Commit 1358a9af authored by Leigh Stoller's avatar Leigh Stoller

Extreme paranoia sanity check to make sure that the script was invoked

with the proper SSL environment. This is so we can use "optional"
client verification in the apache config file, and avoid SSL
renegotiation, which is currently a mess because of the security flaws
in it.
parent 44c91102
#!/usr/bin/perl -w
#
# GENIPUBLIC-COPYRIGHT
# Copyright (c) 2008-2009 University of Utah and the Flux Group.
# Copyright (c) 2008-2010 University of Utah and the Flux Group.
# All rights reserved.
#
......@@ -64,6 +64,25 @@ if (!defined($certificate)) {
}
$ENV{'MYUUID'} = $certificate->uuid();
#
# Make sure the client presented a valid certificate that apache says
# is okay.
#
# THIS HAS TO BE HERE! Why? Cause recent security patches disable SSL
# renegotiation, which is needed when a subdir turns on ssl client
# verification (as httpd.conf used to). Now, we set it to "optional",
# which avoids the renegotiation problem, but we have to make that
# this interface is always invoked by a client supplying a verifiable
# certificate.
#
if (! (exists($ENV{'SSL_CLIENT_VERIFY'}) &&
$ENV{'SSL_CLIENT_VERIFY'} eq "SUCCESS")) {
my $decoder = Frontier::RPC2->new();
print "Content-Type: text/xml \n\n";
print $decoder->encode_fault(-1, "Invalid or missing certificate");
exit(0);
}
#
# In the prototype, we accept certificate signed by trusted roots
# (CA certs we have locally cached). This script runs as "geniuser"
......
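Review bot: The SSL_CLIENT_VERIFY gate sits after `$ENV{'MYUUID'} = $certificate->uuid();`, so whatever constructs `$certificate` (outside the hunk) has already parsed the client's certificate before Apache's verdict is consulted; if that object is built from the SSL_CLIENT_CERT environment, the check should move above that parsing so an unverified certificate is rejected before any work is done on it. The same eighteen-line block is pasted verbatim into the other three files of this commit; one shared helper (e.g. a `CheckSSLClientVerified()` that returns the fault) would keep the four copies from drifting when the check next changes. As written the test fails closed when the variable is absent and accepts only `SUCCESS`, so mod_ssl's `NONE`, `GENEROUS` and `FAILED:*` results are all rejected, which is what running under `SSLVerifyClient optional` requires. The explanatory comment has a dropped word: `# which avoids the renegotiation problem, but we have to make sure that`.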
......@@ -79,6 +79,25 @@ $ENV{'MYUUID'} = $certificate->uuid();
# upgrade to URNs in their certificates, so we can't assume it yet.
$ENV{'MYURN'} = "urn:publicid:IDN+@OURDOMAIN@+authority+cm";
#
# Make sure the client presented a valid certificate that apache says
# is okay.
#
# THIS HAS TO BE HERE! Why? Cause recent security patches disable SSL
# renegotiation, which is needed when a subdir turns on ssl client
# verification (as httpd.conf used to). Now, we set it to "optional",
# which avoids the renegotiation problem, but we have to make that
# this interface is always invoked by a client supplying a verifiable
# certificate.
#
if (! (exists($ENV{'SSL_CLIENT_VERIFY'}) &&
$ENV{'SSL_CLIENT_VERIFY'} eq "SUCCESS")) {
my $decoder = Frontier::RPC2->new();
print "Content-Type: text/xml \n\n";
print $decoder->encode_fault(-1, "Invalid or missing certificate");
exit(0);
}
#
# In the prototype, we accept certificate signed by trusted roots
# (CA certs we have locally cached). This script runs as "geniuser"
......
......@@ -30,6 +30,7 @@ use vars qw($GENI_DBNAME);
BEGIN { $GENI_DBNAME = "geni"; }
# Configure variables
my $TBOPS = "@TBOPSEMAIL@";
my $EMULAB_PEMFILE = "@prefix@/etc/genisa.pem";
my $MAINSITE = @TBMAINSITE@;
my $VERSION = "1.0";
......@@ -40,6 +41,7 @@ use GeniSA;
use Genixmlrpc;
use GeniResponse;
use libaudit;
use libtestbed;
# Geniuser.
my $user = "geniuser";
......@@ -66,6 +68,25 @@ if (!defined($certificate)) {
}
$ENV{'MYUUID'} = $certificate->uuid();
#
# Make sure the client presented a valid certificate that apache says
# is okay.
#
# THIS HAS TO BE HERE! Why? Cause recent security patches disable SSL
# renegotiation, which is needed when a subdir turns on ssl client
# verification (as httpd.conf used to). Now, we set it to "optional",
# which avoids the renegotiation problem, but we have to make that
# this interface is always invoked by a client supplying a verifiable
# certificate.
#
if (! (exists($ENV{'SSL_CLIENT_VERIFY'}) &&
$ENV{'SSL_CLIENT_VERIFY'} eq "SUCCESS")) {
my $decoder = Frontier::RPC2->new();
print "Content-Type: text/xml \n\n";
print $decoder->encode_fault(-1, "Invalid or missing certificate");
exit(0);
}
#
# In the prototype, we accept certificate signed by trusted roots
# (CA certs we have locally cached). This script runs as "geniuser"
......
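Review bot: `my $TBOPS = "@TBOPSEMAIL@";` and `use libtestbed;` appear to be the single lines added by this file's first two hunks, yet nothing in the visible hunks references either of them; if the consumer lives in a part of the file outside this view that is fine, otherwise they are dead additions and should be dropped or the code that uses them belongs in this commit. The SSL_CLIENT_VERIFY block in the third hunk carries the same placement and duplication concerns raised on the first file of this commit.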
#!/usr/bin/perl -w
#
# GENIPUBLIC-COPYRIGHT
# Copyright (c) 2008-2009 University of Utah and the Flux Group.
# Copyright (c) 2008-2010 University of Utah and the Flux Group.
# All rights reserved.
#
......@@ -65,6 +65,25 @@ if (!defined($certificate)) {
}
$ENV{'MYUUID'} = $certificate->uuid();
#
# Make sure the client presented a valid certificate that apache says
# is okay.
#
# THIS HAS TO BE HERE! Why? Cause recent security patches disable SSL
# renegotiation, which is needed when a subdir turns on ssl client
# verification (as httpd.conf used to). Now, we set it to "optional",
# which avoids the renegotiation problem, but we have to make that
# this interface is always invoked by a client supplying a verifiable
# certificate.
#
if (! (exists($ENV{'SSL_CLIENT_VERIFY'}) &&
$ENV{'SSL_CLIENT_VERIFY'} eq "SUCCESS")) {
my $decoder = Frontier::RPC2->new();
print "Content-Type: text/xml \n\n";
print $decoder->encode_fault(-1, "Invalid or missing certificate");
exit(0);
}
#
# In the prototype, we accept certificate signed by trusted roots
# (CA certs we have locally cached). This script runs as "geniuser"
......