diff options
-rw-r--r-- | lib/ssl.man | 6 | ||||
-rw-r--r-- | lib/stream-ssl.c | 22 |
2 files changed, 22 insertions, 6 deletions
diff --git a/lib/ssl.man b/lib/ssl.man index 63f56d5ff..5f0215c01 100644 --- a/lib/ssl.man +++ b/lib/ssl.man @@ -22,3 +22,9 @@ should use to verify certificates presented to it by SSL peers. (This may be the same certificate that SSL peers use to verify the certificate specified on \fB\-c\fR or \fB\-\-certificate\fR, or it may be a different one, depending on the PKI design in use.) +. +.IP "\fB\-C none\fR" +.IQ "\fB\-\-ca\-cert=none\fR" +Disables verification of certificates presented by SSL peers. This +introduces a security risk, because it means that certificates cannot +be verified to be those of known trusted hosts. diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c index 830b482f4..153357cd7 100644 --- a/lib/stream-ssl.c +++ b/lib/stream-ssl.c @@ -141,6 +141,11 @@ static struct ssl_config_file private_key; static struct ssl_config_file certificate; static struct ssl_config_file ca_cert; +/* Ordinarily, the SSL client and server verify each other's certificates using + * a CA certificate. Setting this to false disables this behavior. (This is a + * security risk.) */ +static bool verify_peer_cert = true; + /* Ordinarily, we require a CA certificate for the peer to be locally * available. We can, however, bootstrap the CA certificate from the peer at * the beginning of our first connection then use that certificate on all @@ -204,7 +209,7 @@ new_ssl_stream(const char *name, int fd, enum session_type type, VLOG_ERR("Certificate must be configured to use SSL"); retval = ENOPROTOOPT; } - if (!ca_cert.read && !bootstrap_ca_cert) { + if (!ca_cert.read && verify_peer_cert && !bootstrap_ca_cert) { VLOG_ERR("CA certificate must be configured to use SSL"); retval = ENOPROTOOPT; } @@ -243,7 +248,7 @@ new_ssl_stream(const char *name, int fd, enum session_type type, retval = ENOPROTOOPT; goto error; } - if (bootstrap_ca_cert && type == CLIENT) { + if (!verify_peer_cert || (bootstrap_ca_cert && type == CLIENT)) { SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL); } @@ -425,9 +430,10 @@ ssl_connect(struct stream *stream) } } else if (bootstrap_ca_cert) { return do_ca_cert_bootstrap(stream); - } else if ((SSL_get_verify_mode(sslv->ssl) - & (SSL_VERIFY_NONE | SSL_VERIFY_PEER)) - != SSL_VERIFY_PEER) { + } else if (verify_peer_cert + && ((SSL_get_verify_mode(sslv->ssl) + & (SSL_VERIFY_NONE | SSL_VERIFY_PEER)) + != SSL_VERIFY_PEER)) { /* Two or more SSL connections completed at the same time while we * were in bootstrap mode. Only one of these can finish the * bootstrap successfully. The other one(s) must be rejected @@ -1106,7 +1112,11 @@ stream_ssl_set_ca_cert_file__(const char *file_name, bool bootstrap) size_t n_certs; struct stat s; - if (bootstrap && stat(file_name, &s) && errno == ENOENT) { + if (!strcmp(file_name, "none")) { + verify_peer_cert = false; + VLOG_WARN("Peer certificate validation disabled " + "(this is a security risk)"); + } else if (bootstrap && stat(file_name, &s) && errno == ENOENT) { bootstrap_ca_cert = true; } else if (!read_cert_file(file_name, &certs, &n_certs)) { size_t i; |