[PATCH] (issue90) Use certificate pinning and forced ciphersuites for curl
Wald Commits
scm-commit at wald.intevation.org
Mon Sep 1 19:49:58 CEST 2014
# HG changeset patch
# User Andre Heinecke <andre.heinecke at intevation.de>
# Date 1409593794 -7200
# Node ID daa9448b64f5419b3611c8f812d9183be95aea71
# Parent 0570b1e562c21450dd39002690520b8f6aac5b9a
(issue90) Use certificate pinning and forced ciphersuites for curl
diff -r 0570b1e562c2 -r daa9448b64f5 ui/sslconnection_curl.cpp
--- a/ui/sslconnection_curl.cpp Mon Sep 01 19:48:53 2014 +0200
+++ b/ui/sslconnection_curl.cpp Mon Sep 01 19:49:54 2014 +0200
@@ -7,6 +7,8 @@
*/
#include "sslconnection_curl.h"
+
+#include <polarssl/ssl.h>
#include <QSaveFile>
#define CONNECTION_DEBUG
@@ -24,7 +26,25 @@
return;
}
+#ifdef RELEASE_BUILD
if (curl_easy_setopt(mCurl, CURLOPT_SSL_VERIFYPEER, 1L) != CURLE_OK) {
+#else
+ /* For testing we do not have to trust the issuer. This should not
+ * be dangerous as we pin the peer certificate directly. */
+ if (curl_easy_setopt(mCurl, CURLOPT_SSL_VERIFYPEER, 0L) != CURLE_OK) {
+#endif
+ /* Should be default anyway */
+ qDebug() << "Setting verifypeer failed";
+ return;
+ }
+
+#ifdef RELEASE_BUILD
+ if (curl_easy_setopt(mCurl, CURLOPT_SSL_VERIFYHOST, 1L) != CURLE_OK) {
+#else
+ /* For testing we do not have to trust host. This should not
+ * be dangerous as we pin the peer certificate directly. */
+ if (curl_easy_setopt(mCurl, CURLOPT_SSL_VERIFYHOST, 0L) != CURLE_OK) {
+#endif
/* Should be default anyway */
qDebug() << "Setting verifypeer failed";
return;
@@ -35,6 +55,13 @@
return;
}
+#ifdef RELEASE_BUILD
+ if (curl_easy_setopt(mCurl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2) != CURLE_OK) {
+ qDebug() << "Setting ssl version failed.";
+ return;
+ }
+#endif
+
mCertFile.open();
if (mCertFile.write(mPinnedCert) != mPinnedCert.size()) {
qDebug() << "Failed to write temporary certificate";
@@ -44,10 +71,17 @@
if (curl_easy_setopt(mCurl, CURLOPT_CAINFO,
mCertFile.fileName().toUtf8().constData()) != CURLE_OK) {
- qDebug() << "Failed to write temporary certificate";
+ qDebug() << "Failed to set ca certificate";
return;
}
+ /* If the build fails here maybe you probably forgot to apply the
+ * trustbridge patches to curl */
+ if (curl_easy_setopt(mCurl, CURLOPT_PEERCERT,
+ mCertFile.fileName().toUtf8().constData()) != CURLE_OK) {
+ qDebug() << "Failed set peer certificate.";
+ return;
+ }
mInitialized = true;
#ifdef CONNECTION_DEBUG
@@ -84,6 +118,10 @@
mErrorState = InvalidCertificate;
return -1;
}
+ if (retval == CURLE_SSL_CONNECT_ERROR) {
+ mErrorState = SSLHandshakeFailed;
+ return -1;
+ }
mErrorState = NoConnection;
return -1;
@@ -226,5 +264,14 @@
}
void SSLConnectionCurl::setCiphersuites(int ciphers[]) {
- qDebug() << "Set ciphersuites not supported.";
+ QStringList cipher_list;
+ for (int i = 0; ciphers[i] != 0; i++) {
+ cipher_list << ssl_get_ciphersuite_name(ciphers[i]);
+ }
+
+ if (curl_easy_setopt(mCurl, CURLOPT_SSL_CIPHER_LIST,
+ cipher_list.join(":").toLatin1().constData()) != CURLE_OK) {
+ qDebug() << "Failed to set cipher list";
+ return;
+ }
}
diff -r 0570b1e562c2 -r daa9448b64f5 ui/tests/downloadertest.cpp
--- a/ui/tests/downloadertest.cpp Mon Sep 01 19:48:53 2014 +0200
+++ b/ui/tests/downloadertest.cpp Mon Sep 01 19:49:54 2014 +0200
@@ -148,22 +148,22 @@
QVERIFY(error == SSLConnection::NoConnection);
}
+static int accept_ciphers[] = {
+ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
+ 0
+};
void DownloaderTest::testForcedCiphers()
{
Downloader* downloader = new Downloader(this,
- QString::fromLatin1("https://files.intevation.de:443"),
+ QString::fromLatin1(SERVER_URL),
QByteArray(), /* Use default testing certificate */
QDateTime::currentDateTime(),
QDateTime::fromString("2010", "YYYY"),
"/users/aheinecke/development/TrustBridge-development.exe",
"/users/aheinecke/development/zertifikatsliste.txt");
- int accept_ciphers[] = {
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
- TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
- 0
- };
downloader->setCiphersuites(accept_ciphers);
More information about the Trustbridge-commits
mailing list