Posted to dev@trafficserver.apache.org by Christopher Reynolds <Ch...@Clearswift.com> on 2018/04/10 15:03:23 UTC

TS_SSL_SERVER_VERIFY_HOOK questions

Hi,

I am trying to use this hook in version 7.1.2 of Traffic Server. I have backported the commit (https://github.com/apache/trafficserver/commit/00cf3d3b555a8d277831a9b49e1c293541a08724) and it is called from within the verify_callback function in SSLClientUtils. I have some questions though.


1. I cannot seem to get hold of the certificate in my plugin using the hook. I can get the SSL object but then both SSL_get_certificate and SSL_get_peer_certificate return null. I have worked around this by using the SSL_set_ex_data function in verify_callback to set the X509_STORE_CTX which the certificate is contained within. Is there an easier way of obtaining this certificate?

2. I could not work out how to fail the validation in my hook. For example, if I do not like the certificate, how do I indicate this? Again I used SSL_set_ex_data in the plugin hook, this time to indicate a failure, which was then read in verify_callback after netvc->callHooks(TS_EVENT_SSL_SERVER_VERIFY_HOOK), and then returning 0 from the function. Is there another way? I did try to use SSL_set_verify_result and also setting the return code to TS_ERROR, but neither had an effect.

3. Linked to 2. Is there a way of customizing the error page that occurs when verification fails?

4. Are there any plans to set the level of validation through the API? For example, choosing whether the certificate chain or expiry should be checked. At the moment the TS_SSL_SERVER_VERIFY_HOOK is called after these checks.

Also note that I (chrisr-cs) raised the issue of the crash when TLS verification occurs in v8 on IRC - unfortunately due to networking problems I could not read the responses until today using the log feature. Thank you for raising the issue for me.

Thank you in advance for looking at these questions.



Christopher Reynolds

Principal Software Engineer
