-
Notifications
You must be signed in to change notification settings - Fork 50
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
This patch enhances libStorage security: * If discovered in '$LIBSTORAGE_PATHS_TLS' the following files are automatically loaded: * `libstorage.crt` * `libstorage.key` * `cacerts` * If `$LIBSTORAGE_PATHS_ETC/known_hosts` exists it is automatically loaded unless the property `libstorage.tls.knownHosts` is explicitly defined. This is the system's `known_hosts` file. * If `$HOME/.libstorage/known_hosts` exists it is automatically used when TLS security is set to verify peer certificates. This is the user's `known_hosts` file. * The above `known_hosts` files are line-delimited with each line following the format: 'HOST ALGORITHM FINGERPRINT' * When matching a remote host's known host information the peer's host (derived from the certificate's Subject.CommonName) is also taken into account. Thus if a host is marked as trusted but later provides a different certificate during TLS negotiation the connection will fail. This is identical to SSH's known host logic. * The property `libstorage.tls.verifyPeers` is introduced. It's a boolean flag that indicates TLS connections should be verified against a known list of peer certificate fingerprints in the system's and user's `known_hosts` files. Enabling this property also sets `libstorage.tls.insecure` to `true`. The connection will be encrypted, but the certificate verification is disabled and deferred to the peer verification. * The property `libstorage.tls` can now be set to a simple string value of `verifyPeers` to indicate TLS connections should be verified against the system's and user's `known_hosts` files.
- Loading branch information
Showing
16 changed files
with
961 additions
and
205 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
libstorage-server sha256 52:C7:5D:00:1B:E7:33:66:14:3C:47:07:77:59:9C:94:F1:EA:76:00:41:B1:9D:71:0B:80:05:1F:F7:2D:6B:69 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.