term><option>log_method</option></term> |
9942 | 9971 | <listitem> |
9943 | 9972 | <para>The method which should be used for logging. Valid |
303 | 303 | Default: value not set\&. |
304 | 304 | .RE |
305 | 305 | .PP |
306 | \fBssl_enable_v2\fR | |
307 | .RS 4 | |
308 | Accept SSLv2 only connections\&. SSLv2 is considered unsafe, and these connections should not be accepted\&. | |
309 | .sp | |
310 | Default: | |
311 | \fIno\fR | |
312 | .RE | |
313 | .PP | |
306 | 314 | \fBlog_method\fR |
307 | 315 | .RS 4 |
308 | 316 | The method which should be used for logging\&. Valid values are: |
198 | 198 | Default: value not set\&. |
199 | 199 | .RE |
200 | 200 | .PP |
201 | \fBssl_enable_v2\fR | |
202 | .RS 4 | |
203 | Accept SSLv2 only connections\&. SSLv2 is considered unsafe, and these connections should not be accepted\&. | |
204 | .sp | |
205 | Default: | |
206 | \fIno\fR | |
207 | .RE | |
208 | .PP | |
201 | 209 | \fBlog_method\fR |
202 | 210 | .RS 4 |
203 | 211 | The method which should be used for logging\&. Valid values are: |
545 | 545 | Default: |
546 | 546 | \fI/etc/zarafa/sslkeys\fR |
547 | 547 | .RE |
548 | .PP | |
549 | \fBserver_ssl_enable_v2\fR | |
550 | .RS 4 | |
551 | Incoming SSL connections normally are v3\&. | |
552 | .sp | |
553 | Default: | |
554 | \fIno\fR | |
555 | .RE | |
548 | 556 | .SH "EXPLANATION OF THE THREADING PARAMETERS" |
549 | 557 | .PP |
550 | 558 | \fBthreads\fR |
361 | 361 | { "ssl_verify_client", "no" }, |
362 | 362 | { "ssl_verify_file", "" }, |
363 | 363 | { "ssl_verify_path", "" }, |
364 | { "ssl_enable_v2", "no" }, | |
364 | 365 | { "log_method", "file" }, |
365 | 366 | { "log_file", "-" }, |
366 | 367 | { "log_level", "2", CONFIGSETTING_RELOADABLE }, |
74 | 74 | ssl_verify_file = |
75 | 75 | ssl_verify_path = |
76 | 76 | |
77 | # Accept SSLv2 only incoming connections | |
78 | ssl_enable_v2 = no | |
79 | ||
77 | 80 | # Process model, using pthreads (thread) or processes (fork) |
78 | 81 | process_model = fork |
79 | 82 |
65 | 65 | ssl_verify_file = |
66 | 66 | ssl_verify_path = |
67 | 67 | |
68 | # Accept SSLv2 only incoming connections | |
69 | ssl_enable_v2 = no | |
70 | ||
68 | 71 | ############################################################## |
69 | 72 | # OTHER ICAL SETTINGS |
70 | 73 |
152 | 152 | |
153 | 153 | # Path with CA certificates, e.g. /etc/ssl/certs |
154 | 154 | server_ssl_ca_path = |
155 | ||
156 | # Accept SSLv2 only connections. Normally v3 connections are used. | |
157 | server_ssl_enable_v2 = no | |
155 | 158 | |
156 | 159 | # Path of SSL Public keys of clients |
157 | 160 | sslkeys_path = /etc/zarafa/sslkeys |
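Review bot: The comment on new line 156 is misleading: judging by the server code in this commit, which sets `SSL_OP_NO_SSLv2` on an otherwise version-flexible context unless this option is "yes", turning it on re-enables SSLv2 *alongside* SSLv3/TLS rather than accepting "SSLv2 only", and "normally v3" understates that TLS is negotiated too. A wording that matches the behaviour and warns the admin would be `# Also accept SSLv2 clients (in addition to SSLv3/TLS). SSLv2 is broken; leave this at "no".`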
133 | 133 | soap_set_omode(lpCmd->soap, iSoapoMode); |
134 | 134 | |
135 | 135 | lpCmd->endpoint = strdup(strServerPath.c_str()); |
136 | ||
137 | // override the gsoap default v23 method to the force safer v3 only method. | |
138 | lpCmd->soap->ctx = SSL_CTX_new(SSLv3_method()); | |
136 | 139 | |
137 | 140 | #ifdef WITH_OPENSSL |
138 | 141 | if (strncmp("https:", lpCmd->endpoint, 6) == 0) { |
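Review bot: `SSL_CTX_new(SSLv3_method())` on new line 138 is not a "safer v3 only" choice: OpenSSL's `SSLv3_method()` speaks SSL 3.0 exclusively, so this client can no longer negotiate TLS 1.0 or later with the server and is pinned to the weakest protocol left. Dropping SSLv2 is what the server-side hunk of this commit does with the flexible method, and the same two lines work here: `lpCmd->soap->ctx = SSL_CTX_new(SSLv23_method()); SSL_CTX_set_options(lpCmd->soap->ctx, SSL_OP_NO_SSLv2);`. The assignment also sits before the `#ifdef WITH_OPENSSL` on new line 140, so a build without OpenSSL references `soap->ctx` and the OpenSSL API unconditionally — it belongs inside that block, with the `SSL_CTX_new` result checked before use. Whether gsoap had already allocated a context at this point is not visible here; if it had, the unconditional assignment leaks it. The enclosing function starts and ends outside the hunk.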
887 | 887 | { "server_ssl_key_pass", "server", CONFIGSETTING_EXACT }, |
888 | 888 | { "server_ssl_ca_file", "/etc/zarafa/ssl/cacert.pem" }, |
889 | 889 | { "server_ssl_ca_path", "" }, |
890 | { "server_ssl_enable_v2", "no" }, | |
890 | 891 | { "sslkeys_path", "/etc/zarafa/sslkeys" }, // login keys |
891 | 892 | // Database options |
892 | 893 | { "database_engine", "mysql" }, |
268 | 268 | er = ZARAFA_E_CALL_FAILED; |
269 | 269 | goto exit; |
270 | 270 | } |
271 | ||
272 | // disable SSLv2 support | |
273 | if (!parseBool(m_lpConfig->GetSetting("server_ssl_enable_v2", "", "no"))) | |
274 | SSL_CTX_set_options(lpsSoap->ctx, SSL_OP_NO_SSLv2); | |
271 | 275 | |
272 | 276 | // request certificate from client, is OK if not present. |
273 | 277 | SSL_CTX_set_verify(lpsSoap->ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, NULL); |
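Review bot: The guard on new line 273 reads inverted against its comment on line 272 — the option bit is added only when the setting is false, so "disable SSLv2 support" next to `if (!parseBool(...))` costs the reader a double negative. A comment that states the default behaviour fixes that: `// the SSLv23 context still speaks SSLv2; refuse it unless server_ssl_enable_v2 is explicitly "yes"`. This hunk is the right pattern (version-flexible context plus `SSL_OP_NO_SSLv2`); the other two SSL-context hunks in this commit pin a version-specific method instead and should mirror this one. The enclosing function starts and ends outside the hunk.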