summaryrefslogtreecommitdiffstats
path: root/libnetdata/socket/security.c
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2022-11-30 18:47:05 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2022-11-30 18:47:05 +0000
commit97e01009d69b8fbebfebf68f51e3d126d0ed43fc (patch)
tree02e8b836c3a9d89806f3e67d4a5fe9f52dbb0061 /libnetdata/socket/security.c
parentReleasing debian version 1.36.1-1. (diff)
downloadnetdata-97e01009d69b8fbebfebf68f51e3d126d0ed43fc.tar.xz
netdata-97e01009d69b8fbebfebf68f51e3d126d0ed43fc.zip
Merging upstream version 1.37.0.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'libnetdata/socket/security.c')
-rw-r--r--libnetdata/socket/security.c76
1 files changed, 34 insertions, 42 deletions
diff --git a/libnetdata/socket/security.c b/libnetdata/socket/security.c
index 6ac512de5..f7b44049b 100644
--- a/libnetdata/socket/security.c
+++ b/libnetdata/socket/security.c
@@ -2,14 +2,14 @@
#ifdef ENABLE_HTTPS
-SSL_CTX *netdata_exporting_ctx=NULL;
-SSL_CTX *netdata_client_ctx=NULL;
-SSL_CTX *netdata_srv_ctx=NULL;
-const char *security_key=NULL;
-const char *security_cert=NULL;
+SSL_CTX *netdata_ssl_exporting_ctx =NULL;
+SSL_CTX *netdata_ssl_client_ctx =NULL;
+SSL_CTX *netdata_ssl_srv_ctx =NULL;
+const char *netdata_ssl_security_key =NULL;
+const char *netdata_ssl_security_cert =NULL;
const char *tls_version=NULL;
const char *tls_ciphers=NULL;
-int netdata_validate_server = NETDATA_SSL_VALID_CERTIFICATE;
+int netdata_ssl_validate_server = NETDATA_SSL_VALID_CERTIFICATE;
/**
* Info Callback
@@ -161,7 +161,7 @@ static SSL_CTX * security_initialize_openssl_server() {
return NULL;
}
- SSL_CTX_use_certificate_file(ctx, security_cert, SSL_FILETYPE_PEM);
+ SSL_CTX_use_certificate_file(ctx, netdata_ssl_security_cert, SSL_FILETYPE_PEM);
#else
ctx = SSL_CTX_new(TLS_server_method());
if (!ctx) {
@@ -169,11 +169,11 @@ static SSL_CTX * security_initialize_openssl_server() {
return NULL;
}
- SSL_CTX_use_certificate_chain_file(ctx, security_cert);
+ SSL_CTX_use_certificate_chain_file(ctx, netdata_ssl_security_cert);
#endif
security_openssl_common_options(ctx, 0);
- SSL_CTX_use_PrivateKey_file(ctx,security_key,SSL_FILETYPE_PEM);
+ SSL_CTX_use_PrivateKey_file(ctx, netdata_ssl_security_key,SSL_FILETYPE_PEM);
if (!SSL_CTX_check_private_key(ctx)) {
ERR_error_string_n(ERR_get_error(),lerror,sizeof(lerror));
@@ -207,24 +207,25 @@ void security_start_ssl(int selector) {
switch (selector) {
case NETDATA_SSL_CONTEXT_SERVER: {
struct stat statbuf;
- if (stat(security_key, &statbuf) || stat(security_cert, &statbuf)) {
+ if (stat(netdata_ssl_security_key, &statbuf) || stat(netdata_ssl_security_cert, &statbuf)) {
info("To use encryption it is necessary to set \"ssl certificate\" and \"ssl key\" in [web] !\n");
return;
}
- netdata_srv_ctx = security_initialize_openssl_server();
- SSL_CTX_set_mode(netdata_srv_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
+ netdata_ssl_srv_ctx = security_initialize_openssl_server();
+ SSL_CTX_set_mode(netdata_ssl_srv_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
break;
}
case NETDATA_SSL_CONTEXT_STREAMING: {
- netdata_client_ctx = security_initialize_openssl_client();
+ netdata_ssl_client_ctx = security_initialize_openssl_client();
//This is necessary for the stream, because it is working sometimes with nonblock socket.
//It returns the bitmask after to change, there is not any description of errors in the documentation
- SSL_CTX_set_mode(netdata_client_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |SSL_MODE_AUTO_RETRY);
+ SSL_CTX_set_mode(
+ netdata_ssl_client_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |SSL_MODE_AUTO_RETRY);
break;
}
case NETDATA_SSL_CONTEXT_EXPORTING: {
- netdata_exporting_ctx = security_initialize_openssl_client();
+ netdata_ssl_exporting_ctx = security_initialize_openssl_client();
break;
}
}
@@ -237,16 +238,16 @@ void security_start_ssl(int selector) {
*/
void security_clean_openssl()
{
- if (netdata_srv_ctx) {
- SSL_CTX_free(netdata_srv_ctx);
+ if (netdata_ssl_srv_ctx) {
+ SSL_CTX_free(netdata_ssl_srv_ctx);
}
- if (netdata_client_ctx) {
- SSL_CTX_free(netdata_client_ctx);
+ if (netdata_ssl_client_ctx) {
+ SSL_CTX_free(netdata_ssl_client_ctx);
}
- if (netdata_exporting_ctx) {
- SSL_CTX_free(netdata_exporting_ctx);
+ if (netdata_ssl_exporting_ctx) {
+ SSL_CTX_free(netdata_ssl_exporting_ctx);
}
#if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_110
@@ -355,32 +356,23 @@ int security_test_certificate(SSL *ssl) {
*
* @return It returns 0 on success and -1 otherwise.
*/
-int security_location_for_context(SSL_CTX *ctx, char *file, char *path) {
- struct stat statbuf;
- if (stat(file, &statbuf)) {
- info("Netdata does not have the parent's SSL certificate, so it will use the default OpenSSL configuration to validate certificates!");
- return 0;
- }
-
- ERR_clear_error();
- u_long err;
- char buf[256];
- if(!SSL_CTX_load_verify_locations(ctx, file, path)) {
- goto slfc;
+int ssl_security_location_for_context(SSL_CTX *ctx, char *file, char *path) {
+ int load_custom = 1, load_default = 1;
+ if (file || path) {
+ if(!SSL_CTX_load_verify_locations(ctx, file, path)) {
+ info("Netdata can not verify custom CAfile or CApath for parent's SSL certificate, so it will use the default OpenSSL configuration to validate certificates!");
+ load_custom = 0;
+ }
}
if(!SSL_CTX_set_default_verify_paths(ctx)) {
- goto slfc;
+ info("Can not verify default OpenSSL configuration to validate certificates!");
+ load_default = 0;
}
- return 0;
+ if (load_custom == 0 && load_default == 0)
+ return -1;
-slfc:
- while ((err = ERR_get_error()) != 0) {
- ERR_error_string_n(err, buf, sizeof(buf));
- error("Cannot set the directory for the certificates and the parent SSL certificate: %s",buf);
- }
- return -1;
+ return 0;
}
-
#endif