[jira] [Comment Edited] (SERF-179) Add CAFILE, CAPATH, CAFALLBACK as compile time option

2016-06-24 Thread Bert Huijben (JIRA)

[ 
https://issues.apache.org/jira/browse/SERF-179?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15348073#comment-15348073
 ] 

Bert Huijben edited comment on SERF-179 at 6/24/16 9:46 AM:


I don't think we should require recompiling to change settings like these. We 
already have APIs for applying these settings, so applications can expose these 
options in their own config file. We also have a function to enable loading the 
OpenSSL (or other SSL implementation, if you choose) default CA settings.

Applications like Subversion already use these features. 

And at least FreeBSD and Ubuntu (including Ubuntu on Windows) configure 
Subversion so that I don't have to accept servers manually, using their managed 
lists with the current support.


was (Author: rhuijben):
I don't think we should require recompiling to change settings like these. We 
already have APIs for changing these, so applications can expose these options 
in their config file. We also have a function to enable loading the OpenSSL (or 
other SSL implementation, if you choose) default CA settings.

Applications like Subversion already use these features. 

And at least FreeBSD and Ubuntu (including Ubuntu on Windows) configure 
Subversion so that I don't have to accept servers manually, using their managed 
lists with the current support.

> Add CAFILE, CAPATH, CAFALLBACK as compile time option
> -
>
> Key: SERF-179
> URL: https://issues.apache.org/jira/browse/SERF-179
> Project: serf
>  Issue Type: Improvement
>Affects Versions: serf-1.3.8
>Reporter: Michael Osipov
>
> Currently, libserf does not provide an option to supply a PEM bundle with 
> CAs. Subversion always nags whether the target host can be trusted. This is 
> annoying and can be automated.
> Add three options supported by OpenSSL natively:
> * {{scons CAFILE=/path/to/ca.pem}}
> * {{scons CAPATH=/path/to/directory-with-pems}}
> * {{scons CAFALLBACK=yes}}
> Three defines can be added then: {{SERF_CA_BUNDLE}},  {{SERF_CA_PATH}} and 
> {{SERF_CA_FALLBACK}}. This can be safely fed into 
> {{SSL_CTX_load_verify_locations(3)}} and 
> {{SSL_CTX_set_default_verify_paths(3)}}. [OpenSSL 
> reference|https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_load_verify_locations.html].
> This idea has freely been taken from {{libcurl}} which does this exactly.
> * [bundle and path m4 
> macros|https://github.com/curl/curl/blob/d9f3b365a3b663d6e45ff734a86b313e2fbcbbf2/acinclude.m4#L2560-L2719]
> * [Source code 
> spots|https://github.com/curl/curl/blob/master/lib/vtls/openssl.c#L1967-L2009]



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
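The issue description above proposes feeding SERF_CA_BUNDLE, SERF_CA_PATH and 
SERF_CA_FALLBACK into SSL_CTX_load_verify_locations(3) and 
SSL_CTX_set_default_verify_paths(3), and the reply argues that the OpenSSL 
defaults are the platform maintainer's job. The Python block below is an added 
example, not serf's or Subversion's code: it walks the same resolution order 
through the ssl module, whose load_verify_locations() and 
set_default_verify_paths() wrap exactly those two OpenSSL calls, and adds the 
check a maintainer wants before anything else, namely whether the OpenSSL 
build's compiled-in default cafile/capath actually exist on this host. The 
function names (build_verify_context, describe_context, default_trust_report) 
are this example's own.

```python
import os
import ssl


def build_verify_context(cafile=None, capath=None, fallback=True):
    """Mirror of the proposed SERF_CA_BUNDLE / SERF_CA_PATH / SERF_CA_FALLBACK
    handling (added example, not serf's code).

    SSLContext.load_verify_locations() wraps SSL_CTX_load_verify_locations(3);
    SSLContext.set_default_verify_paths() wraps SSL_CTX_set_default_verify_paths(3).
    Returns the context and the list of trust sources applied, in order.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED   # same intent as serf's SSL_VERIFY_PEER
    ctx.check_hostname = True
    applied = []
    if cafile or capath:
        # A missing cafile raises FileNotFoundError here: the same failed
        # open() that an strace/truss run on the client would show.
        ctx.load_verify_locations(cafile=cafile, capath=capath)
        applied.append(("explicit", cafile, capath))
    if fallback:
        # OpenSSL's X509_STORE_set_default_paths() ignores a missing default
        # bundle and reports success, so this never raises; check ca_count.
        ctx.set_default_verify_paths()
        applied.append(("openssl-default", None, None))
    return ctx, applied


def describe_context(ctx):
    """Summarise what the context enforces and how many CA certs it holds."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "ca_count": ctx.cert_store_stats()["x509_ca"],
    }


def default_trust_report():
    """Where this OpenSSL build looks for CAs when asked for its defaults, and
    whether those locations exist.  compiled_* is what was baked in at OpenSSL
    build time (relative to OPENSSLDIR); effective_* honours the SSL_CERT_FILE
    / SSL_CERT_DIR environment overrides and is None when the path is absent.
    A bundle a package installs somewhere else helps only if one of these
    points at it.
    """
    d = ssl.get_default_verify_paths()
    return {
        "compiled_cafile": d.openssl_cafile,
        "compiled_cafile_exists": os.path.isfile(d.openssl_cafile),
        "compiled_capath": d.openssl_capath,
        "compiled_capath_exists": os.path.isdir(d.openssl_capath),
        "cafile_env": d.openssl_cafile_env,
        "capath_env": d.openssl_capath_env,
        "effective_cafile": d.cafile,
        "effective_capath": d.capath,
    }


if __name__ == "__main__":
    for key, value in default_trust_report().items():
        print(f"{key:24} {value}")
    ctx, applied = build_verify_context(fallback=True)
    print("applied:", applied)
    print("context:", describe_context(ctx))
```

Two behaviours matter when reading the output: a missing explicit bundle fails 
loudly (FileNotFoundError from the failed open()), whereas 
SSL_CTX_set_default_verify_paths(3) reports success even when the compiled-in 
bundle does not exist, so a defaults-only setup can end up with zero CAs in the 
store and every server looks untrusted. cert_store_stats()['x509_ca'] tells the 
two cases apart before reaching for strace or truss.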


[jira] [Comment Edited] (SERF-179) Add CAFILE, CAPATH, CAFALLBACK as compile time option

2016-06-24 Thread Michael Osipov (JIRA)

[ 
https://issues.apache.org/jira/browse/SERF-179?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15348182#comment-15348182
 ] 

Michael Osipov edited comment on SERF-179 at 6/24/16 12:14 PM:
---

Bert, this would be effective if this compile flag is not overridden by the 
user by some means. At least on FreeBSD serf is compiled without that, but 
{{ca_root_nss}} is available. This is a bad user experience. One should have to 
configure as little as possible. I noticed this when we recently refreshed 
our server certificate.
E.g., curl works out of the box on our FreeBSD and RHEL machines because at 
compile time the default CA bundle is passed.

This option is solely interesting for OS/distro maintainers and admins. Not 
really for users; they can still stick to the higher-level conf and override it.


was (Author: michael-o):
Bert, this would be effective if this option is not overridden by the user by 
some means. At least on FreeBSD serf is compiled without that, but 
{{ca_root_nss}} is available. This is a bad user experience. One should have to 
configure as little as possible. I noticed this when we recently refreshed 
our server certificate.
E.g., curl works out of the box on our FreeBSD and RHEL machines because at 
compile time the default CA bundle is passed.

This option is solely interesting for OS/distro maintainers and admins. Not 
really for users; they can still stick to the higher-level conf and override it.



[jira] [Comment Edited] (SERF-179) Add CAFILE, CAPATH, CAFALLBACK as compile time option

2016-06-24 Thread Michael Osipov (JIRA)

[ 
https://issues.apache.org/jira/browse/SERF-179?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15348182#comment-15348182
 ] 

Michael Osipov edited comment on SERF-179 at 6/24/16 12:20 PM:
---

Bert, this would be effective if this compile flag is not overridden by the 
user by some means. At least on FreeBSD serf is compiled without that, but 
{{ca_root_nss}} is available. This is a bad user experience. One should have to 
configure as little as possible. I noticed this when we recently refreshed 
our server certificate.
E.g., curl works out of the box on our FreeBSD and RHEL machines because at 
compile time the default CA bundle is passed.

This option is solely interesting for OS/distro maintainers and admins. Not 
really for users; they can still stick to the higher-level conf and override it.

I also fail to see where one can pass this option:

{noformat}
osipovmi@blnn719x:~/Projekte/serf/buckets$ fgrep -R SSL_CTX_ . | less
./ssl_buckets.c:ssl_ctx->ctx = SSL_CTX_new(SSLv23_client_method());
./ssl_buckets.c:SSL_CTX_set_options(ssl_ctx->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
./ssl_buckets.c:SSL_CTX_set_mode(ssl_ctx->ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
./ssl_buckets.c:SSL_CTX_set_client_cert_cb(ssl_ctx->ctx, ssl_need_client_cert);
./ssl_buckets.c:SSL_CTX_set_verify(ssl_ctx->ctx, SSL_VERIFY_PEER,
./ssl_buckets.c:SSL_CTX_set_options(ssl_ctx->ctx, SSL_OP_ALL);
./ssl_buckets.c:SSL_CTX_sess_set_new_cb(ssl_ctx->ctx, ssl_new_session);
./ssl_buckets.c:SSL_CTX_set_info_callback(ssl_ctx->ctx, apps_ssl_info_callback);
./ssl_buckets.c:SSL_CTX_free(ssl_ctx->ctx);
./ssl_buckets.c:X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx->ctx);
./ssl_buckets.c:X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx->ctx);
./ssl_buckets.c:X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx->ctx);
./ssl_buckets.c:store = SSL_CTX_get_cert_store(ssl_ctx->ctx);
./ssl_buckets.c:SSL_CTX_set_tlsext_status_cb(ssl_ctx->ctx, ocsp_callback);
./ssl_buckets.c:SSL_CTX_set_tlsext_status_arg(ssl_ctx->ctx, ssl_ctx);
./ssl_buckets.c:SSL_CTX_set_options(ssl_ctx->ctx, SSL_OP_NO_COMPRESSION);
./ssl_buckets.c:SSL_CTX_set_info_callback(ssl_ctx->ctx, detect_renegotiate);
{noformat}



was (Author: michael-o):
Bert, this would be effective if this compile flag is not overridden by the 
user by some means. At least on FreeBSD serf is compiled without that, but 
{{ca_root_nss}} is available. This is a bad user experience. One should have to 
configure as little as possible. I noticed this when we recently refreshed 
our server certificate.
E.g., curl works out of the box on our FreeBSD and RHEL machines because at 
compile time the default CA bundle is passed.

This option is solely interesting for OS/distro maintainers and admins. Not 
really for users; they can still stick to the higher-level conf and override it.



[jira] [Comment Edited] (SERF-179) Add CAFILE, CAPATH, CAFALLBACK as compile time option

2016-06-24 Thread Bert Huijben (JIRA)

[ 
https://issues.apache.org/jira/browse/SERF-179?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15348206#comment-15348206
 ] 

Bert Huijben edited comment on SERF-179 at 6/24/16 12:42 PM:
-

An application can call serf_ssl_use_default_certificates() (as Subversion 
does, unless you explicitly configure in its config file that it shouldn't). 
This makes serf ask OpenSSL to use the default config, which should have been 
configured by the platform maintainer.

I'm not a platform maintainer, but if I were one I would rather configure this 
once for OpenSSL than separately for every application that uses OpenSSL.

On FreeBSD the 'ca_root_nss' package maintains a set of root certificates in a 
way that they are directly handled by OpenSSL, and via that path Subversion.


was (Author: rhuijben):
An application can call serf_ssl_use_default_certificates() (as Subversion 
does, unless you explicitly configure in its config file that it shouldn't). 
This makes serf ask OpenSSL to use the default config, which should have been 
configured by the platform maintainer.

I'm not a platform maintainer, but if I were one I would rather configure this 
once for OpenSSL than separately for every application that uses OpenSSL.

On FreeBSD the 'ca_root_nss' package maintains a set of root certificates in a 
way that they are directly handled by OpenSSL, and -via that path- Subversion.



[jira] [Comment Edited] (SERF-179) Add CAFILE, CAPATH, CAFALLBACK as compile time option

2016-06-24 Thread Michael Osipov (JIRA)

[ 
https://issues.apache.org/jira/browse/SERF-179?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15348228#comment-15348228
 ] 

Michael Osipov edited comment on SERF-179 at 6/24/16 1:04 PM:
--

Just checked the function and it uses {{X509_STORE_set_default_paths}}, and it 
seems that this function is not publicly documented in the OpenSSL manmaster.

Something seems to be fishy here. I will try with serf from trunk and 
{{strace}} whether an {{fopen}} is really performed on that file. There must be 
some reason why Subversion tells me that it does not trust my cert. Though, I 
would swap the internal X509 call with 
[{{SSL_CTX_set_default_verify_paths}}|https://github.com/openssl/openssl/blob/f430ba31ac81f27f0014320fee335d2dc4562a95/ssl/ssl_lib.c#L3351-L3353].

I will get back to you as soon as possible.


was (Author: michael-o):
Just checked the function and it uses {{X509_STORE_set_default_paths}}, and it 
seems that this function is not publicly documented in the OpenSSL manmaster.

Something seems to be fishy here. I will try with serf from trunk and 
{{strace}} whether an {{fopen}} is really performed on that file. There must be 
some reason why Subversion tells me that it does not trust my cert. Though, I 
would swap the internal X509 call with 
[{{SSL_CTX_set_default_verify_paths}}](https://github.com/openssl/openssl/blob/f430ba31ac81f27f0014320fee335d2dc4562a95/ssl/ssl_lib.c#L3351-L3353).

I will get back to you as soon as possible.



[jira] [Comment Edited] (SERF-179) Add CAFILE, CAPATH, CAFALLBACK as compile time option

2016-06-24 Thread Michael Osipov (JIRA)

[ 
https://issues.apache.org/jira/browse/SERF-179?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15348270#comment-15348270
 ] 

Michael Osipov edited comment on SERF-179 at 6/24/16 1:41 PM:
--

I just tried tag 1.3.8 and Subversion 1.9.3 from ports. Yes, the default PEM 
file is loaded, and so is the file from {{servers}} ({{ssl-authority-files = 
/usr/local/share/certs/ca-root-nss.crt}}), but Subversion still nags me about 
the invalid certificate. Even {{ssl-trust-default-ca = yes}} does not help.

Shall I close this issue and create a new one with serf, or mail 
users@subversion.a.o? I can provide {{truss}} output for both cases.


was (Author: michael-o):
I just tried tag 1.3.8 from trunk and Subversion 1.9.3 from ports. Yes, the 
default PEM file is loaded, and so is the file from {{servers}} 
({{ssl-authority-files = /usr/local/share/certs/ca-root-nss.crt}}), but 
Subversion still nags me about the invalid certificate. Even 
{{ssl-trust-default-ca = yes}} does not help.

Shall I close this issue and create a new one with serf, or mail 
users@subversion.a.o? I can provide {{truss}} output for both cases.

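The last message reports that both the default PEM bundle and the file named 
by ssl-authority-files in the Subversion {{servers}} file were loaded, yet the 
server was still rejected, and offers truss output to prove it. The Python 
block below is an added example, not Subversion's or serf's code: it resolves 
which ssl-authority-files and ssl-trust-default-ca values apply to a given host 
from a constructed {{servers}} file, feeds them into an OpenSSL-backed context 
and reports which bundles were actually opened and how many CA certificates 
ended up in the store. The option names and the semicolon-separated file list 
are Subversion's; the sample file, the group matching (case-insensitive 
fnmatch, first match wins) and the function names are assumptions of this 
example.

```python
import configparser
import fnmatch
import os
import ssl

# Constructed sample of a Subversion `servers` file for this example; it is
# not the reporter's real file.  [groups] maps a group name to comma-separated
# host patterns, a section per group carries that group's options, and
# [global] supplies the defaults.
SERVERS_SAMPLE = """\
[groups]
corp = *.example.com, svn.example.net

[corp]
ssl-authority-files = /usr/local/share/certs/ca-root-nss.crt;/etc/ssl/corp-ca.pem
ssl-trust-default-ca = no

[global]
ssl-trust-default-ca = yes
"""

TRUE_WORDS = {"yes", "true", "on", "1"}


def effective_ssl_settings(servers_text, host):
    """Resolve which ssl-authority-files / ssl-trust-default-ca apply to host.

    Group matching is a case-insensitive fnmatch with first match winning;
    that approximates Subversion's behaviour and is an assumption here.
    """
    cp = configparser.RawConfigParser(delimiters=("=",), comment_prefixes=("#",))
    cp.optionxform = str            # keep option and group names as written
    cp.read_string(servers_text)
    settings = dict(cp.items("global")) if cp.has_section("global") else {}
    matched = None
    if cp.has_section("groups"):
        for group, patterns in cp.items("groups"):
            if any(fnmatch.fnmatch(host.lower(), p.strip().lower())
                   for p in patterns.split(",")):
                matched = group
                if cp.has_section(group):
                    settings.update(cp.items(group))   # group overrides global
                break
    files = [f.strip() for f in settings.get("ssl-authority-files", "").split(";")
             if f.strip()]
    trust = settings.get("ssl-trust-default-ca", "no").strip().lower() in TRUE_WORDS
    return {"group": matched, "authority_files": files, "trust_default_ca": trust}


def apply_to_context(settings):
    """Feed the resolved settings into an OpenSSL-backed context and report
    what was actually loaded.  The os.path.isfile check stands in for the
    truss/strace confirmation that the bundle is really opened; note that
    set_default_verify_paths() (SSL_CTX_set_default_verify_paths(3)) never
    fails on a missing default bundle, it just leaves the store empty.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    loaded, missing = [], []
    for path in settings["authority_files"]:
        if not os.path.isfile(path):
            missing.append(path)
            continue
        ctx.load_verify_locations(cafile=path)   # SSL_CTX_load_verify_locations(3)
        loaded.append(path)
    if settings["trust_default_ca"]:
        ctx.set_default_verify_paths()
    return {
        "loaded": loaded,
        "missing": missing,
        "trust_default_ca": settings["trust_default_ca"],
        "ca_count": ctx.cert_store_stats()["x509_ca"],
    }


if __name__ == "__main__":
    for host in ("svn.example.com", "svn.example.net", "other.example.org"):
        resolved = effective_ssl_settings(SERVERS_SAMPLE, host)
        print(host, resolved, apply_to_context(resolved))
```

If a host resolves to authority files that show up under missing, or to 
trust_default_ca with ca_count still 0, the client never had the issuing CA at 
all, which is the case the truss output would confirm. If the files load and 
the count is positive yet the server is still rejected, the next thing to look 
at is the chain the server actually sends rather than the trust store.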