Closed sjaeckel closed 3 years ago
sjaeckel
commented
3 years ago I've marked this as WIP since I'm not sure whether the "Client-auth mandatory" is enforceable as client or whether this code could be removed.
Maybe @ueno and someone from @openssl can give their feedback on whether this is possible in general, their lib and what I did in this regard makes sense!? I'm pretty sure it isn't possible, but having their view on this would be very helpful.
sjaeckel
commented
3 years ago Review is still in progress.
thanks for the thorough review! looking forward to the coming parts :)
... regarding the complete client certificate part it looks to me like the way how OpenSSL works internally is ... well how should I put it ... let's quote man SSL_CTX_set_client_cert_cb ...
NOTES
During a handshake (or renegotiation) a server may request a certificate from the client. A client certificate must only be sent, when the server did send the request.
When a certificate was set using the SSL_CTX_use_certificate(3) family of functions, it will be sent to the server. The TLS standard requires that only a certificate is
sent, if it matches the list of acceptable CAs sent by the server. This constraint is violated by the default behavior of the OpenSSL library. Using the callback
function it is possible to implement a proper selection routine or to allow a user interaction to choose the certificate to be sent.
If a callback function is defined and no certificate was yet defined for the SSL object, the callback function will be called. If the callback function returns a
certificate, the OpenSSL library will try to load the private key and certificate data into the SSL object using the SSL_use_certificate() and SSL_use_private_key()
functions. Thus it will permanently install the certificate and key for this SSL object. It will not be reset by calling SSL_clear(3). If the callback returns no
certificate, the OpenSSL library will not send a certificate.
- basic example should be clear and straightforward. Adding cert/key in this way overcomplicates the example. Maybe it will be better to provide them with options like
--tls-cert=<cert>and--tls-key=<key>. Alsobasiccan be used as a standalone debugging tool, so it's interface should be easy to understand from the 1st look.
please check if that's okay like I did it now ... I can also still revert it to the way it was before
- TLS modules implement
struct _tlswhich can hold preloaded cert during tls object initialization. In this way we can avoid multiple read operations per re-connect.
we have to wait until xmpp_connect_client() calls tls_new() before we can cache ... it complicates things a bit, but it's acceptable
pasis
commented
3 years ago Merged, thank you for contribution!
This PR adds TLS client authentication support via SASL EXTERNAL.
Testing was done via examples/basic against ejabberd.
I didn't add support for password-protected keys since this would require an interactive way of asking for the password to be secure and I doubt this to be in focus for most users of this library.
~I've marked this as WIP since I'm not sure whether the "Client-auth mandatory" is enforceable as client or whether this code could be removed.~
This fixes #162