hook default verification level from debug/experimental

Signed-off-by: Caolán McNamara <caolan.mcnamara@collabora.com>
Change-Id: I138aeca51247cb173b1639cc4f5033ad9ce3265b
Caolán McNamara 2024-05-28 12:12:45 +01:00 committed by Andras Timar
parent bcc4a77408
commit 4346c2fdd3
6 changed files with 26 additions and 6 deletions


@ -40,6 +40,9 @@
/* Whether to enable SSL */
#undef ENABLE_SSL
/* Whether to default to using SSL_VERIFY_PEER */
#undef SSL_VERIFY
/* Whether to enable support key */
#undef ENABLE_SUPPORT_KEY


@ -426,6 +426,7 @@ experimental_msg="disabled by default"
bundle_msg="using uglified bundled JS and CSS"
LOK_LOG_ASSERTIONS=0
log_asserts_msg="disabled"
SSL_VERIFY="true"
# a reasonable default
NUM_PRESPAWN_CHILDREN=4
@ -443,6 +444,7 @@ if test "$enable_debug" = "yes"; then
COOLWSD_ANONYMIZE_USER_DATA=false
BROWSER_LOGGING="true"
debug_msg="low security debugging mode"
SSL_VERIFY="false"
# helps attaching to the right process
NUM_PRESPAWN_CHILDREN=1
@ -520,9 +522,15 @@ fi
if test "$enable_experimental" = "yes" ; then
ENABLE_EXPERIMENTAL=true
experimental_msg="enabled by default"
SSL_VERIFY="false"
fi
AC_SUBST(ENABLE_EXPERIMENTAL)
AC_MSG_CHECKING([if ssl verification is enabled by default])
AC_MSG_RESULT([$SSL_VERIFY])
AC_DEFINE_UNQUOTED([SSL_VERIFY],["$SSL_VERIFY"],[Default SSL Verification mode])
AC_SUBST(SSL_VERIFY)
dnl check for a file at a path with an env-var with a given suffix
AC_DEFUN([CHK_FILE_VAR], dnl env-var, suffix, file-to-match, msg
[
@ -1301,7 +1309,7 @@ AC_SUBST(LIBPFM_LIBS)
ENABLE_SSL=true
if test "$enable_ssl" != "no" -a "$mobile_app" != "true"; then
ssl_msg="ssl enabled"
ssl_msg="ssl enabled. cert verification: $SSL_VERIFY"
ENABLE_SSL=true
AC_DEFINE([ENABLE_SSL],1,[Whether to enable SSL])
else
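Review bot: `--enable-experimental` now sets `SSL_VERIFY="false"` just as `--enable-debug` does, but the debug branch at least announces "low security debugging mode" while `experimental_msg` still reads "enabled by default". The only trace of the weaker default is the `ssl_msg` suffix in the last hunk. Because this value feeds both the generated config file and the compiled-in default, I would make it loud at configure time, e.g. `AS_IF([test "$SSL_VERIFY" = "false"], [AC_MSG_WARN([certificate verification is disabled by default in this build])])` right after the `AC_MSG_RESULT`. A one-line comment next to each `SSL_VERIFY="false"` assignment explaining why that build type relaxes verification would also help.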


@ -197,6 +197,7 @@
<cert_file_path desc="Path to the cert file" relative="false">/etc/coolwsd/cert.pem</cert_file_path>
<key_file_path desc="Path to the key file" relative="false">/etc/coolwsd/key.pem</key_file_path>
<ca_file_path desc="Path to the ca file" relative="false">/etc/coolwsd/ca-chain.cert.pem</ca_file_path>
<ssl_verification desc="Enable or disable SSL verification. You may have to disable it in test environments with self-signed certificates." type="string" default="@SSL_VERIFY@">@SSL_VERIFY@</ssl_verification>
<cipher_list desc="List of OpenSSL ciphers to accept" default="ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"></cipher_list>
<hpkp desc="Enable HTTP Public key pinning" enable="false" report_only="false">
<max_age desc="HPKP's max-age directive - time in seconds browser should remember the pins" enable="true">1000</max_age>
@ -265,7 +266,8 @@
<enable type="bool" desc="If as_scheme is false or not set, this can be set to force SSL encryption between storage and coolwsd. When empty this defaults to following the ssl.enable setting"></enable>
<cert_file_path desc="Path to the cert file. When empty this defaults to following the ssl.cert_file_path setting" relative="false"></cert_file_path>
<key_file_path desc="Path to the key file. When empty this defaults to following the ssl.key_file_path settinge" relative="false"></key_file_path>
<ca_file_path desc="Path to the ca file. When empty this defaults to following the ssl.ca_file_path setting. If either are not empty, then SSL verification will be strict, otherwise cert of storage (WOPI-like host) will not be verified." relative="false"></ca_file_path>
<ca_file_path desc="Path to the ca file. When empty this defaults to following the ssl.ca_file_path setting" relative="false"></ca_file_path>
<ssl_verification desc="Enable or disable SSL verification for storage. If true SSL verification will be strict, otherwise cert of storage (WOPI-like host) will not be verified. For backwards compatibility if this is empty then the default is false if both storage.ssl.ca_file_path and ssl.ca_file_path are empty, otherwise this defaults to following the ssl.ssl_verification setting"></ssl_verification>
<cipher_list desc="List of OpenSSL ciphers to accept. If empty the defaults are used. These can be overridden only if absolutely needed."></cipher_list>
</ssl>
</storage>
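Review bot: `ssl.ssl_verification` is declared `type="string"` although it holds true/false and is read with a bool accessor elsewhere in this commit, and the new `storage.ssl.ssl_verification` element carries no `type` at all, while the neighbouring `storage.ssl.enable` uses `type="bool"`. Unless the string type is needed for the `@SSL_VERIFY@` substitution, I would mark both as `type="bool"` so the schema matches how the value is consumed. The `desc` of the first element could also state the consequence plainly, e.g. "When false the peer certificate is not checked; use only in test environments with self-signed certificates."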


@ -189,7 +189,8 @@ SslContext::SslContext(const std::string& certFilePath, const std::string& keyFi
}
}
SSL_CTX_set_verify(_ctx, SSL_VERIFY_PEER, nullptr /*&verifyServerCallback*/);
const int sslVerifyMode = _verification == ssl::CertificateVerification::Disabled ? SSL_VERIFY_NONE : SSL_VERIFY_PEER;
SSL_CTX_set_verify(_ctx, sslVerifyMode, nullptr /*&verifyServerCallback*/);
SSL_CTX_set_cipher_list(_ctx, cipherList.c_str());
SSL_CTX_set_verify_depth(_ctx, 9);
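Review bot: When `_verification` is `Disabled` the context is switched to `SSL_VERIFY_NONE` without leaving any trace. A deployment that inherited the relaxed default from a debug or experimental build therefore gets no runtime hint that peer certificates are not being checked. I would log it once where the mode is chosen, e.g. `if (sslVerifyMode == SSL_VERIFY_NONE) LOG_WRN("SSL certificate verification is disabled for this context");`, assuming the logging macros are reachable from this file. The constructor begins and ends outside this hunk, so where `_verification` is assigned cannot be checked from here.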


@ -2049,6 +2049,7 @@ void COOLWSD::innerInitialize(Application& self)
{ "ssl.sts.max_age", "31536000" },
{ "ssl.key_file_path", COOLWSD_CONFIGDIR "/key.pem" },
{ "ssl.termination", "true" },
{ "ssl.ssl_verification", SSL_VERIFY },
{ "stop_on_config_change", "false" },
{ "storage.filesystem[@allow]", "false" },
// "storage.ssl.enable" - deliberately not set; for back-compat


@ -141,7 +141,11 @@ void StorageBase::initialize()
sslClientParams.caLocation = COOLWSD::getPathFromConfigWithFallback("storage.ssl.ca_file_path", "ssl.ca_file_path");
sslClientParams.cipherList = COOLWSD::getPathFromConfigWithFallback("storage.ssl.cipher_list", "ssl.cipher_list");
sslClientParams.verificationMode = (sslClientParams.caLocation.empty() ? Poco::Net::Context::VERIFY_NONE : Poco::Net::Context::VERIFY_STRICT);
const bool caLocationEmpty = sslClientParams.caLocation.empty();
// Fallback to false if caLocation is empty for back compatibility, otherwise inherit from ssl.ssl_verification
const bool sslVerification = caLocationEmpty ? false : COOLWSD::getConfigValue<bool>("ssl.ssl_verification", true);
sslClientParams.verificationMode = !sslVerification ? Poco::Net::Context::VERIFY_NONE : Poco::Net::Context::VERIFY_STRICT;
sslClientParams.loadDefaultCAs = true;
}
else
@ -162,8 +166,9 @@ void StorageBase::initialize()
ssl::Manager::initializeClientContext(
sslClientParams.certificateFile, sslClientParams.privateKeyFile, sslClientParams.caLocation,
sslClientParams.cipherList,
sslClientParams.caLocation.empty() ? ssl::CertificateVerification::Disabled
: ssl::CertificateVerification::Required);
sslClientParams.verificationMode == Poco::Net::Context::VERIFY_NONE
? ssl::CertificateVerification::Disabled
: ssl::CertificateVerification::Required);
if (!ssl::Manager::isClientContextInitialized())
LOG_ERR("Failed to initialize Client SSL.");
else
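Review bot: The first hunk computes `sslVerification` from `ssl.ssl_verification` only, so the new `storage.ssl.ssl_verification` key documented in the config template is never read in the visible lines. An operator who sets it to true with an empty CA path would still get `VERIFY_NONE`, and setting it to false with a CA path configured would not relax anything. If the storage key is meant to override, keep the back-compat value as the fallback: `const bool inherited = caLocationEmpty ? false : COOLWSD::getConfigValue<bool>("ssl.ssl_verification", true);` followed by `const bool sslVerification = COOLWSD::getConfigValue<bool>("storage.ssl.ssl_verification", inherited);`. Please confirm first that an empty element falls through to the default in `getConfigValue<bool>`. It would also be worth logging a warning when the result is `VERIFY_NONE`, since that silently turns off verification of the storage host's certificate. `StorageBase::initialize()` extends beyond both hunks.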