[Devel] [ openser-Patches-1477147 ] TLS client domains (name/socket based) and more config

SourceForge.net noreply at sourceforge.net
Wed May 10 15:26:38 CEST 2006


Patches item #1477147, was opened at 2006-04-26 20:35
Message generated for change (Comment added) made by klaus_darilion
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=743022&aid=1477147&group_id=139143

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: core
Group: ver devel
Status: Open
Resolution: None
Priority: 5
Submitted By: Klaus Darilion (klaus_darilion)
Assigned to: Nobody/Anonymous (nobody)
Summary: TLS client domains (name/socket based) and more config

Initial Comment:
Hi!

I've extended the TLS stack. The changes do not
actually change the TLS processing, but the TLS
configuration and TLS initialization. This patch
includes the features of the previous patch
(http://sourceforge.net/tracker/index.php?func=detail&aid=1464264&group_id=139143&atid=743022)
and allows more flexible configuration.

Not extensively tested, but basic testing succeeded and
as there are no "deep" TLS changes, it should be as
stable as the current version.

Detailed changes:

parameters:
- parameter tls_require_certificate renamed to
tls_require_client_certificate because it is more
intuitive.

- parameter tls_client_domain_avp added: allows
activating a certain TLS client domain via AVP.

- TLS virtual domain configuration differs between
server and client domains

internal:
- the default TLS client and server also use the
tls_domain structure now. Inside the TLS code we have 4
domain lists:
  - tls_default_server_domain (this list has 1 entry)
  - tls_default_client_domain (this list has 1 entry)
  - tls_client_domains (this list has 0 or more entries)
  - tls_server_domains (this list has 0 or more entries)
  This also allows configuring tls_cipher,
tls_verify_* and tls_require_client_certificate on a
per-domain basis
  
- 2-stage TLS initialization in main.c: before and
after config file parsing

- docs updated

- default values for tls_handshake_timeout and
tls_send_timeout changed from 120 seconds to 30 seconds
as there is no reason for waiting 120 seconds

- removed duplicate TLS initialization code

- more logging and better error handling during
initialization

- added to tls_domain structure:
  + int   type;
  + int   verify_cert;
  + int   require_client_cert;
  + char *ciphers_list;
  + str name; Allows TLS domain lookup via a string-based
identifier
  
  The type is "stolen" from ser's TLS code:
  enum tls_domain_type {
        TLS_DOMAIN_DEF = (1 << 0), /* Default domain */
        TLS_DOMAIN_SRV = (1 << 1), /* Server domain */
        TLS_DOMAIN_CLI = (1 << 2), /* Client domain */
        TLS_DOMAIN_NAME= (1 << 3)  /* Name based TLS domain */
  };
  
- removed unused variables

----------------------------------------------------------------------

>Comment By: Klaus Darilion (klaus_darilion)
Date: 2006-05-10 15:26

Message:
Logged In: YES 
user_id=1318360

- updated TLS patch (support for TLS client domains) to work
with AVP flags (see TLS README)
- tlsops module exports pseudo variables with TLS cert
parameters (see README of tlsops module)


----------------------------------------------------------------------

Comment By: Klaus Darilion (klaus_darilion)
Date: 2006-05-04 11:56

Message:
Logged In: YES 
user_id=1318360

deleted patch as a new patch is coming soon.

----------------------------------------------------------------------
