From 7a6e5aa9584995e47d1f1180b0ff44b4f42c8a9f Mon Sep 17 00:00:00 2001
From: lidakaml <52534475+lidakaml@users.noreply.github.com>
Date: Tue, 7 Jun 2022 17:16:07 +0300
Subject: [PATCH 1/4] tls can be served without client cert tls can be served if require_client_certs option is set to false in config file
---
 apps/epp_proxy/src/epp_tls_worker.erl | 30 +++++++++++++++++++--------
 1 file changed, 21 insertions(+), 9 deletions(-)
diff --git a/apps/epp_proxy/src/epp_tls_worker.erl b/apps/epp_proxy/src/epp_tls_worker.erl
index 1941251..4e22287 100644
--- a/apps/epp_proxy/src/epp_tls_worker.erl
+++ b/apps/epp_proxy/src/epp_tls_worker.erl
@@ -169,20 +169,32 @@ log_opened_connection(Ip) ->
 "~p.~n", [ReadableIp, self()]).
+require_client_certs() ->
+ case application:get_env(epp_proxy, require_client_certs) of
+ {ok, false} -> false;
+ {ok, true} -> true
+ end.
+
 %% Extract state info from socket. Fail if you must.
 state_from_socket(Socket, State) ->
- {ok, PeerCert} = ssl:peercert(Socket),
 {ok, {PeerIp, _PeerPort}} = ssl:peername(Socket),
- {SSL_CLIENT_S_DN_CN, SSL_CLIENT_CERT} =
- epp_certs:headers_from_cert(PeerCert),
- Headers = [{"SSL-CLIENT-CERT", SSL_CLIENT_CERT},
- {"SSL-CLIENT-S-DN-CN", SSL_CLIENT_S_DN_CN},
- {"User-Agent", <<"EPP proxy">>},
- {"X-Forwarded-for", epp_util:readable_ip(PeerIp)}],
+ PlainHeaders = [
+ {"User-Agent", <<"EPP proxy">>},
+ {"X-Forwarded-for", epp_util:readable_ip(PeerIp)}],
+ case {ssl:peercert(Socket), require_client_certs()} of
+ {{error, no_peercert}, false} -> Headers = PlainHeaders;
+ % {{error, no_peercert}, true} -> ; %% TODO: maybe send the reason of connection close
+ {{ok, PeerCert}, _} ->
+ {SSL_CLIENT_S_DN_CN, SSL_CLIENT_CERT} =
+ epp_certs:headers_from_cert(PeerCert),
+ Headers = lists:append(PlainHeaders, [
+ {"SSL-CLIENT-CERT", SSL_CLIENT_CERT},
+ {"SSL-CLIENT-S-DN-CN", SSL_CLIENT_S_DN_CN}])
+ end,
 NewState = State#state{socket = Socket,
- headers = Headers},
+ headers = Headers},
 lager:info("Established connection with: [~p]~n",
- [NewState]),
+ [NewState]),
 NewState.
 %% Get status, XML record, command and clTRID if defined.
From 9334dfc55c57886fdaf36f492d3b55c3702aaf3b Mon Sep 17 00:00:00 2001
From: lidakaml <52534475+lidakaml@users.noreply.github.com>
Date: Tue, 7 Jun 2022 17:31:43 +0300
Subject: [PATCH 2/4] added require_client_certs option to sys.config
---
 config/sys.config | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/config/sys.config b/config/sys.config
index c2f3ae4..f11d43b 100644
--- a/config/sys.config
+++ b/config/sys.config
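Review bot: The new `case` in state_from_socket has no clause for `{{error, no_peercert}, true}` (only the commented-out TODO line), so a client that completed the TLS handshake without a certificate while `require_client_certs` is true dies with an anonymous `{case_clause, {{error,no_peercert},true}}` instead of a named reason; add `{{error, no_peercert}, true} -> error(client_cert_required)` so the crash report says why the connection was dropped, and remove the commented-out clause. Whether either no_peercert branch is reachable at all depends on the listener's `verify` / `fail_if_no_peer_cert` ssl options, which are outside this hunk and not touched by the patch: if the listener still sets `fail_if_no_peer_cert`, `require_client_certs = false` is a no-op, and if that is later relaxed the listener must keep `verify_peer` so a certificate that is presented is still validated against the CA before `epp_certs:headers_from_cert/1` turns it into the `SSL-CLIENT-*` headers that downstream presumably treats as authenticated identity. Assigning `Headers` inside each branch is a variable exported from `case` (the compiler warns about it); bind it once as `Headers = case {ssl:peercert(Socket), require_client_certs()} of ... end` with each branch returning its list.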
@@ -17,6 +17,8 @@
 {epp_session_url, "https://registry.test/epp/session/"},
 {epp_command_url, "https://registry.test/epp/command/"},
 {epp_error_url, "https://registry.test/epp/error/"},
+ %% Allows client to connect to epp_proxy without client certificate using TLS
+ {require_client_certs, true},
 %% Path to root CA that should check the client certificates.
 {cacertfile_path, "/opt/shared/ca/certs/ca.crt.pem"},
 %% Path to server's certficate file.
From c6a54750d7a01ff3c0ee7e710c9fce229b04b081 Mon Sep 17 00:00:00 2001
From: lidakaml <52534475+lidakaml@users.noreply.github.com>
Date: Tue, 7 Jun 2022 17:33:54 +0300
Subject: [PATCH 3/4] if require_client_certs does not exist, require client certs by default
---
 apps/epp_proxy/src/epp_tls_worker.erl | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/apps/epp_proxy/src/epp_tls_worker.erl b/apps/epp_proxy/src/epp_tls_worker.erl
index 4e22287..a8bf673 100644
--- a/apps/epp_proxy/src/epp_tls_worker.erl
+++ b/apps/epp_proxy/src/epp_tls_worker.erl
@@ -172,7 +172,8 @@ log_opened_connection(Ip) ->
 require_client_certs() ->
 case application:get_env(epp_proxy, require_client_certs) of
 {ok, false} -> false;
- {ok, true} -> true
+ {ok, true} -> true;
+ _ -> true
 end.
 %% Extract state info from socket. Fail if you must.
From 269aef9f24d787f6c3738dfd291af147f2273dfb Mon Sep 17 00:00:00 2001
From: lidakaml <52534475+lidakaml@users.noreply.github.com>
Date: Tue, 7 Jun 2022 17:51:39 +0300
Subject: [PATCH 4/4] add require_client_certs description in readme.md
---
 README.md | 25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)
diff --git a/README.md b/README.md
index 65db7f1..c66406b 100644
--- a/README.md
+++ b/README.md
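Review bot: The comment added above `{require_client_certs, true}` describes what the `false` value does while the value actually set is `true`, so a reader of sys.config gets the inverted meaning. Reword it to state both settings, e.g. `%% Set to false to let TLS clients connect without a client certificate; true (the default) requires one.`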
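Review bot: The new `_ -> true` clause in require_client_certs also maps a mistyped or wrongly typed value such as `{require_client_certs, "false"}` or `fasle` to `true`, so a configuration mistake is silently read as the strict setting rather than reported. That is the safe direction, but if the intent is only to default a missing key, `undefined -> true` is the precise clause and leaves a malformed value to fail with `case_clause` on the first connection, where it is visible in the log. The `{ok, true} -> true` clause then becomes the only place a valid `true` is accepted, which is what the commit message describes.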
@@ -107,18 +107,19 @@ of Erlang property list.
 *Configuration variables*
-| Variable name | Expected values | Apache equivalent | Definition
------------------------|------------------------------------|-----------------------|--------------------------------------------
-| `dev_mode` | `true`, `false` | None | Enables TCP access without TLS.
-| `tls_port` | `700` | Listen | At which port should we open a TLS socket. Default is 700.
-| `tcp_port` | `70000` | Listen | At which port should we open a TCP socket. Only in `dev_mode`.
-| `epp_session_url` | `https://example.com/epp/session` | EppSessionRoot | HTTP address of the session endpoints including schema and port.
-| `epp_command_url` | `https://example.com/epp/command` | EppCommandRoot | HTTP address of the command endpoints including schema and port.
-| `epp_error_url` | `https://example.com/epp/error` | EppErrorRoot | HTTP address of the error endpoints including schema and port.
-| `cacertfile_path` | `/opt/ca/ca.crt.pem` | SSLCACertificateFile | Where is the client root CA located. Can be inside apps/epp_proxy/priv or absolute path.
-| `certfile_path` | `/opt/ca/server.crt.pem` | SSLCertificateFile | Where is the server certificate located. Can be inside apps/epp_proxy/priv or absolute path.
-| `keyfile_path` | `/opt/ca/server.key.pem` | SSLCertificateKeyFile | Where is the server key located. Can be inside apps/epp_proxy/priv or absolute path.
-| `crlfile_path` | `/opt/ca/crl.pem` | SSLCARevocationFile | Where is the CRL file located. Can be inside apps/epp_proxy/priv or absolute path. When not set, not CRL check is performed.
+| Variable name | Expected values | Apache equivalent | Definition
+-------------------------|------------------------------------|-----------------------|--------------------------------------------
+| `dev_mode` | `true`, `false` | None | Enables TCP access without TLS.
+| `tls_port` | `700` | Listen | At which port should we open a TLS socket. Default is 700.
+| `tcp_port` | `70000` | Listen | At which port should we open a TCP socket. Only in `dev_mode`.
+| `epp_session_url` | `https://example.com/epp/session` | EppSessionRoot | HTTP address of the session endpoints including schema and port.
+| `epp_command_url` | `https://example.com/epp/command` | EppCommandRoot | HTTP address of the command endpoints including schema and port.
+| `epp_error_url` | `https://example.com/epp/error` | EppErrorRoot | HTTP address of the error endpoints including schema and port.
+| `require_client_certs` | `true`, `false` | None | Enables TLS connections with required or optional client certificates. Provided optional client certificates are still being verified.
+| `cacertfile_path` | `/opt/ca/ca.crt.pem` | SSLCACertificateFile | Where is the client root CA located. Can be inside apps/epp_proxy/priv or absolute path.
+| `certfile_path` | `/opt/ca/server.crt.pem` | SSLCertificateFile | Where is the server certificate located. Can be inside apps/epp_proxy/priv or absolute path.
+| `keyfile_path` | `/opt/ca/server.key.pem` | SSLCertificateKeyFile | Where is the server key located. Can be inside apps/epp_proxy/priv or absolute path.
+| `crlfile_path` | `/opt/ca/crl.pem` | SSLCARevocationFile | Where is the CRL file located. Can be inside apps/epp_proxy/priv or absolute path. When not set, not CRL check is performed.
 Migrating from mod_epp