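diff --git a/src/plugins/apache-httpd/etc/httpd/conf.d/zlcgdm-dav.conf.in b/src/plugins/apache-httpd/etc/httpd/conf.d/zlcgdm-dav.conf.in
index 8d7d471b..062979ec 100644
--- a/src/plugins/apache-httpd/etc/httpd/conf.d/zlcgdm-dav.conf.in
+++ b/src/plugins/apache-httpd/etc/httpd/conf.d/zlcgdm-dav.conf.in
@@ -175,7 +175,9 @@ DiskDMLite /etc/dmlite-disk.conf
 # Trusted certificates for TPC connection to remote storage
 #DiskSSLCACertificatePath /etc/grid-security/certificates
 #DiskSSLCACertificateFile
+ #DiskSSLCARevocationPath /etc/grid-security/certificates
 #DiskSSLCARevocationFile
+ #DiskSSLCARevocationCheck chain
 
 # Terminate slow (stuck) transfers if bytes transferred
 # in given time window is smaller then configured tresholds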
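diff --git a/src/plugins/apache-httpd/src/client/htext.h b/src/plugins/apache-httpd/src/client/htext.h
index 1303e77e..fcf33f79 100644
--- a/src/plugins/apache-httpd/src/client/htext.h
+++ b/src/plugins/apache-httpd/src/client/htext.h
@@ -44,6 +44,7 @@ typedef enum
 
 HTEXTOP_CAPATH, /* CA Path */
 HTEXTOP_CAFILE, /* CA File */
+ HTEXTOP_CRLPATH, /* CRL Path */
 HTEXTOP_CRLFILE, /* CRL File */
 HTEXTOP_VERIFYPEER, /* Validate (!0) or not (0) the remote certificate */
 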
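diff --git a/src/plugins/apache-httpd/src/client/htext_api.c b/src/plugins/apache-httpd/src/client/htext_api.c
index 1c3df75c..09a3fa3f 100644
--- a/src/plugins/apache-httpd/src/client/htext_api.c
+++ b/src/plugins/apache-httpd/src/client/htext_api.c
@@ -72,6 +72,7 @@ static option_entry option_definitions[] = {
 
 { OT_STRING, (option_value) NULL }, /* HTEXTOP_CAPATH */
 { OT_STRING, (option_value) NULL }, /* HTEXTOP_CAFILE */
+ { OT_STRING, (option_value) NULL }, /* HTEXTOP_CRLPATH */
 { OT_STRING, (option_value) NULL }, /* HTEXTOP_CRLFILE */
 { OT_INT, (option_value) 1 }, /* HTEXTOP_VERIFYPEER */
 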
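diff --git a/src/plugins/apache-httpd/src/client/htext_common.c b/src/plugins/apache-httpd/src/client/htext_common.c
index 34a28353..4b7c9dc9 100644
--- a/src/plugins/apache-httpd/src/client/htext_common.c
+++ b/src/plugins/apache-httpd/src/client/htext_common.c
@@ -21,6 +21,7 @@
 #define _GNU_SOURCE
 #include <ctype.h>
 #include <curl/curl.h>
+#include <openssl/ssl.h>
 #include <stdarg.h>
 #include <stdlib.h>
 #include <string.h>
@@ -121,6 +122,32 @@ int htext_error(htext_handle *handle, const char *fmt, ...)
 return n;
 }
 
+CURLcode htext_sslctx_callback(CURL *curl, void *ssl_ctx, void *pp)
+{
+ X509_STORE *store = SSL_CTX_get_cert_store((SSL_CTX*)ssl_ctx);
+ htext_chunk *partial = (htext_chunk*) pp;
+ const char *capath = GETSTR(partial->handle, HTEXTOP_CAPATH);
+ const char *crlpath = GETSTR(partial->handle, HTEXTOP_CRLPATH);
+
+ if (!crlpath) return CURLE_OK;
+
+ if (!store) {
+ htext_log(partial->handle, "unable to get SSL storage");
+ return CURLE_BAD_FUNCTION_ARGUMENT;
+ }
+
+ if (!capath || strcmp(capath, crlpath)) {
+ if (!X509_STORE_load_locations(store, NULL, crlpath)) {
+ htext_log(partial->handle, "unable to load X.509 CRL from %s", crlpath);
+ return CURLE_BAD_FUNCTION_ARGUMENT;
+ }
+ }
+
+ X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
+
+ return CURLE_OK;
+}
+
 size_t htext_header_callback(void *buffer, size_t size, size_t nmemb, void *st)
 {
 htext_chunk *partial = (htext_chunk*) st;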
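Review bot: `pp` is dereferenced unconditionally (`partial->handle` on the two GETSTR lines), yet htext_get.c in this same commit resets `CURLOPT_SSL_CTX_DATA` to NULL on a handle that keeps this callback installed, so any later TLS connection on that handle would crash here; guard it with the error code the function already uses, `if (!partial) return CURLE_BAD_FUNCTION_ARGUMENT;` right after the cast, which stays fail-closed instead of silently skipping the CRL lookup. The `!capath || strcmp(capath, crlpath)` shortcut presumably relies on the directory lookup libcurl installs for CURLOPT_CAPATH also serving the CRLs when both point at the same directory; that assumption deserves a comment, e.g. `/* same directory as CAPATH: libcurl already registered it as a lookup, skip the second load */`. `X509_V_FLAG_CRL_CHECK_ALL` makes verification fail whenever any CA in the chain has no CRL available, which is the intended fail-closed behaviour for a revocation check but is worth stating next to the flag so it is not "fixed" later. `curl` is unused, so `(void) curl;` would match the `(void) cmd;` idiom used in mod_lcgdm_disk.c, and the two failure messages go through `htext_log` although the file also has `htext_error`.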
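diff --git a/src/plugins/apache-httpd/src/client/htext_copy.c b/src/plugins/apache-httpd/src/client/htext_copy.c
index 88c4aacd..36b04f75 100644
--- a/src/plugins/apache-httpd/src/client/htext_copy.c
+++ b/src/plugins/apache-httpd/src/client/htext_copy.c
@@ -203,6 +203,9 @@ void *htext_copy_method(void *h)
 curl_easy_setopt(curl, CURLOPT_USERAGENT, GETSTR(handle, HTEXTOP_CLIENTID));
 curl_easy_setopt(curl, CURLOPT_CAPATH, GETSTR(handle, HTEXTOP_CAPATH));
 curl_easy_setopt(curl, CURLOPT_CAINFO, GETSTR(handle, HTEXTOP_CAFILE));
+ // CURL doesn't provide direct interface for "CRLPATH", use openssl context directly
+ curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, htext_sslctx_callback);
+ curl_easy_setopt(curl, CURLOPT_SSL_CTX_DATA, &control);
 curl_easy_setopt(curl, CURLOPT_CRLFILE, GETSTR(handle, HTEXTOP_CRLFILE));
 curl_easy_setopt(curl, CURLOPT_SSLCERT,
 GETSTR(handle, HTEXTOP_USERCERTIFICATE));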
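Review bot: `CURLOPT_SSL_CTX_DATA` is pointed at `control`, and `htext_sslctx_callback` (htext_common.c in this commit) reads `->handle` through that pointer, so `control.handle` must already be set when the first TLS connection is made and `control` must outlive every TLS connection on this handle; neither is visible here, as htext_copy_method continues outside the hunk, so a comment on this line would help, e.g. `/* control.handle is read by htext_sslctx_callback at TLS setup */`. Unlike htext_get.c, no reset of `CURLOPT_SSL_CTX_DATA` after `control` goes out of scope appears in this file; if the handle is reused after that point the callback would follow a dangling pointer, so either reset it the same way or document why the handle is not reused.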
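diff --git a/src/plugins/apache-httpd/src/client/htext_get.c b/src/plugins/apache-httpd/src/client/htext_get.c
index 0fb49bde..310c773b 100644
--- a/src/plugins/apache-httpd/src/client/htext_get.c
+++ b/src/plugins/apache-httpd/src/client/htext_get.c
@@ -51,6 +51,7 @@ static void* htext_get_subthread(void *pp)
 GETIO(partial->handle)->write);
 curl_easy_setopt(partial->curl, CURLOPT_WRITEDATA, partial->fd);
 curl_easy_setopt(partial->curl, CURLOPT_DEBUGDATA, partial);
+ curl_easy_setopt(partial->curl, CURLOPT_SSL_CTX_DATA, partial);
 
 /* Range */
 if (partial->nchunks > 1) {
@@ -89,6 +90,8 @@ void *htext_get_method(void *h)
 curl_easy_setopt(curl, CURLOPT_USERAGENT, GETSTR(handle, HTEXTOP_CLIENTID));
 curl_easy_setopt(curl, CURLOPT_CAPATH, GETSTR(handle, HTEXTOP_CAPATH));
 curl_easy_setopt(curl, CURLOPT_CAINFO, GETSTR(handle, HTEXTOP_CAFILE));
+ // CURL doesn't provide direct interface for "CRLPATH", use openssl context directly
+ curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, htext_sslctx_callback);
 curl_easy_setopt(curl, CURLOPT_CRLFILE, GETSTR(handle, HTEXTOP_CRLFILE));
 curl_easy_setopt(curl, CURLOPT_SSLCERT,
 GETSTR(handle, HTEXTOP_USERCERTIFICATE));
@@ -136,6 +139,7 @@ void *htext_get_method(void *h)
 curl_easy_setopt(curl, CURLOPT_HEADERDATA, &head;;
 curl_easy_setopt(curl, CURLOPT_HTTPHEADER, head.headers);
 curl_easy_setopt(curl, CURLOPT_DEBUGDATA, &head;;
+ curl_easy_setopt(curl, CURLOPT_SSL_CTX_DATA, &head;;
 
 handle->status = HTEXTS_WAITING;
 htext_log(handle, "Asking for the size");
@@ -152,6 +156,12 @@ void *htext_get_method(void *h)
 curl_easy_setopt(curl, CURLOPT_URL, head.location);
 }
 
+ /* Explicitly reset pointers to released head data structure */
+ curl_easy_setopt(curl, CURLOPT_HEADERDATA, NULL);
+ curl_easy_setopt(curl, CURLOPT_HTTPHEADER, NULL);
+ curl_easy_setopt(curl, CURLOPT_DEBUGDATA, NULL);
+ curl_easy_setopt(curl, CURLOPT_SSL_CTX_DATA, NULL);
+
 htext_partial_clean(&head;;
 }
 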
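Review bot: `CURLOPT_SSL_CTX_DATA` is set on `partial->curl` in htext_get_subthread, but no `CURLOPT_SSL_CTX_FUNCTION` is set on that handle in this hunk, so whether the CRL lookup actually runs for the chunk transfers depends on how `partial->curl` is created (inherited if it is a `curl_easy_duphandle` of the main handle, absent if it comes from `curl_easy_init`); that is not visible here, since htext_get_subthread starts before the hunk. Making it explicit costs one line next to the data pointer, `curl_easy_setopt(partial->curl, CURLOPT_SSL_CTX_FUNCTION, htext_sslctx_callback);`, and removes a silent way for revocation checking to be skipped on the data connections. The same applies to htext_put_subthread in htext_put.c below. The reset block at the end of htext_get_method clears `CURLOPT_SSL_CTX_DATA` but leaves the callback installed, so `htext_sslctx_callback` has to tolerate a NULL `pp` if the handle performs any further TLS connection.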
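diff --git a/src/plugins/apache-httpd/src/client/htext_private.h b/src/plugins/apache-httpd/src/client/htext_private.h
index 0a406df7..49c6c60a 100644
--- a/src/plugins/apache-httpd/src/client/htext_private.h
+++ b/src/plugins/apache-httpd/src/client/htext_private.h
@@ -187,6 +187,15 @@ int htext_log(htext_handle *handle, const char *fmt, ...);
 */
 int htext_error(htext_handle *handle, const char *fmt, ...);
 
+/**
+ * Called by Curl every time a line of the header needs to be processed
+ * @param curl The CURL handle calling
+ * @param ssl_ctx The SSL library context
+ * @param pp A pointer to a htext_partial structure
+ * @return Continue with SSL connection or return error
+ */
+CURLcode htext_sslctx_callback(CURL *curl, void *ssl_ctx, void *pp);
+
 /**
 * Called by Curl every time a line of the header needs to be processed
 * @param buffer Where the data is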
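Review bot: The new doc comment for `htext_sslctx_callback` is copied from `htext_header_callback` and describes the wrong event: `Called by Curl every time a line of the header needs to be processed` should read along the lines of `Called by Curl once the SSL_CTX of a connection has been created and before the TLS handshake, to install the CRL lookup and verification flags`. `@param pp A pointer to a htext_partial structure` also does not match the implementation in htext_common.c, which casts `pp` to `htext_chunk *` and reads its `handle` member, and `@return` should name the values actually returned, `CURLE_OK` to continue and `CURLE_BAD_FUNCTION_ARGUMENT` to abort the connection when the certificate store cannot be obtained or the CRL directory cannot be loaded. Stating the abort semantics in the header matters here because it is what makes the revocation check fail closed.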
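diff --git a/src/plugins/apache-httpd/src/client/htext_put.c b/src/plugins/apache-httpd/src/client/htext_put.c
index 0c3e4c1d..a23f0c0e 100644
--- a/src/plugins/apache-httpd/src/client/htext_put.c
+++ b/src/plugins/apache-httpd/src/client/htext_put.c
@@ -101,6 +101,7 @@ static void* htext_put_subthread(void *pp)
 curl_easy_setopt(partial->curl, CURLOPT_READDATA, partial);
 curl_easy_setopt(partial->curl, CURLOPT_IOCTLDATA, partial);
 curl_easy_setopt(partial->curl, CURLOPT_DEBUGDATA, partial);
+ curl_easy_setopt(partial->curl, CURLOPT_SSL_CTX_DATA, partial);
 
 /* Range (not for last empty PUT) */
 if (partial->nchunks > 1 && partial->index >= 0) {
@@ -154,6 +155,8 @@ void *htext_put_method(void *h)
 curl_easy_setopt(curl, CURLOPT_USERAGENT, GETSTR(handle, HTEXTOP_CLIENTID));
 curl_easy_setopt(curl, CURLOPT_CAPATH, GETSTR(handle, HTEXTOP_CAPATH));
 curl_easy_setopt(curl, CURLOPT_CAINFO, GETSTR(handle, HTEXTOP_CAFILE));
+ // CURL doesn't provide direct interface for "CRLPATH", use openssl context directly
+ curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, htext_sslctx_callback);
 curl_easy_setopt(curl, CURLOPT_CRLFILE, GETSTR(handle, HTEXTOP_CRLFILE));
 curl_easy_setopt(curl, CURLOPT_SSLCERT, GETSTR(handle, HTEXTOP_USERCERTIFICATE));
 curl_easy_setopt(curl, CURLOPT_SSLKEY, GETSTR(handle, HTEXTOP_USERPRIVKEY));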
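diff --git a/src/plugins/apache-httpd/src/mod_lcgdm_disk/copy.c b/src/plugins/apache-httpd/src/mod_lcgdm_disk/copy.c
index dd586da6..f3fd2caa 100644
--- a/src/plugins/apache-httpd/src/mod_lcgdm_disk/copy.c
+++ b/src/plugins/apache-httpd/src/mod_lcgdm_disk/copy.c
@@ -465,8 +465,14 @@ static dav_error *dav_disk_generic_copy(const dav_resource* res, const char* upr
 if (d_conf->capath) {
 htext_setopt(handle, HTEXTOP_CAPATH, d_conf->capath);
 }
- if (d_conf->crlfile) {
- htext_setopt(handle, HTEXTOP_CRLFILE, d_conf->crlfile);
+ if (d_conf->crlcheck && strcmp("chain", d_conf->crlcheck))
+ {
+ if (d_conf->crlpath) {
+ htext_setopt(handle, HTEXTOP_CRLPATH, d_conf->crlpath);
+ }
+ if (d_conf->crlfile) {
+ htext_setopt(handle, HTEXTOP_CRLFILE, d_conf->crlfile);
+ }
 }
 if (uproxy || d_conf->capath || d_conf->cafile) {
 htext_setopt(handle, HTEXTOP_VERIFYPEER, 1);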
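Review bot: The condition `if (d_conf->crlcheck && strcmp("chain", d_conf->crlcheck))` is inverted: `strcmp` returns 0 on a match, so the CRL path and file are handed to htext only when DiskSSLCARevocationCheck is not "chain" (i.e. "none"), and with the module default of "chain" set in dav_disk_create_dir_config in this commit the revocation options are never passed at all. It should read `if (d_conf->crlcheck && strcmp("chain", d_conf->crlcheck) == 0)`, matching the `strcmp(...) && strcmp(...)` test in dav_disk_cmd_crlcheck, which correctly treats 0 as equal. A regression test that configures "none" and asserts no HTEXTOP_CRLPATH/HTEXTOP_CRLFILE option is set, and "chain" and asserts both are, would pin this. dav_disk_generic_copy continues outside the hunk.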
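diff --git a/src/plugins/apache-httpd/src/mod_lcgdm_disk/mod_lcgdm_disk.c b/src/plugins/apache-httpd/src/mod_lcgdm_disk/mod_lcgdm_disk.c
index 9529fbc8..2b875028 100644
--- a/src/plugins/apache-httpd/src/mod_lcgdm_disk/mod_lcgdm_disk.c
+++ b/src/plugins/apache-httpd/src/mod_lcgdm_disk/mod_lcgdm_disk.c
@@ -84,7 +84,9 @@ static void *dav_disk_create_dir_config(apr_pool_t *p, char *dir)
 conf->proxy_cache = "/var/proxycache";
 conf->capath = "/etc/grid-security/certificates";
 conf->cafile = NULL;
+ conf->crlpath = "/etc/grid-security/certificates";
 conf->crlfile = NULL;
+ conf->crlcheck = "chain";
 conf->low_speed_time = 2*60;
 conf->low_speed_limit = 10*1024;
 
@@ -261,6 +263,23 @@ static const char *dav_disk_cmd_cafile(cmd_parms *cmd, void *config,
 return NULL ;
 }
 
+/**
+ * Set CRLPath with revocated certificates for TPC
+ * @param cmd Lots of information about the configuration contexts (as pool)
+ * @param config A pointer to the directory configuration
+ * @param arg The CRLPath
+ * @return NULL on success. An error string otherwise
+ */
+static const char *dav_disk_cmd_crlpath(cmd_parms *cmd, void *config,
+ const char *arg)
+{
+ (void) cmd;
+
+ dav_disk_dir_conf *conf = (dav_disk_dir_conf*) config;
+ conf->crlpath = (!arg || !strlen(arg)) ? NULL : arg;
+ return NULL ;
+}
+
 /**
 * Set CRLFile with revocated certificates for TPC
 * @param cmd Lots of information about the configuration contexts (as pool)
@@ -278,6 +297,24 @@ static const char *dav_disk_cmd_crlfile(cmd_parms *cmd, void *config,
 return NULL ;
 }
 
+/**
+ * Set CRL validation for revocated certificates used by TPC
+ * @param cmd Lots of information about the configuration contexts (as pool)
+ * @param config A pointer to the directory configuration
+ * @param arg The configuration
+ * @return NULL on success. An error string otherwise
+ */
+static const char *dav_disk_cmd_crlcheck(cmd_parms *cmd, void *config,
+ const char *arg)
+{
+ if (strcmp("none", arg) && strcmp("chain", arg))
+ return apr_psprintf(cmd->pool, "%s is not a recognised value", arg);
+
+ dav_disk_dir_conf *conf = (dav_disk_dir_conf*) config;
+ conf->crlcheck = arg;
+ return NULL ;
+}
+
 /** Command list (configuration parameters) */
 static const command_rec dav_disk_cmds[] = {
 AP_INIT_TAKE1 ("DiskDMLite", dav_disk_cmd_dmlite, NULL, ACCESS_CONF | RSRC_CONF,
@@ -294,10 +331,12 @@ static const command_rec dav_disk_cmds[] = {
 "SSL CA Certificate path ('/path/to/dir' - contains PEM encoded files)"),
 AP_INIT_TAKE1 ("DiskSSLCACertificateFile", dav_disk_cmd_cafile, NULL, ACCESS_CONF,
 "SSL CA Certificate file ('/path/to/file' - PEM encoded)"),
- //AP_INIT_TAKE1 ("DiskSSLCARevocationPath", dav_disk_cmd_crlpath, NULL, ACCESS_CONF,
- // "SSL CA Certificate Revocation List (CRL) path ('/path/to/dir' - contains PEM encoded files)"),
+ AP_INIT_TAKE1 ("DiskSSLCARevocationPath", dav_disk_cmd_crlpath, NULL, ACCESS_CONF,
+ "SSL CA Certificate Revocation List (CRL) path ('/path/to/dir' - contains PEM encoded files)"),
 AP_INIT_TAKE1 ("DiskSSLCARevocationFile", dav_disk_cmd_crlfile, NULL, ACCESS_CONF,
 "SSL CA Certificate Revocation List (CRL) file ('/path/to/file' - PEM encoded)"),
+ AP_INIT_TAKE1 ("DiskSSLCARevocationCheck", dav_disk_cmd_crlcheck, NULL, ACCESS_CONF,
+ "SSL CA Certificate Revocation List checkging (chain|none)"),
 AP_INIT_TAKE1 ("DiskLowSpeedTime", ap_set_int_slot,
 (void *)APR_OFFSETOF(dav_disk_dir_conf, low_speed_time), ACCESS_CONF,
 "Low speed limit time period in seconds"),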
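Review bot: The help string for the new DiskSSLCARevocationCheck directive, `"SSL CA Certificate Revocation List checkging (chain|none)"`, has a typo and does not say what the two values mean; since `chain` ends up as `X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL` in htext_sslctx_callback, something like `"CRL checking for TPC connections: 'chain' requires a valid CRL for every CA in the chain, 'none' disables it"` tells the administrator what they are switching on or off. The two new doc comments also say `revocated certificates`; `revoked certificates` is the usual term and the `@param arg The configuration` line of dav_disk_cmd_crlcheck could list the accepted values directly, `@param arg "chain" or "none"`. dav_disk_cmd_crlcheck stores `arg` without the empty-string guard dav_disk_cmd_crlpath uses; the `strcmp` test rejects an empty value with an error anyway, so this is only a consistency remark.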
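diff --git a/src/plugins/apache-httpd/src/mod_lcgdm_disk/mod_lcgdm_disk.h b/src/plugins/apache-httpd/src/mod_lcgdm_disk/mod_lcgdm_disk.h
index 42164d74..f2bdaf57 100644
--- a/src/plugins/apache-httpd/src/mod_lcgdm_disk/mod_lcgdm_disk.h
+++ b/src/plugins/apache-httpd/src/mod_lcgdm_disk/mod_lcgdm_disk.h
@@ -60,7 +60,9 @@ struct dav_disk_dir_conf
 const char *delegation_service;
 const char *capath;
 const char *cafile;
+ const char *crlpath;
 const char *crlfile;
+ const char *crlcheck;
 int low_speed_time;
 int low_speed_limit;
 };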
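diff --git a/src/puppet/dmlite/manifests/dav.pp b/src/puppet/dmlite/manifests/dav.pp
index 0518bbe5..9ff82e08 100644
--- a/src/puppet/dmlite/manifests/dav.pp
+++ b/src/puppet/dmlite/manifests/dav.pp
@@ -16,6 +16,8 @@ class dmlite::dav (
 Stdlib::Unixpath $ssl_cert = $dmlite::dav::params::ssl_cert,
 Stdlib::Unixpath $ssl_key = $dmlite::dav::params::ssl_key,
 Stdlib::Unixpath $ssl_capath = $dmlite::dav::params::ssl_capath,
+ Stdlib::Unixpath $ssl_tpc_capath = $dmlite::dav::params::ssl_tpc_capath,
+ Optional[Stdlib::Unixpath] $ssl_tpc_crlpath = $dmlite::dav::params::ssl_tpc_crlpath,
 String $ssl_options = $dmlite::dav::params::ssl_options,
 String $log_error = $dmlite::dav::params::log_error,
 String $log_transfer = $dmlite::dav::params::log_transfer,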
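diff --git a/src/puppet/dmlite/manifests/dav/config.pp b/src/puppet/dmlite/manifests/dav/config.pp
index 1d6eb596..94adea76 100644
--- a/src/puppet/dmlite/manifests/dav/config.pp
+++ b/src/puppet/dmlite/manifests/dav/config.pp
@@ -18,6 +18,8 @@ class dmlite::dav::config (
 $ssl_options = $dmlite::dav::ssl_options,
 $ssl_protocol = $dmlite::dav::ssl_protocol,
 $ssl_ciphersuite = $dmlite::dav::ssl_ciphersuite,
+ $ssl_tpc_capath = $dmlite::dav::ssl_tpc_capath,
+ $ssl_tpc_crlpath = $dmlite::dav::ssl_tpc_crlpath,
 $log_error = $dmlite::dav::log_error,
 $log_transfer = $dmlite::dav::log_transfer,
 $log_level = $dmlite::dav::log_level,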
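diff --git a/src/puppet/dmlite/manifests/dav/params.pp b/src/puppet/dmlite/manifests/dav/params.pp
index f2dcee6e..15b3c449 100644
--- a/src/puppet/dmlite/manifests/dav/params.pp
+++ b/src/puppet/dmlite/manifests/dav/params.pp
@@ -20,6 +20,8 @@ class dmlite::dav::params (
 $ssl_protocol = hiera('dmlite::dav::params::ssl_protocol', 'all -SSLv2 -SSLv3')
 $ssl_ciphersuite = hiera('dmlite::dav::params::ssl_ciphersuite', 'RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5:!RC4')
 $ssl_options = hiera('dmlite::dav::params::ssl_options','+StdEnvVars')
+ $ssl_tpc_capath = hiera('dmlite::dav::params::ssl_tpc_capath', '/etc/grid-security/certificates')
+ $ssl_tpc_crlpath = hiera('dmlite::dav::params::ssl_tpc_crlpath', '/etc/grid-security/certificates')
 $log_error = hiera('dmlite::dav::params::log_error', 'logs/ssl_error_log')
 $log_transfer = hiera('dmlite::dav::params::log_transfer', 'logs/ssl_access_log')
 $log_level = hiera('dmlite::dav::params::log_level','warn')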
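diff --git a/src/puppet/dmlite/templates/dav/zlcgdm-dav.conf b/src/puppet/dmlite/templates/dav/zlcgdm-dav.conf
index 65d8e165..64565ccf 100644
--- a/src/puppet/dmlite/templates/dav/zlcgdm-dav.conf
+++ b/src/puppet/dmlite/templates/dav/zlcgdm-dav.conf
@@ -206,14 +206,23 @@ DiskDMLite <%= @dmlite_disk_conf %>
 # CGI, it allways has to be DocumentRoot/../proxycache
 DiskProxyCache /var/www/proxycache
 
- <% if @dav_http_port.to_i != 80 or @dav_https_port.to_i != 443 -%>
+<% if @dav_http_port.to_i != 80 or @dav_https_port.to_i != 443 -%>
 NSRedirectPort <%= @dav_http_port %> <%= @dav_https_port %>
- <% end -%>
+<% end -%>
 
 # Trusted certificates for TPC connection to remote storage
+<% if @ssl_tpc_capath -%>
+ DiskSSLCACertificatePath <%= @ssl_tpc_capath %>
+<% else -%>
 #DiskSSLCACertificatePath /etc/grid-security/certificates
- #DiskSSLCACertificateFile
- #DiskSSLCARevocationFile
+<% end -%>
+<% if @ssl_tpc_crlpath -%>
+ DiskSSLCARevocationPath <%= @ssl_tpc_crlpath %>
+ DiskSSLCARevocationCheck chain
+<% else -%>
+ #DiskSSLCARevocationPath /etc/grid-security/certificates
+ DiskSSLCARevocationCheck none
+<% end -%>
 
 # Terminate slow (stuck) transfers if bytes transferred
 # in given time window is smaller then configured tresholds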
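Review bot: When `$ssl_tpc_crlpath` is unset, the else branch emits `DiskSSLCARevocationCheck none`, which switches revocation checking off entirely, whereas the module itself (mod_lcgdm_disk.c in this commit) defaults to crlpath `/etc/grid-security/certificates` with check `chain`; a Puppet-managed host that clears the parameter therefore ends up with weaker TPC certificate validation than an unmanaged one, and the template should say so next to that line, e.g. `# No CRL directory configured: revocation checks for TPC are disabled; set dmlite::dav::params::ssl_tpc_crlpath to enable them`. The `<% else -%>` branch for `@ssl_tpc_capath` looks unreachable, since dav.pp in this commit declares `$ssl_tpc_capath` as a non-optional `Stdlib::Unixpath` and params.pp gives it a default; either type it `Optional[Stdlib::Unixpath]` like `$ssl_tpc_crlpath` or drop the branch so the template does not suggest a mode that cannot occur.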