diff --git a/src/plugins/apache-httpd/etc/httpd/conf.d/zlcgdm-dav.conf.in b/src/plugins/apache-httpd/etc/httpd/conf.d/zlcgdm-dav.conf.in
index 8d7d471b..062979ec 100644
--- a/src/plugins/apache-httpd/etc/httpd/conf.d/zlcgdm-dav.conf.in
+++ b/src/plugins/apache-httpd/etc/httpd/conf.d/zlcgdm-dav.conf.in
@@ -175,7 +175,9 @@ DiskDMLite /etc/dmlite-disk.conf
   # Trusted certificates for TPC connection to remote storage
   #DiskSSLCACertificatePath /etc/grid-security/certificates
   #DiskSSLCACertificateFile
+  #DiskSSLCARevocationPath /etc/grid-security/certificates
   #DiskSSLCARevocationFile
+  #DiskSSLCARevocationCheck chain
 
   # Terminate slow (stuck) transfers if bytes transferred
   # in given time window is smaller then configured tresholds
diff --git a/src/plugins/apache-httpd/src/client/htext.h b/src/plugins/apache-httpd/src/client/htext.h
index 1303e77e..fcf33f79 100644
--- a/src/plugins/apache-httpd/src/client/htext.h
+++ b/src/plugins/apache-httpd/src/client/htext.h
@@ -44,6 +44,7 @@ typedef enum
 
     HTEXTOP_CAPATH, /* CA Path */
     HTEXTOP_CAFILE, /* CA File */
+    HTEXTOP_CRLPATH, /* CRL Path */
     HTEXTOP_CRLFILE, /* CRL File */
     HTEXTOP_VERIFYPEER, /* Validate (!0) or not (0) the remote certificate */
 
diff --git a/src/plugins/apache-httpd/src/client/htext_api.c b/src/plugins/apache-httpd/src/client/htext_api.c
index 1c3df75c..09a3fa3f 100644
--- a/src/plugins/apache-httpd/src/client/htext_api.c
+++ b/src/plugins/apache-httpd/src/client/htext_api.c
@@ -72,6 +72,7 @@ static option_entry option_definitions[] = {
 
     { OT_STRING, (option_value) NULL }, /* HTEXTOP_CAPATH     */
     { OT_STRING, (option_value) NULL }, /* HTEXTOP_CAFILE     */
+    { OT_STRING, (option_value) NULL }, /* HTEXTOP_CRLPATH    */
     { OT_STRING, (option_value) NULL }, /* HTEXTOP_CRLFILE    */
     { OT_INT, (option_value) 1 }, /* HTEXTOP_VERIFYPEER */
 
diff --git a/src/plugins/apache-httpd/src/client/htext_common.c b/src/plugins/apache-httpd/src/client/htext_common.c
index 34a28353..4b7c9dc9 100644
--- a/src/plugins/apache-httpd/src/client/htext_common.c
+++ b/src/plugins/apache-httpd/src/client/htext_common.c
@@ -21,6 +21,7 @@
 #define _GNU_SOURCE
 #include <ctype.h>
 #include <curl/curl.h>
+#include <openssl/ssl.h>
 #include <stdarg.h>
 #include <stdlib.h>
 #include <string.h>
@@ -121,6 +122,32 @@ int htext_error(htext_handle *handle, const char *fmt, ...)
     return n;
 }
 
+CURLcode htext_sslctx_callback(CURL *curl, void *ssl_ctx, void *pp)
+{
+  X509_STORE *store = SSL_CTX_get_cert_store((SSL_CTX*)ssl_ctx);
+  htext_chunk *partial = (htext_chunk*) pp;
+  const char *capath = GETSTR(partial->handle, HTEXTOP_CAPATH);
+  const char *crlpath = GETSTR(partial->handle, HTEXTOP_CRLPATH);
+
+  if (!crlpath) return CURLE_OK;
+
+  if (!store) {
+      htext_log(partial->handle, "unable to get SSL storage");
+      return CURLE_BAD_FUNCTION_ARGUMENT;
+  }
+
+  if (!capath || strcmp(capath, crlpath)) {
+      if (!X509_STORE_load_locations(store, NULL, crlpath)) {
+          htext_log(partial->handle, "unable to load X.509 CRL from %s", crlpath);
+          return CURLE_BAD_FUNCTION_ARGUMENT;
+      }
+  }
+
+  X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
+
+  return CURLE_OK;
+}
+
 size_t htext_header_callback(void *buffer, size_t size, size_t nmemb, void *st)
 {
     htext_chunk *partial = (htext_chunk*) st;
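Review bot: In htext_sslctx_callback the shortcut `if (!capath || strcmp(capath, crlpath))` silently relies on libcurl having already registered the same hash directory on this X509_STORE through CURLOPT_CAPATH, which is true for the OpenSSL backend because a hash-dir lookup resolves both certificates and `.rN` CRL files; that deserves a comment such as `/* CAPATH already registered this hash_dir lookup on the store and it also serves CRLs, so do not add it twice */`. Note also that X509_STORE_load_locations with a directory only registers the lookup and does not check that any CRL exists, so the message "unable to load X.509 CRL from %s" is misleading: a CA in the chain without a CRL is rejected later at handshake time (fail-closed, given X509_V_FLAG_CRL_CHECK_ALL), and a comment saying so would save the next reader a debugging session. CURLE_BAD_FUNCTION_ARGUMENT is an odd code for a store problem; CURLE_ABORTED_BY_CALLBACK describes it better, although any non-OK value aborts the transfer either way. The unused `curl` parameter could be silenced with `(void) curl;`.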
diff --git a/src/plugins/apache-httpd/src/client/htext_copy.c b/src/plugins/apache-httpd/src/client/htext_copy.c
index 88c4aacd..36b04f75 100644
--- a/src/plugins/apache-httpd/src/client/htext_copy.c
+++ b/src/plugins/apache-httpd/src/client/htext_copy.c
@@ -203,6 +203,9 @@ void *htext_copy_method(void *h)
     curl_easy_setopt(curl, CURLOPT_USERAGENT, GETSTR(handle, HTEXTOP_CLIENTID));
     curl_easy_setopt(curl, CURLOPT_CAPATH, GETSTR(handle, HTEXTOP_CAPATH));
     curl_easy_setopt(curl, CURLOPT_CAINFO, GETSTR(handle, HTEXTOP_CAFILE));
+    // CURL doesn't provide direct interface for "CRLPATH", use openssl context directly
+    curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, htext_sslctx_callback);
+    curl_easy_setopt(curl, CURLOPT_SSL_CTX_DATA, &control);
     curl_easy_setopt(curl, CURLOPT_CRLFILE, GETSTR(handle, HTEXTOP_CRLFILE));
     curl_easy_setopt(curl, CURLOPT_SSLCERT,
             GETSTR(handle, HTEXTOP_USERCERTIFICATE));
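Review bot: The result of `curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, htext_sslctx_callback)` is discarded; libcurl accepts this option only when built against an OpenSSL-compatible backend and returns CURLE_NOT_BUILT_IN otherwise, so on such a build the callback is never installed, the configured CRL directory is ignored and the transfer proceeds without revocation checks although the configuration says `chain`. Since this is the only path by which HTEXTOP_CRLPATH reaches OpenSSL, the failure should be treated as fatal at least when a CRL path is configured, e.g. `if (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, htext_sslctx_callback) != CURLE_OK && GETSTR(handle, HTEXTOP_CRLPATH)) { htext_error(handle, "CRL path configured but TLS backend cannot apply it"); /* fail the transfer */ }`. The same unchecked line is added in htext_get.c (htext_get_method) and htext_put.c (htext_put_method). The callback casts its data pointer to htext_chunk, so `&control` here is presumably a htext_chunk; worth confirming since the type is not visible in the hunk. htext_copy_method starts and ends outside the hunk.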
diff --git a/src/plugins/apache-httpd/src/client/htext_get.c b/src/plugins/apache-httpd/src/client/htext_get.c
index 0fb49bde..310c773b 100644
--- a/src/plugins/apache-httpd/src/client/htext_get.c
+++ b/src/plugins/apache-httpd/src/client/htext_get.c
@@ -51,6 +51,7 @@ static void* htext_get_subthread(void *pp)
             GETIO(partial->handle)->write);
     curl_easy_setopt(partial->curl, CURLOPT_WRITEDATA, partial->fd);
     curl_easy_setopt(partial->curl, CURLOPT_DEBUGDATA, partial);
+    curl_easy_setopt(partial->curl, CURLOPT_SSL_CTX_DATA, partial); 
 
     /* Range */
     if (partial->nchunks > 1) {
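Review bot: htext_get_subthread sets CURLOPT_SSL_CTX_DATA on `partial->curl` but this hunk does not set CURLOPT_SSL_CTX_FUNCTION on it; whether the per-chunk handle inherits the callback depends on how it is created, which is outside the hunk. If it comes from curl_easy_duphandle of the main handle the callback is copied along, but if it is a fresh curl_easy_init the chunk transfers would run with a data pointer and no callback, i.e. without the CRL check that the main handle enforces. A comment stating which it is, e.g. `/* SSL_CTX_FUNCTION is inherited from the duplicated main handle; only the data pointer differs per chunk */`, or an explicit setopt next to this line, would close the question. The same pattern appears in htext_put_subthread in htext_put.c. The function starts before and ends after the hunk.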
@@ -89,6 +90,8 @@ void *htext_get_method(void *h)
     curl_easy_setopt(curl, CURLOPT_USERAGENT, GETSTR(handle, HTEXTOP_CLIENTID));
     curl_easy_setopt(curl, CURLOPT_CAPATH, GETSTR(handle, HTEXTOP_CAPATH));
     curl_easy_setopt(curl, CURLOPT_CAINFO, GETSTR(handle, HTEXTOP_CAFILE));
+    // CURL doesn't provide direct interface for "CRLPATH", use openssl context directly
+    curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, htext_sslctx_callback);
     curl_easy_setopt(curl, CURLOPT_CRLFILE, GETSTR(handle, HTEXTOP_CRLFILE));
     curl_easy_setopt(curl, CURLOPT_SSLCERT,
             GETSTR(handle, HTEXTOP_USERCERTIFICATE));
@@ -136,6 +139,7 @@ void *htext_get_method(void *h)
         curl_easy_setopt(curl, CURLOPT_HEADERDATA, &head;;
         curl_easy_setopt(curl, CURLOPT_HTTPHEADER, head.headers);
         curl_easy_setopt(curl, CURLOPT_DEBUGDATA, &head;;
+        curl_easy_setopt(curl, CURLOPT_SSL_CTX_DATA, &head;; 
 
         handle->status = HTEXTS_WAITING;
         htext_log(handle, "Asking for the size");
@@ -152,6 +156,12 @@ void *htext_get_method(void *h)
             curl_easy_setopt(curl, CURLOPT_URL, head.location);
         }
 
+        /* Explicitly reset pointers to released head data structure */
+        curl_easy_setopt(curl, CURLOPT_HEADERDATA, NULL);
+        curl_easy_setopt(curl, CURLOPT_HTTPHEADER, NULL);
+        curl_easy_setopt(curl, CURLOPT_DEBUGDATA, NULL);
+        curl_easy_setopt(curl, CURLOPT_SSL_CTX_DATA, NULL); 
+
         htext_partial_clean(&head;;
     }
 
diff --git a/src/plugins/apache-httpd/src/client/htext_private.h b/src/plugins/apache-httpd/src/client/htext_private.h
index 0a406df7..49c6c60a 100644
--- a/src/plugins/apache-httpd/src/client/htext_private.h
+++ b/src/plugins/apache-httpd/src/client/htext_private.h
@@ -187,6 +187,15 @@ int htext_log(htext_handle *handle, const char *fmt, ...);
  */
 int htext_error(htext_handle *handle, const char *fmt, ...);
 
+/**
+ * Called by Curl every time a line of the header needs to be processed
+ * @param curl     The CURL handle calling
+ * @param ssl_ctx  The SSL library context
+ * @param pp       A pointer to a htext_partial structure
+ * @return         Continue with SSL connection or return error
+ */
+CURLcode htext_sslctx_callback(CURL *curl, void *ssl_ctx, void *pp);
+
 /**
  * Called by Curl every time a line of the header needs to be processed
  * @param buffer   Where the data is
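Review bot: The doc comment on the new htext_sslctx_callback prototype was copied from htext_header_callback and describes the wrong thing: "Called by Curl every time a line of the header needs to be processed" is false for a CURLOPT_SSL_CTX_FUNCTION hook. Suggested text: `Called by Curl once per connection before the TLS handshake, with the freshly created OpenSSL SSL_CTX; registers the configured CRL directory (HTEXTOP_CRLPATH) on the context's X509_STORE and turns on full-chain CRL checking. Returns CURLE_OK to continue or an error code to abort the transfer.` The `@param pp` line should also name the type the implementation actually casts to, `htext_chunk`, rather than "htext_partial", and `@param ssl_ctx` should say it is an `SSL_CTX *` passed as void pointer.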
diff --git a/src/plugins/apache-httpd/src/client/htext_put.c b/src/plugins/apache-httpd/src/client/htext_put.c
index 0c3e4c1d..a23f0c0e 100644
--- a/src/plugins/apache-httpd/src/client/htext_put.c
+++ b/src/plugins/apache-httpd/src/client/htext_put.c
@@ -101,6 +101,7 @@ static void* htext_put_subthread(void *pp)
     curl_easy_setopt(partial->curl, CURLOPT_READDATA, partial);
     curl_easy_setopt(partial->curl, CURLOPT_IOCTLDATA, partial);
     curl_easy_setopt(partial->curl, CURLOPT_DEBUGDATA, partial);
+    curl_easy_setopt(partial->curl, CURLOPT_SSL_CTX_DATA, partial); 
 
     /* Range (not for last empty PUT) */
     if (partial->nchunks > 1 && partial->index >= 0) {
@@ -154,6 +155,8 @@ void *htext_put_method(void *h)
     curl_easy_setopt(curl, CURLOPT_USERAGENT, GETSTR(handle, HTEXTOP_CLIENTID));
     curl_easy_setopt(curl, CURLOPT_CAPATH, GETSTR(handle, HTEXTOP_CAPATH));
     curl_easy_setopt(curl, CURLOPT_CAINFO, GETSTR(handle, HTEXTOP_CAFILE));
+    // CURL doesn't provide direct interface for "CRLPATH", use openssl context directly
+    curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, htext_sslctx_callback);
     curl_easy_setopt(curl, CURLOPT_CRLFILE, GETSTR(handle, HTEXTOP_CRLFILE));
     curl_easy_setopt(curl, CURLOPT_SSLCERT, GETSTR(handle, HTEXTOP_USERCERTIFICATE));
     curl_easy_setopt(curl, CURLOPT_SSLKEY, GETSTR(handle, HTEXTOP_USERPRIVKEY));
diff --git a/src/plugins/apache-httpd/src/mod_lcgdm_disk/copy.c b/src/plugins/apache-httpd/src/mod_lcgdm_disk/copy.c
index dd586da6..f3fd2caa 100644
--- a/src/plugins/apache-httpd/src/mod_lcgdm_disk/copy.c
+++ b/src/plugins/apache-httpd/src/mod_lcgdm_disk/copy.c
@@ -465,8 +465,14 @@ static dav_error *dav_disk_generic_copy(const dav_resource* res, const char* upr
     if (d_conf->capath) {
         htext_setopt(handle, HTEXTOP_CAPATH, d_conf->capath);
     }
-    if (d_conf->crlfile) {
-        htext_setopt(handle, HTEXTOP_CRLFILE, d_conf->crlfile);
+    if (d_conf->crlcheck && strcmp("chain", d_conf->crlcheck))
+    {
+        if (d_conf->crlpath) {
+            htext_setopt(handle, HTEXTOP_CRLPATH, d_conf->crlpath);
+        }
+        if (d_conf->crlfile) {
+            htext_setopt(handle, HTEXTOP_CRLFILE, d_conf->crlfile);
+        }
     }
     if (uproxy || d_conf->capath || d_conf->cafile) {
         htext_setopt(handle, HTEXTOP_VERIFYPEER, 1);
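Review bot: The new condition `if (d_conf->crlcheck && strcmp("chain", d_conf->crlcheck))` is inverted: strcmp returns 0 on a match, so the CRL path and file are handed to htext only when the setting is NOT `chain`. With the default `chain` set in dav_disk_create_dir_config, HTEXTOP_CRLPATH therefore stays unset, htext_sslctx_callback returns early and third-party-copy connections run with no revocation check at all, while a value of `none` is what actually turns checking on. The line should read `if (d_conf->crlcheck && strcmp("chain", d_conf->crlcheck) == 0)`. As a side effect the `DiskSSLCARevocationCheck none` line emitted by the puppet template currently enables rather than disables checking. dav_disk_generic_copy starts and ends outside the hunk.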
diff --git a/src/plugins/apache-httpd/src/mod_lcgdm_disk/mod_lcgdm_disk.c b/src/plugins/apache-httpd/src/mod_lcgdm_disk/mod_lcgdm_disk.c
index 9529fbc8..2b875028 100644
--- a/src/plugins/apache-httpd/src/mod_lcgdm_disk/mod_lcgdm_disk.c
+++ b/src/plugins/apache-httpd/src/mod_lcgdm_disk/mod_lcgdm_disk.c
@@ -84,7 +84,9 @@ static void *dav_disk_create_dir_config(apr_pool_t *p, char *dir)
     conf->proxy_cache = "/var/proxycache";
     conf->capath = "/etc/grid-security/certificates";
     conf->cafile = NULL;
+    conf->crlpath = "/etc/grid-security/certificates";
     conf->crlfile = NULL;
+    conf->crlcheck = "chain";
     conf->low_speed_time = 2*60;
     conf->low_speed_limit = 10*1024;
 
@@ -261,6 +263,23 @@ static const char *dav_disk_cmd_cafile(cmd_parms *cmd, void *config,
     return NULL ;
 }
 
+/**
+ * Set CRLPath with revocated certificates for TPC
+ * @param cmd    Lots of information about the configuration contexts (as pool)
+ * @param config A pointer to the directory configuration
+ * @param arg    The CRLPath
+ * @return       NULL on success. An error string otherwise
+ */
+static const char *dav_disk_cmd_crlpath(cmd_parms *cmd, void *config,
+        const char *arg)
+{
+    (void) cmd;
+
+    dav_disk_dir_conf *conf = (dav_disk_dir_conf*) config;
+    conf->crlpath = (!arg || !strlen(arg)) ? NULL : arg;
+    return NULL ;
+}
+
 /**
  * Set CRLFile with revocated certificates for TPC
  * @param cmd    Lots of information about the configuration contexts (as pool)
@@ -278,6 +297,24 @@ static const char *dav_disk_cmd_crlfile(cmd_parms *cmd, void *config,
     return NULL ;
 }
 
+/**
+ * Set CRL validation for revocated certificates used by TPC
+ * @param cmd    Lots of information about the configuration contexts (as pool)
+ * @param config A pointer to the directory configuration
+ * @param arg    The configuration
+ * @return       NULL on success. An error string otherwise
+ */
+static const char *dav_disk_cmd_crlcheck(cmd_parms *cmd, void *config,
+        const char *arg)
+{
+    if (strcmp("none", arg) && strcmp("chain", arg))
+        return apr_psprintf(cmd->pool, "%s is not a recognised value", arg);
+
+    dav_disk_dir_conf *conf = (dav_disk_dir_conf*) config;
+    conf->crlcheck = arg;
+    return NULL ;
+}
+
 /** Command list (configuration parameters) */
 static const command_rec dav_disk_cmds[] = {
     AP_INIT_TAKE1 ("DiskDMLite", dav_disk_cmd_dmlite, NULL, ACCESS_CONF | RSRC_CONF,
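Review bot: dav_disk_cmd_crlcheck compares the directive value case-sensitively with `strcmp("none", arg) && strcmp("chain", arg)`, so `Chain` or `NONE` is rejected with an error, which is unusual for httpd directives; `strcasecmp` would match the convention, and the stored value should then be normalised (`conf->crlcheck = strcasecmp("none", arg) == 0 ? "none" : "chain";`) so that the comparison in copy.c keeps working. Separately, the two new fields `crlpath` and `crlcheck` are initialised in dav_disk_create_dir_config but nothing in the hunks touches a merge-dir-config function; if this module has one (not visible here), both fields need merging there, otherwise a nested <Location> or <Directory> context silently loses the directory default and the revocation setting. The doc comments on both new handlers say "revocated"; the usual word is "revoked".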
@@ -294,10 +331,12 @@ static const command_rec dav_disk_cmds[] = {
             "SSL CA Certificate path ('/path/to/dir' - contains PEM encoded files)"),
     AP_INIT_TAKE1 ("DiskSSLCACertificateFile", dav_disk_cmd_cafile, NULL, ACCESS_CONF,
             "SSL CA Certificate file ('/path/to/file' - PEM encoded)"),
-    //AP_INIT_TAKE1 ("DiskSSLCARevocationPath", dav_disk_cmd_crlpath, NULL, ACCESS_CONF,
-    //        "SSL CA Certificate Revocation List (CRL) path ('/path/to/dir' - contains PEM encoded files)"),
+    AP_INIT_TAKE1 ("DiskSSLCARevocationPath", dav_disk_cmd_crlpath, NULL, ACCESS_CONF,
+            "SSL CA Certificate Revocation List (CRL) path ('/path/to/dir' - contains PEM encoded files)"),
     AP_INIT_TAKE1 ("DiskSSLCARevocationFile", dav_disk_cmd_crlfile, NULL, ACCESS_CONF,
             "SSL CA Certificate Revocation List (CRL) file ('/path/to/file' - PEM encoded)"),
+    AP_INIT_TAKE1 ("DiskSSLCARevocationCheck", dav_disk_cmd_crlcheck, NULL, ACCESS_CONF,
+            "SSL CA Certificate Revocation List checkging (chain|none)"),
     AP_INIT_TAKE1 ("DiskLowSpeedTime", ap_set_int_slot,
             (void *)APR_OFFSETOF(dav_disk_dir_conf, low_speed_time), ACCESS_CONF,
             "Low speed limit time period in seconds"),
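Review bot: The help string for the new DiskSSLCARevocationCheck directive has a typo, "checkging", which shows up in `httpd -L` output; suggested text: `"SSL CA Certificate Revocation List checking for TPC connections (chain|none, default chain)"`. Stating the default in the help text matters here because `chain` is what dav_disk_create_dir_config sets and it is the fail-closed choice.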
diff --git a/src/plugins/apache-httpd/src/mod_lcgdm_disk/mod_lcgdm_disk.h b/src/plugins/apache-httpd/src/mod_lcgdm_disk/mod_lcgdm_disk.h
index 42164d74..f2bdaf57 100644
--- a/src/plugins/apache-httpd/src/mod_lcgdm_disk/mod_lcgdm_disk.h
+++ b/src/plugins/apache-httpd/src/mod_lcgdm_disk/mod_lcgdm_disk.h
@@ -60,7 +60,9 @@ struct dav_disk_dir_conf
     const char *delegation_service;
     const char *capath;
     const char *cafile;
+    const char *crlpath;
     const char *crlfile;
+    const char *crlcheck;
     int low_speed_time;
     int low_speed_limit;
 };
diff --git a/src/puppet/dmlite/manifests/dav.pp b/src/puppet/dmlite/manifests/dav.pp
index 0518bbe5..9ff82e08 100644
--- a/src/puppet/dmlite/manifests/dav.pp
+++ b/src/puppet/dmlite/manifests/dav.pp
@@ -16,6 +16,8 @@ class dmlite::dav (
   Stdlib::Unixpath $ssl_cert = $dmlite::dav::params::ssl_cert,
   Stdlib::Unixpath $ssl_key = $dmlite::dav::params::ssl_key,
   Stdlib::Unixpath $ssl_capath = $dmlite::dav::params::ssl_capath,
+  Stdlib::Unixpath $ssl_tpc_capath = $dmlite::dav::params::ssl_tpc_capath,
+  Optional[Stdlib::Unixpath] $ssl_tpc_crlpath = $dmlite::dav::params::ssl_tpc_crlpath,
   String $ssl_options = $dmlite::dav::params::ssl_options,
   String $log_error = $dmlite::dav::params::log_error,
   String $log_transfer = $dmlite::dav::params::log_transfer,
diff --git a/src/puppet/dmlite/manifests/dav/config.pp b/src/puppet/dmlite/manifests/dav/config.pp
index 1d6eb596..94adea76 100644
--- a/src/puppet/dmlite/manifests/dav/config.pp
+++ b/src/puppet/dmlite/manifests/dav/config.pp
@@ -18,6 +18,8 @@ class dmlite::dav::config (
   $ssl_options        = $dmlite::dav::ssl_options,
   $ssl_protocol       = $dmlite::dav::ssl_protocol,
   $ssl_ciphersuite    = $dmlite::dav::ssl_ciphersuite,
+  $ssl_tpc_capath     = $dmlite::dav::ssl_tpc_capath,
+  $ssl_tpc_crlpath    = $dmlite::dav::ssl_tpc_crlpath,
   $log_error          = $dmlite::dav::log_error,
   $log_transfer       = $dmlite::dav::log_transfer,
   $log_level          = $dmlite::dav::log_level,
diff --git a/src/puppet/dmlite/manifests/dav/params.pp b/src/puppet/dmlite/manifests/dav/params.pp
index f2dcee6e..15b3c449 100644
--- a/src/puppet/dmlite/manifests/dav/params.pp
+++ b/src/puppet/dmlite/manifests/dav/params.pp
@@ -20,6 +20,8 @@ class dmlite::dav::params (
   $ssl_protocol       = hiera('dmlite::dav::params::ssl_protocol', 'all -SSLv2 -SSLv3')
   $ssl_ciphersuite    = hiera('dmlite::dav::params::ssl_ciphersuite', 'RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5:!RC4')
   $ssl_options        = hiera('dmlite::dav::params::ssl_options','+StdEnvVars')
+  $ssl_tpc_capath     = hiera('dmlite::dav::params::ssl_tpc_capath', '/etc/grid-security/certificates')
+  $ssl_tpc_crlpath    = hiera('dmlite::dav::params::ssl_tpc_crlpath', '/etc/grid-security/certificates')
   $log_error          = hiera('dmlite::dav::params::log_error', 'logs/ssl_error_log')
   $log_transfer       = hiera('dmlite::dav::params::log_transfer', 'logs/ssl_access_log')
   $log_level          = hiera('dmlite::dav::params::log_level','warn')
diff --git a/src/puppet/dmlite/templates/dav/zlcgdm-dav.conf b/src/puppet/dmlite/templates/dav/zlcgdm-dav.conf
index 65d8e165..64565ccf 100644
--- a/src/puppet/dmlite/templates/dav/zlcgdm-dav.conf
+++ b/src/puppet/dmlite/templates/dav/zlcgdm-dav.conf
@@ -206,14 +206,23 @@ DiskDMLite <%= @dmlite_disk_conf %>
   # CGI, it allways has to be DocumentRoot/../proxycache
   DiskProxyCache /var/www/proxycache
 
-  <% if @dav_http_port.to_i != 80 or @dav_https_port.to_i != 443 -%>
+<% if @dav_http_port.to_i != 80 or @dav_https_port.to_i != 443 -%>
   NSRedirectPort <%= @dav_http_port %> <%= @dav_https_port %>
-  <% end -%>
+<% end -%>
 
   # Trusted certificates for TPC connection to remote storage
+<% if @ssl_tpc_capath -%>
+  DiskSSLCACertificatePath <%= @ssl_tpc_capath %>
+<% else -%>
   #DiskSSLCACertificatePath /etc/grid-security/certificates
-  #DiskSSLCACertificateFile
-  #DiskSSLCARevocationFile
+<% end -%>
+<% if @ssl_tpc_crlpath -%>
+  DiskSSLCARevocationPath <%= @ssl_tpc_crlpath %>
+  DiskSSLCARevocationCheck chain
+<% else -%>
+  #DiskSSLCARevocationPath /etc/grid-security/certificates
+  DiskSSLCARevocationCheck none
+<% end -%>
 
   # Terminate slow (stuck) transfers if bytes transferred
   # in given time window is smaller then configured tresholds
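Review bot: The `<% else -%>` branch for `@ssl_tpc_crlpath` writes `DiskSSLCARevocationCheck none` explicitly, which overrides both compiled-in defaults of the module (crlpath `/etc/grid-security/certificates` and crlcheck `chain` in dav_disk_create_dir_config), so a deployment that merely leaves `ssl_tpc_crlpath` unset turns revocation checking off instead of falling back to the built-in CRL directory. If that is intended, a template comment such as `# no ssl_tpc_crlpath: revocation checking disabled for TPC (module default would be chain)` should say so; otherwise emitting the directive only in the `if` branch is the safer default. Note also that `$ssl_tpc_capath` is typed as a non-optional Stdlib::Unixpath in dav.pp, so the `<% if @ssl_tpc_capath -%>` else branch is never taken unless hiera supplies undef.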