TLS server support SNI based certificate selection

[cspiel1]

tls: support multiple TLS server certificates

Multiple certificates combined with private key and host name for the host name
verification can be added with a new function `tls_add_certf()`.

For incoming SIP requests a certificate is selected by SNI in the TLS client
hello before `SSL_accept()` is called.

e.g. use case: incoming OPTIONS from SIP servers for client is alive polling

TODO: maybe in follow up PRs in order to keep this PR small.

• cleanup/combine with

commit 21f36e31522b8d2106e6c1daf64ea0eba626f79c
Author: Christoph Huber <[email protected]>
Date:   Mon Apr 12 09:45:50 2021 +0200

    transp: add and use different client certificates

• The names tls_set_verify_server() and tls_set_verify_client() are not very proper. Maybe we could add a deprecated logging/doxygen and add new functions:
  • tls_conn_enable_verify_peer(struct tls_conn *tc, const char *host) with optional host parameter and
  • tls_trust_all(struct tls *tls)

[alfredh]

is it possible to do the TLS message parsing in OpenSSL instead ?

does it work with TLS 1.2 and TLS 1.3 ?

[cspiel1]

is it possible to do the TLS message parsing in OpenSSL instead ?
does it work with TLS 1.2 and TLS 1.3 ?

I searched in the openssl code for a while and couldn't find an adequate function. Today, we found the API function:
SSL_CTX_set_client_hello_cb()

I try to learn from the apache source code how they do cert selection via SNI. I set this PR to draft so far.

[cspiel1]

Apache copied code from openssl/test/helpers/handshake.c for parsing the SNI from the client hello.

The last commit in this PR also uses SSL_CTX_set_client_hello_cb() and SSL_client_hello_get0_ext() to do most of the parsing.

I guess it works only for TLS 1.3 because in man page of SSL_client_hello_isv2 there is:
"The SSLv2 format has substantial differences from the normal SSLv3 format, including using three bytes per cipher suite, and not allowing extensions."

Note: I have to test this before we can proceed.

[alfredh]

https://stackoverflow.com/questions/5113333/how-to-implement-server-name-indication-sni

it would be nice to implement this without any manual parsing of packets.

we support TLS v1.2 and v1.3
SSLv2/3 is deprecated.

[cspiel1]

Thanks for this hint Alfred!
Currently we have some release pressure. I'll try to rewrite this PR as soon as possible.

[alfredh]

are these used ?

[alfredh]

struct pl is designed for operating on strings.

for this it is probably better to use mbuf

[alfredh]

check for OOM

please add a test to retest with SNI

[alfredh]

I would prefer handlers to be static.

[cspiel1]

Okay.

The perfect name for a function in tls.c that turns on SSL_VERIFY_PEER for a TLS client and sets a verify handler would be: void tls_set_verify_client(tls)

But there is already a function with this name that does the opposite. It's sets the handler verify_trust_all. :-(

[alfredh]

perhaps move to separate PR ?

[cspiel1]

Thanks! First I try to rewrite this like you already mentioned: #596 (comment)

[cspiel1]

Separated: #613

[cspiel1]

TODO: Test the change to the SSL_CTX_set_tlsext_servername_callback.

[alfredh]

I would like to suggest the following:

1. Create a new patch this in re
2. Create a matching test in retest

The test can be a back-to-back test with a TLS connection
from Client to Server, that is using SNI.

If you want you can close this PR and make a new one.

[cspiel1]

New PR is not necessary. I re-based and squashed the commits.

Now I'll start to work on the retest.

[alfredh]

some general comments:

• use const char * instead of struct pl in the public API
• in for loops, move declaration of i into for loop
• in all openssl Free functions, check if they can handle a NULL pointer
• in all places where openssl return error, call ERR_clear_error()
• global symbols in the tls module should have prefix: tls_
• move sni.h into tls.h
• add doxygen comment to public functions

[alfredh]

move these 2 lines up, so that include re_* is grouped

[alfredh]

BIO_new_file is called twice, is it needed ?

Can you use the same BIO for cert and private key ?

[cspiel1]

I already read about BIO_reset(). But can't remember the result. I will test it when I have the retest.

[cspiel1]

• in all openssl Free functions, check if they can handle a NULL pointer

Yes they have.

• ASN1 free functions --> checked in the source code
• X509_free and EVP_PKEY_free --> checked in man page
• sk_X509_pop_free --> checked in the code

• in all places where openssl return error, call ERR_clear_error()

Okay, I'll put it in the "out:" section like it is done in other function in the tls module. It doesn't hurt if it called too often.

• global symbols in the tls module should have prefix: tls_

I move some functions from tls.c to sni.c and add tls_verify_handler() to the private API tls.h.

• add doxygen comment to public functions

My understanding is that public functions are in re_tls.h. I think it would also be good to add doxygen for the new tls.h functions.

[alfredh]

should SNI be enabled by default, also for clients ?

[cspiel1]

We can enable it in first call of tls_add_certf().

[alfredh]

is this line needed ?

[cspiel1]

Yes. See #596 (comment)!

These steps are done in tls_add_certf():

• first read certificate
• read potentially following CAs
• reset the BIO and read the key anywhere in the file