Mailing List Archive: Cherokee: dev

Patch for SSL IP Vservers without SNI



bluedragonx at gmail

Sep 25, 2009, 8:57 AM

Post #1 of 12 (927 views)
Patch for SSL IP Vservers without SNI

All:

Currently the only way to do IP based virtual hosting without SNI in
Cherokee is to start multiple daemons and bind them to different IP
addresses. I've developed a patch that will allow a single instance of
Cherokee to serve multiple SSL enabled IP matched vservers without using
SNI.

I've done some testing against trunk with and without TLSEXT enabled, and it
works both ways. Some review of the code and additional testing may be
necessary to ensure I didn't introduce any bugs, but it works without any
issues in my test environment.

Let me know what y'all think.

Thanks,
Ryan
Attachments: cherokee-ssl-ip-vserver.patch (11.0 KB)


stefan at konink

Sep 25, 2009, 9:18 AM

Post #2 of 12 (879 views)
Re: Patch for SSL IP Vservers without SNI [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Ryan Bourgeois wrote:
> Let me know what y'all think.

...maybe I don't get it. But where in the code is the SSL actually
matched to the server based on the incoming IP?


Stefan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEAREKAAYFAkq87U0ACgkQYH1+F2Rqwn1+6gCfbYOVwcGEejqHW4S9WkepcSPv
9rYAnjFfRTyYITDgmuQhbcee0wDGpilH
=zki4
-----END PGP SIGNATURE-----
_______________________________________________
Cherokee-dev mailing list
Cherokee-dev [at] lists
http://lists.octality.com/listinfo/cherokee-dev


bluedragonx at gmail

Sep 25, 2009, 10:30 AM

Post #3 of 12 (878 views)
Re: Patch for SSL IP Vservers without SNI [In reply to]

> ...maybe I don't get it. But where in the code is the SSL actually
> matched to the server based on the incoming IP?

In short, it uses the virtual server host matches.

More specifically, it happens in the call to cherokee_server_get_vserver as
before. Previously the call was only made in the OpenSSL SNI callback
(openssl_sni_servername_cb) and the third argument, the connection object
(conn), was set to null. Now instead of erroring out if no SNI servername
is found, the servername is set to the IP address and conn is passed
to openssl_sni_servername_cb so that the matches can actually make an
informed decision.
If TLSEXT is disabled, the call to cherokee_server_get_vserver is made in
lieu of the call to SSL_set_app_arg by way of preprocessing directives.

The actual work of searching for the vserver and changing the certs has been
pulled out of openssl_sni_servername_cb and placed in a new
function, cherokee_cryptor_libssl_find_vserver, since it can either happen
inside of openssl_sni_servername_cb (if TLSEXT is enabled) or
in socket_initialize (if TLSEXT is disabled).

-Ryan


stefan at konink

Sep 25, 2009, 10:31 AM

Post #4 of 12 (876 views)
Re: Patch for SSL IP Vservers without SNI [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Ryan Bourgeois wrote:
>> ...maybe I don't get it. But where in the code is the SSL actually
>> matched to the server based on the incoming IP?
>
> In short, it uses the virtual server host matches.

But the connection is already made BEFORE a match can be done right?


Stefan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEUEAREKAAYFAkq8/nsACgkQYH1+F2Rqwn3wuwCXcw1RbSv1BsV9hIkpP91xkRV/
gACfWTVOFw2+3fM7ZVbAH2ALdYwWA2o=
=rfkB
-----END PGP SIGNATURE-----


bluedragonx at gmail

Sep 26, 2009, 7:06 AM

Post #5 of 12 (866 views)
Re: Patch for SSL IP Vservers without SNI [In reply to]

Stefan wrote:
> Ryan Bourgeois wrote:
> >> ...maybe I don't get it. But where in the code is the SSL actually
> >> matched to the server based on the incoming IP?
> >
> > In short, it uses the virtual server host matches.
>
> But the connection is already made BEFORE a match can be done right?

It happens during the TLS handshake immediately after the SNI
servername is read out. So after the connection is made, but before a
TLS session is established (or at least that's how I understand it),
and well before any HTTP request has been made.

-Ryan


stefan at konink

Sep 26, 2009, 7:09 AM

Post #6 of 12 (866 views)
Re: Patch for SSL IP Vservers without SNI [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Ryan Bourgeois wrote:
> Stefan wrote:
>> Ryan Bourgeois wrote:
>>>> ...maybe I don't get it. But where in the code is the SSL actually
>>>> matched to the server based on the incoming IP?
>>> In short, it uses the virtual server host matches.
>> But the connection is already made BEFORE a match can be done right?
>
> It happens during the TLS handshake immediately after the SNI
> servername is read out. So after the connection is made, but before a
> TLS session is established (or at least that's how I understand it),
> and well before any HTTP request has been made.

If there is a TLS connection. A certificate has been used. So what
certificate is used if the certificate you want to select is based on a
decision you can only make if you match it on IP?


Stefan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEAREKAAYFAkq+IJgACgkQYH1+F2Rqwn3s0wCgj4KJC9mmhhE+ks7KLWATbSnX
s4QAn24DgM7/NAmVPcAEcsaNAlwrOzGs
=vl7Y
-----END PGP SIGNATURE-----


bluedragonx at gmail

Sep 26, 2009, 3:07 PM

Post #7 of 12 (864 views)
Re: Patch for SSL IP Vservers without SNI [In reply to]

>> It happens during the TLS handshake immediately after the SNI
>> servername is read out. So after the connection is made, but before a
>> TLS session is established (or at least that's how I understand it),
>> and well before any HTTP request has been made.
>
> If there is a TLS connection. A certificate has been used. So what
> certificate is used if the certificate you want to select is based on a
> decision you can only make if you match it on IP?

I think we're getting mixed up on terminology here. The "connection"
as I'm referring to it is the TCP/IP connection. The TLS handshake
happens after the TCP/IP connection is established. The SNI
servername is read, certificates are swapped, and a TLS session
established during the TLS handshake. After the TLS session is
established the HTTP request is made.

Now, with that clarification...

The virtual server match occurs during the TLS handshake immediately
before the server certificate is sent. At this point in the chain we
have a client IP address and, depending on whether SNI is operable, a
hostname.

There are three problems that must be solved in the current code base
in order to make the above possible.

1) We have to pass the active cherokee_connection_t object into
cryptor->init_tls() so that we can pass it to the call to
cherokee_server_get_vserver(). Currently NULL is passed, so the
vserver match does not know what the IP address is.

2) Make the call to cherokee_server_get_vserver() even when SNI fails
to retrieve a servername. I pass the IP address as the servername when
SNI fails.

3) Make the call to cherokee_server_get_vserver() even when TLSEXT is
not enabled in the underlying SSL library. This happens in the call
to socket_initialize() which is called by cryptor->init_tls() for
libssl.

So that's what I did, and it works. I know it works as I've tested it
- I would not have submitted the patch without doing functionality
testing on it. Try it =)

-Ryan
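The handshake ordering and the three changes listed in the post above, as an added example that is not part of this thread or of Cherokee's code: a small Python model of the selection step that runs between the ClientHello and the server's certificate, using a constructed configuration. The names (VServer, find_vserver, non_sni_report, handshake_trace, the example.com hostnames and the 192.0.2.x addresses) are this example's own, and the wildcard rule is an assumption rather than Cherokee's matching rules. The IP fallback keys on the address the client connected to, which is what IP-based virtual hosting distinguishes on; the model also goes a step beyond the post by reporting which vservers a client that sends no SNI can never reach, which is the configuration check a practitioner wants before relying on the fallback.

```python
"""Model of certificate selection during the TLS handshake: prefer the SNI
hostname, fall back to the connected-to IP when there is no SNI or no TLSEXT.
Added example with a hypothetical data model; not Cherokee's code."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class VServer:
    name: str
    cert: str                          # label of the certificate this vserver presents
    host_matches: List[str] = field(default_factory=list)  # hostnames, wildcards or IPs


def host_match(pattern: str, value: str) -> bool:
    """Exact, case-insensitive match, or a leading '*.' wildcard that requires at
    least one extra label (the wildcard rule is this example's assumption)."""
    pattern, value = pattern.lower(), value.lower()
    if pattern.startswith("*."):
        return value.endswith(pattern[1:])
    return pattern == value


def find_vserver(vservers: List[VServer], sni_name: Optional[str], local_ip: str,
                 tlsext_enabled: bool = True) -> Tuple[VServer, str]:
    """Select the vserver before the certificate is sent.
    Returns (vserver, how) with how in {'sni', 'ip', 'default'}."""
    # Problem 1 in the post: the match must see the connection's IP, hence local_ip.
    if tlsext_enabled and sni_name:
        servername, how = sni_name, "sni"
    else:
        # Problems 2 and 3: no SNI name, or no TLSEXT at all -> use the IP as the name.
        servername, how = local_ip, "ip"
    for vs in vservers:
        if any(host_match(p, servername) for p in vs.host_matches):
            return vs, how
    # Nothing matched: the handshake still needs some certificate, so the first
    # (catch-all) vserver answers.
    return vservers[0], "default"


def handshake_trace(vservers: List[VServer], sni_name: Optional[str], local_ip: str,
                    tlsext_enabled: bool = True) -> List[str]:
    """Order of events on one connection: TCP accept, ClientHello, vserver match,
    certificate, TLS session, and only then the HTTP request."""
    vs, how = find_vserver(vservers, sni_name, local_ip, tlsext_enabled)
    return ["tcp_accept", "client_hello", f"match:{vs.name}:{how}",
            f"certificate:{vs.cert}", "tls_established", "http_request"]


def non_sni_report(vservers: List[VServer],
                   listen_ips: List[str]) -> Tuple[Dict[str, str], List[str]]:
    """Which vserver a client without SNI gets on each listening IP, and which
    vservers (other than the catch-all) are reachable only with SNI."""
    served = {ip: find_vserver(vservers, None, ip)[0] for ip in listen_ips}
    by_ip = {ip: vs.name for ip, vs in served.items()}
    sni_only = [vs.name for vs in vservers[1:] if vs not in served.values()]
    return by_ip, sni_only


# Constructed sample configuration; 192.0.2.0/24 is the RFC 5737 documentation range.
VSERVERS = [
    VServer("default", "default.pem"),                                              # catch-all
    VServer("shop", "shop.pem", ["shop.example.com", "*.shop.example.com", "192.0.2.10"]),
    VServer("mail", "mail.pem", ["mail.example.com", "192.0.2.11"]),
    VServer("blog", "blog.pem", ["blog.example.com"]),                              # hostname only
]
LISTEN_IPS = ["192.0.2.10", "192.0.2.11"]

if __name__ == "__main__":
    cases = [("shop.example.com", "192.0.2.11", True),   # SNI wins over the IP
             (None, "192.0.2.11", True),                  # no SNI -> IP match
             ("blog.example.com", "192.0.2.10", False),   # no TLSEXT -> SNI ignored
             (None, "192.0.2.12", True)]                  # nothing matches -> catch-all
    for sni, ip, ext in cases:
        print(sni, ip, "tlsext" if ext else "no-tlsext", "->",
              handshake_trace(VSERVERS, sni, ip, ext)[2:4])
    print(non_sni_report(VSERVERS, LISTEN_IPS))
```

Running the block shows the point Stefan was circling: a client that sends no SNI (or a build without TLSEXT) is served the vserver bound to the IP it connected to, so any vserver identified only by hostname, like "blog" in the sample, never receives such a client and that client sees another vserver's certificate instead.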


williamottley at gmail

Oct 1, 2009, 1:40 PM

Post #8 of 12 (845 views)
Re: Patch for SSL IP Vservers without SNI [In reply to]

Trying to set up a proper cross development env. for Windows.

I installed Gentoo, and crossdev.
I have the environment set up for mingw32, but now I'm stuck on the pthreads
file:

checking for pthread_rwlock_t support... no
configure: error: pthread_rwlock_t support missing


How do I go about putting this support into crossdev?

Is there any other environment variables I need to set?

Thanks!


stefan at konink

Oct 1, 2009, 2:13 PM

Post #9 of 12 (844 views)
Re: Patch for SSL IP Vservers without SNI [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

William Ottley wrote:
> How do I go about putting this support into crossdev?
>
> Is there any other environment variables I need to set?

This /is/ described on the website. Check out pthreads-win32.


Stefan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEAREKAAYFAkrFG24ACgkQYH1+F2Rqwn2iVwCgj84TPa2t1hqTL3mJLP3eoUTc
W5wAn3OCEoQcf2aZ2Wy6lndRNbg8Apnq
=DS/L
-----END PGP SIGNATURE-----


williamottley at gmail

Oct 1, 2009, 2:59 PM

Post #10 of 12 (843 views)
Re: Patch for SSL IP Vservers without SNI [In reply to]

Yep, seen it. But since I'm not really a developer, I'm not aware if
there are any Gentoo specific install instructions..

This is my 3rd attempt to create a cross compile environment. The
first two failed: CentOS & Fedora. So I don't want to strike out lol

Sent from my iPhone

On 2009-10-01, at 5:13 PM, Stefan de Konink <stefan [at] konink> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> William Ottley wrote:
>> How do I go about putting this support into crossdev?
>>
>> Is there any other environment variables I need to set?
>
> This /is/ described on the website. Check out pthreads-win32.
>
>
> Stefan
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.11 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iEYEAREKAAYFAkrFG24ACgkQYH1+F2Rqwn2iVwCgj84TPa2t1hqTL3mJLP3eoUTc
> W5wAn3OCEoQcf2aZ2Wy6lndRNbg8Apnq
> =DS/L
> -----END PGP SIGNATURE-----


stefan at konink

Oct 1, 2009, 3:35 PM

Post #11 of 12 (842 views)
Re: Patch for SSL IP Vservers without SNI [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

William Ottley wrote:
> Yep, seen it. But since I'm not really a developer, I'm not aware if
> there are any Gentoo specific install instructions..
>
> This is my 3rd attempt to create a cross compile environment. The first
> two failed: CentOS & Fedora. So I don't want to strike out lol

Pthreads-win32 is not part of cross-dev ;)

You have to install it manually in your toolchain.


Stefan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEAREKAAYFAkrFLsoACgkQYH1+F2Rqwn1TvgCggq5Xqq+NsMpZb5esoS6w+5rD
9/cAniIj3U8EBX78W8vj7LCm/qfuHSVN
=5v6A
-----END PGP SIGNATURE-----


aperez at skarcha

Nov 4, 2010, 11:12 AM

Post #12 of 12 (399 views)
Re: Patch for SSL IP Vservers without SNI [In reply to]

Hello,

On Fri, Sep 25, 2009 at 5:57 PM, Ryan Bourgeois <bluedragonx [at] gmail> wrote:

Long time... :-)

> Currently the only way to do IP based virtual hosting without SNI in
> Cherokee is to start multiple daemons and bind them to different IP
> addresses.  I've developed a patch that will allow a single instance of
> Cherokee to serve multiple SSL enabled IP matched vservers without using
> SNI.
> I've done some testing against trunk with and without TLSEXT enabled, and it
> works both ways.  Some review of the code and additional testing may be
> necessary to ensure I didn't introduce any bugs, but it works without any
> issues in my test environment.
>
> Let me know what y'all think.

Your patch (with minor changes) has been committed to the repository[1]
and will be shipped with the upcoming Cherokee 1.0.9.

Thanks a million for it! :-)

[1] http://svn.cherokee-project.com/changeset/5682

--
Regards:
Antonio Pérez
