Merge pull request #100 from victorhahncastell/master

Provide SSL certificate verification
9 years ago · d0f2f829f7
parent 256cafe826 acb13cffaf
commit d0f2f829f7
3 changed files with 131 additions and 18 deletions
--- a/1
+++ b/1
@ -1,6 +1,7 @@
 /**
 * Copyright (C) 2011-2013 Valery Komarov <komarov@valerka.net>
 * Copyright (C) 2013 Jiri Hruska <jirka@fud.cz>
+ * Copyright (C) 2015 Victor Hahn Castell <victor.hahn@flexoptix.net>
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
--- a/README.md
+++ b/README.md
@ -71,3 +71,52 @@ And add required servers in correct order into your location/server directive:

    }
 ```
+
+# Available config parameters
+
+## url
+expected value: string
+
+Available URL schemes: ldap://, ldaps://
+
+## binddn
+expected value: string
+
+## binddn_passwd
+expected value: string
+
+## group_attribute
+expected value: string
+
+## group_attribute_is_dn
+expected value: on or off, default off
+
+## require
+expected value: valid_user, user, group
+
+## satisfy
+expected value: all, any
+
+## connections
+expected value: a number greater than 0
+
+## ssl_check_cert
+expected value: on or off, default off
+
+Verify the remote certificate for LDAPs connections. If disabled, any remote ceritificate will be
+accepted which exposes you to possible man-in-the-middle attacks. Note that the server's
+certificate will need to be signed by a proper CA trusted by your system if this is enabled.
+See below how to trust CAs without installing them system-wide.
+
+## ssl_ca_file
+expected value: file path
+
+Trust the CA certificate in this file (see ssl_check_cert above).
+
+## ssl_ca_dir
+expected value: directory path
+
+Trust all CA certificates in this directory (see ssl_check_cert above).
+
+Note that you need to provide hash-based symlinks in the directory for this to work;
+you'll basically need to run OpenSSL's c_rehash command in this directory.
--- a/ngx_http_auth_ldap_module.c
+++ b/ngx_http_auth_ldap_module.c
@ -62,6 +62,10 @@ typedef struct {
    ngx_str_t group_attribute;
    ngx_flag_t group_attribute_dn;

+    ngx_flag_t ssl_check_cert;
+    ngx_str_t ssl_ca_dir;
+    ngx_str_t ssl_ca_file;
+
    ngx_array_t *require_group;     /* array of ngx_http_complex_value_t */
    ngx_array_t *require_user;      /* array of ngx_http_complex_value_t */
    ngx_flag_t require_valid_user;
@ -378,6 +382,12 @@ ngx_http_auth_ldap_ldap_server(ngx_conf_t *cf, ngx_command_t *dummy, void *conf)
            return NGX_CONF_ERROR;
        }
        server->connections = i;
+    } else if (ngx_strcmp(value[0].data, "ssl_check_cert") == 0  && ngx_strcmp(value[1].data, "on") == 0) {
+      server->ssl_check_cert = 1;
+    } else if (ngx_strcmp(value[0].data, "ssl_ca_dir") == 0) {
+      server->ssl_ca_dir = value[1];
+    } else if (ngx_strcmp(value[0].data, "ssl_ca_file") == 0) {
+      server->ssl_ca_file = value[1];
    }
    else CONF_MSEC_VALUE(cf,value,server,connect_timeout)
    else CONF_MSEC_VALUE(cf,value,server,reconnect_timeout)
@ -1129,7 +1139,7 @@ ngx_http_auth_ldap_dummy_write_handler(ngx_event_t *wev)


 #if (NGX_OPENSSL)
-/* Make sure the event hendlers are activated. */
+/* Make sure the event handlers are activated. */
 static ngx_int_t
 ngx_http_auth_ldap_restore_handlers(ngx_connection_t *conn)
 {
@ -1212,23 +1222,45 @@ ngx_http_auth_ldap_connection_established(ngx_http_auth_ldap_connection_t *c)

 #if (NGX_OPENSSL)
 static void
-ngx_http_auth_ldap_ssl_handshake_handler(ngx_connection_t *conn)
+ngx_http_auth_ldap_ssl_handshake_handler(ngx_connection_t *conn, ngx_flag_t validate)
 {
    ngx_http_auth_ldap_connection_t *c;

    c = conn->data;

    if (conn->ssl->handshaked) {
-        conn->read->handler = &ngx_http_auth_ldap_read_handler;
-        ngx_http_auth_ldap_restore_handlers(conn);
-        ngx_http_auth_ldap_connection_established(c);
-        return;
+        // verify remote certificate
+        X509 *cert = SSL_get_peer_certificate(conn->ssl->connection);
+        long verified = SSL_get_verify_result(conn->ssl->connection);
+
+        if (!validate || (cert && verified == X509_V_OK) ) { // everything fine
+          conn->read->handler = &ngx_http_auth_ldap_read_handler;
+          ngx_http_auth_ldap_restore_handlers(conn);
+          ngx_http_auth_ldap_connection_established(c);
+          return;
+        } else { // smells fishy
+          ngx_log_error(NGX_LOG_ERR, c->log, 0,
+            "http_auth_ldap: Remote side presented invalid SSL certificate: error %l, %s",
+            verified, X509_verify_cert_error_string(verified));
+          ngx_http_auth_ldap_close_connection(c);
+          return;
+        }
    }

    ngx_log_error(NGX_LOG_ERR, c->log, 0, "http_auth_ldap: SSL handshake failed");
    ngx_http_auth_ldap_close_connection(c);
 }

+static void
+ngx_http_auth_ldap_ssl_handshake_validating_handler(ngx_connection_t *conn)
+{ ngx_http_auth_ldap_ssl_handshake_handler(conn, 1); }
+
+static void
+ngx_http_auth_ldap_ssl_handshake_non_validating_handler(ngx_connection_t *conn)
+{ ngx_http_auth_ldap_ssl_handshake_handler(conn, 0); }
+
+typedef void (*ngx_http_auth_ldap_ssl_callback)(ngx_connection_t *conn);
+
 static void
 ngx_http_auth_ldap_ssl_handshake(ngx_http_auth_ldap_connection_t *c)
 {
@ -1243,14 +1275,45 @@ ngx_http_auth_ldap_ssl_handshake(ngx_http_auth_ldap_connection_t *c)
    }

    c->log->action = "SSL handshaking to LDAP server";
+    ngx_connection_t *transport = c->conn.connection;
+
+    ngx_http_auth_ldap_ssl_callback callback;
+    if (c->server->ssl_check_cert) {
+      // load CA certificates: custom ones if specified, default ones instead
+      if (c->server->ssl_ca_file.data || c->server->ssl_ca_dir.data) {
+        int setcode = SSL_CTX_load_verify_locations(transport->ssl->connection->ctx,
+          (char*)(c->server->ssl_ca_file.data), (char*)(c->server->ssl_ca_dir.data));
+        if (setcode != 1) {
+          unsigned long error_code = ERR_get_error();
+          char *error_msg = ERR_error_string(error_code, NULL);
+          ngx_log_error(NGX_LOG_ERR, c->log, 0,
+            "http_auth_ldap: SSL initialization failed. Could not set custom CA certificate location. "
+            "Error: %lu, %s", error_code, error_msg);
+        }
+      }
+      int setcode = SSL_CTX_set_default_verify_paths(transport->ssl->connection->ctx);
+      if (setcode != 1) {
+        unsigned long error_code = ERR_get_error();
+        char *error_msg = ERR_error_string(error_code, NULL);
+        ngx_log_error(NGX_LOG_ERR, c->log, 0,
+          "http_auth_ldap: SSL initialization failed. Could not use default CA certificate location. "
+          "Error: %lu, %s", error_code, error_msg);
+      }
+
+      // use validating version of next function
+      callback = &ngx_http_auth_ldap_ssl_handshake_validating_handler;
+    } else {
+      // use non-validating version of next function
+      callback = &ngx_http_auth_ldap_ssl_handshake_non_validating_handler;
+    }

-    rc = ngx_ssl_handshake(c->conn.connection);
+    rc = ngx_ssl_handshake(transport);
    if (rc == NGX_AGAIN) {
-        c->conn.connection->ssl->handler = &ngx_http_auth_ldap_ssl_handshake_handler;
+        transport->ssl->handler = callback;
        return;
    }

-    ngx_http_auth_ldap_ssl_handshake_handler(c->conn.connection);
+    (*callback)(transport);
    return;
 }
 #endif