Change authmode default to Required on client

This commit is contained in:
Manuel Pégourié-Gonnard 2015-03-27 17:52:25 +01:00
parent 606df8c199
commit fa44f20b9f
6 changed files with 33 additions and 26 deletions

View File

@ -41,6 +41,7 @@ Default behavior changes
default ciphersuite list returned by ssl_list_ciphersuites() default ciphersuite list returned by ssl_list_ciphersuites()
* Support for receiving SSLv2 ClientHello is now disabled by default at * Support for receiving SSLv2 ClientHello is now disabled by default at
compile time. compile time.
* The default authmode for SSL/TLS clients is now REQUIRED.
Changes Changes
* Remove test program o_p_test, the script compat.sh does more. * Remove test program o_p_test, the script compat.sh does more.

View File

@ -1156,8 +1156,9 @@ int ssl_set_transport( ssl_context *ssl, int transport );
* \param ssl SSL context * \param ssl SSL context
* \param authmode can be: * \param authmode can be:
* *
* SSL_VERIFY_NONE: peer certificate is not checked (default), * SSL_VERIFY_NONE: peer certificate is not checked
* this is insecure and SHOULD be avoided. * (default on server)
* (insecure on client)
* *
* SSL_VERIFY_OPTIONAL: peer certificate is checked, however the * SSL_VERIFY_OPTIONAL: peer certificate is checked, however the
* handshake continues even if verification failed; * handshake continues even if verification failed;

View File

@ -5195,7 +5195,10 @@ void ssl_set_endpoint( ssl_context *ssl, int endpoint )
#if defined(POLARSSL_SSL_SESSION_TICKETS) && \ #if defined(POLARSSL_SSL_SESSION_TICKETS) && \
defined(POLARSSL_SSL_CLI_C) defined(POLARSSL_SSL_CLI_C)
if( endpoint == SSL_IS_CLIENT ) if( endpoint == SSL_IS_CLIENT )
{
ssl->session_tickets = SSL_SESSION_TICKETS_ENABLED; ssl->session_tickets = SSL_SESSION_TICKETS_ENABLED;
ssl->authmode = SSL_VERIFY_REQUIRED;
}
#endif #endif
#if defined(POLARSSL_SSL_TRUNCATED_HMAC) #if defined(POLARSSL_SSL_TRUNCATED_HMAC)

View File

@ -86,7 +86,7 @@
#define DFL_MIN_VERSION SSL_MINOR_VERSION_1 #define DFL_MIN_VERSION SSL_MINOR_VERSION_1
#define DFL_MAX_VERSION -1 #define DFL_MAX_VERSION -1
#define DFL_ARC4 -1 #define DFL_ARC4 -1
#define DFL_AUTH_MODE SSL_VERIFY_REQUIRED #define DFL_AUTH_MODE -1
#define DFL_MFL_CODE SSL_MAX_FRAG_LEN_NONE #define DFL_MFL_CODE SSL_MAX_FRAG_LEN_NONE
#define DFL_TRUNC_HMAC -1 #define DFL_TRUNC_HMAC -1
#define DFL_RECSPLIT -1 #define DFL_RECSPLIT -1
@ -229,7 +229,7 @@
"\n" \ "\n" \
USAGE_DTLS \ USAGE_DTLS \
"\n" \ "\n" \
" auth_mode=%%s default: \"required\"\n" \ " auth_mode=%%s default: (library default: none)\n" \
" options: none, optional, required\n" \ " options: none, optional, required\n" \
USAGE_IO \ USAGE_IO \
"\n" \ "\n" \
@ -249,7 +249,7 @@
USAGE_ETM \ USAGE_ETM \
USAGE_RECSPLIT \ USAGE_RECSPLIT \
"\n" \ "\n" \
" arc4=%%d default: (library default)\n" \ " arc4=%%d default: (library default: 0)\n" \
" min_version=%%s default: \"\" (ssl3)\n" \ " min_version=%%s default: \"\" (ssl3)\n" \
" max_version=%%s default: \"\" (tls1_2)\n" \ " max_version=%%s default: \"\" (tls1_2)\n" \
" force_version=%%s default: \"\" (none)\n" \ " force_version=%%s default: \"\" (none)\n" \
@ -1074,6 +1074,7 @@ int main( int argc, char *argv[] )
#endif #endif
ssl_set_endpoint( &ssl, SSL_IS_CLIENT ); ssl_set_endpoint( &ssl, SSL_IS_CLIENT );
if( opt.auth_mode != DFL_AUTH_MODE )
ssl_set_authmode( &ssl, opt.auth_mode ); ssl_set_authmode( &ssl, opt.auth_mode );
#if defined(POLARSSL_SSL_PROTO_DTLS) #if defined(POLARSSL_SSL_PROTO_DTLS)

View File

@ -102,7 +102,7 @@
#define DFL_MIN_VERSION SSL_MINOR_VERSION_1 #define DFL_MIN_VERSION SSL_MINOR_VERSION_1
#define DFL_MAX_VERSION -1 #define DFL_MAX_VERSION -1
#define DFL_ARC4 -1 #define DFL_ARC4 -1
#define DFL_AUTH_MODE SSL_VERIFY_OPTIONAL #define DFL_AUTH_MODE -1
#define DFL_MFL_CODE SSL_MAX_FRAG_LEN_NONE #define DFL_MFL_CODE SSL_MAX_FRAG_LEN_NONE
#define DFL_TRUNC_HMAC -1 #define DFL_TRUNC_HMAC -1
#define DFL_TICKETS SSL_SESSION_TICKETS_ENABLED #define DFL_TICKETS SSL_SESSION_TICKETS_ENABLED
@ -296,7 +296,7 @@
USAGE_ANTI_REPLAY \ USAGE_ANTI_REPLAY \
USAGE_BADMAC_LIMIT \ USAGE_BADMAC_LIMIT \
"\n" \ "\n" \
" auth_mode=%%s default: \"optional\"\n" \ " auth_mode=%%s default: (library default: required)\n" \
" options: none, optional, required\n" \ " options: none, optional, required\n" \
USAGE_IO \ USAGE_IO \
USAGE_SNI \ USAGE_SNI \
@ -315,7 +315,7 @@
USAGE_EMS \ USAGE_EMS \
USAGE_ETM \ USAGE_ETM \
"\n" \ "\n" \
" arc4=%%d default: (library default)\n" \ " arc4=%%d default: (library default: 0)\n" \
" min_version=%%s default: \"ssl3\"\n" \ " min_version=%%s default: \"ssl3\"\n" \
" max_version=%%s default: \"tls1_2\"\n" \ " max_version=%%s default: \"tls1_2\"\n" \
" force_version=%%s default: \"\" (none)\n" \ " force_version=%%s default: \"\" (none)\n" \
@ -1524,6 +1524,7 @@ int main( int argc, char *argv[] )
} }
ssl_set_endpoint( &ssl, SSL_IS_SERVER ); ssl_set_endpoint( &ssl, SSL_IS_SERVER );
if( opt.auth_mode != DFL_AUTH_MODE )
ssl_set_authmode( &ssl, opt.auth_mode ); ssl_set_authmode( &ssl, opt.auth_mode );
#if defined(POLARSSL_SSL_PROTO_DTLS) #if defined(POLARSSL_SSL_PROTO_DTLS)

View File

@ -1164,7 +1164,7 @@ run_test "Max fragment length: DTLS client, larger message" \
# Tests for renegotiation # Tests for renegotiation
run_test "Renegotiation: none, for reference" \ run_test "Renegotiation: none, for reference" \
"$P_SRV debug_level=3 exchanges=2" \ "$P_SRV debug_level=3 exchanges=2 auth_mode=optional" \
"$P_CLI debug_level=3 exchanges=2" \ "$P_CLI debug_level=3 exchanges=2" \
0 \ 0 \
-C "client hello, adding renegotiation extension" \ -C "client hello, adding renegotiation extension" \
@ -1177,7 +1177,7 @@ run_test "Renegotiation: none, for reference" \
-S "write hello request" -S "write hello request"
run_test "Renegotiation: client-initiated" \ run_test "Renegotiation: client-initiated" \
"$P_SRV debug_level=3 exchanges=2 renegotiation=1" \ "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
"$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \ "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
0 \ 0 \
-c "client hello, adding renegotiation extension" \ -c "client hello, adding renegotiation extension" \
@ -1190,7 +1190,7 @@ run_test "Renegotiation: client-initiated" \
-S "write hello request" -S "write hello request"
run_test "Renegotiation: server-initiated" \ run_test "Renegotiation: server-initiated" \
"$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \ "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
"$P_CLI debug_level=3 exchanges=2 renegotiation=1" \ "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
0 \ 0 \
-c "client hello, adding renegotiation extension" \ -c "client hello, adding renegotiation extension" \
@ -1203,7 +1203,7 @@ run_test "Renegotiation: server-initiated" \
-s "write hello request" -s "write hello request"
run_test "Renegotiation: double" \ run_test "Renegotiation: double" \
"$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \ "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
"$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \ "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
0 \ 0 \
-c "client hello, adding renegotiation extension" \ -c "client hello, adding renegotiation extension" \
@ -1216,7 +1216,7 @@ run_test "Renegotiation: double" \
-s "write hello request" -s "write hello request"
run_test "Renegotiation: client-initiated, server-rejected" \ run_test "Renegotiation: client-initiated, server-rejected" \
"$P_SRV debug_level=3 exchanges=2 renegotiation=0" \ "$P_SRV debug_level=3 exchanges=2 renegotiation=0 auth_mode=optional" \
"$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \ "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
1 \ 1 \
-c "client hello, adding renegotiation extension" \ -c "client hello, adding renegotiation extension" \
@ -1231,7 +1231,7 @@ run_test "Renegotiation: client-initiated, server-rejected" \
-c "failed" -c "failed"
run_test "Renegotiation: server-initiated, client-rejected, default" \ run_test "Renegotiation: server-initiated, client-rejected, default" \
"$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \ "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
"$P_CLI debug_level=3 exchanges=2 renegotiation=0" \ "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
0 \ 0 \
-C "client hello, adding renegotiation extension" \ -C "client hello, adding renegotiation extension" \
@ -1247,7 +1247,7 @@ run_test "Renegotiation: server-initiated, client-rejected, default" \
run_test "Renegotiation: server-initiated, client-rejected, not enforced" \ run_test "Renegotiation: server-initiated, client-rejected, not enforced" \
"$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \ "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
renego_delay=-1" \ renego_delay=-1 auth_mode=optional" \
"$P_CLI debug_level=3 exchanges=2 renegotiation=0" \ "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
0 \ 0 \
-C "client hello, adding renegotiation extension" \ -C "client hello, adding renegotiation extension" \
@ -1264,7 +1264,7 @@ run_test "Renegotiation: server-initiated, client-rejected, not enforced" \
# delay 2 for 1 alert record + 1 application data record # delay 2 for 1 alert record + 1 application data record
run_test "Renegotiation: server-initiated, client-rejected, delay 2" \ run_test "Renegotiation: server-initiated, client-rejected, delay 2" \
"$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \ "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
renego_delay=2" \ renego_delay=2 auth_mode=optional" \
"$P_CLI debug_level=3 exchanges=2 renegotiation=0" \ "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
0 \ 0 \
-C "client hello, adding renegotiation extension" \ -C "client hello, adding renegotiation extension" \
@ -1280,7 +1280,7 @@ run_test "Renegotiation: server-initiated, client-rejected, delay 2" \
run_test "Renegotiation: server-initiated, client-rejected, delay 0" \ run_test "Renegotiation: server-initiated, client-rejected, delay 0" \
"$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \ "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
renego_delay=0" \ renego_delay=0 auth_mode=optional" \
"$P_CLI debug_level=3 exchanges=2 renegotiation=0" \ "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
0 \ 0 \
-C "client hello, adding renegotiation extension" \ -C "client hello, adding renegotiation extension" \
@ -1295,7 +1295,7 @@ run_test "Renegotiation: server-initiated, client-rejected, delay 0" \
run_test "Renegotiation: server-initiated, client-accepted, delay 0" \ run_test "Renegotiation: server-initiated, client-accepted, delay 0" \
"$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \ "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
renego_delay=0" \ renego_delay=0 auth_mode=optional" \
"$P_CLI debug_level=3 exchanges=2 renegotiation=1" \ "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
0 \ 0 \
-c "client hello, adding renegotiation extension" \ -c "client hello, adding renegotiation extension" \
@ -1310,7 +1310,7 @@ run_test "Renegotiation: server-initiated, client-accepted, delay 0" \
-S "failed" -S "failed"
run_test "Renegotiation: periodic, just below period" \ run_test "Renegotiation: periodic, just below period" \
"$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3" \ "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
"$P_CLI debug_level=3 exchanges=2 renegotiation=1" \ "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
0 \ 0 \
-C "client hello, adding renegotiation extension" \ -C "client hello, adding renegotiation extension" \
@ -1327,7 +1327,7 @@ run_test "Renegotiation: periodic, just below period" \
# one extra exchange to be able to complete renego # one extra exchange to be able to complete renego
run_test "Renegotiation: periodic, just above period" \ run_test "Renegotiation: periodic, just above period" \
"$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3" \ "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
"$P_CLI debug_level=3 exchanges=4 renegotiation=1" \ "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
0 \ 0 \
-c "client hello, adding renegotiation extension" \ -c "client hello, adding renegotiation extension" \
@ -1343,7 +1343,7 @@ run_test "Renegotiation: periodic, just above period" \
-S "failed" -S "failed"
run_test "Renegotiation: periodic, two times period" \ run_test "Renegotiation: periodic, two times period" \
"$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3" \ "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
"$P_CLI debug_level=3 exchanges=7 renegotiation=1" \ "$P_CLI debug_level=3 exchanges=7 renegotiation=1" \
0 \ 0 \
-c "client hello, adding renegotiation extension" \ -c "client hello, adding renegotiation extension" \
@ -1359,7 +1359,7 @@ run_test "Renegotiation: periodic, two times period" \
-S "failed" -S "failed"
run_test "Renegotiation: periodic, above period, disabled" \ run_test "Renegotiation: periodic, above period, disabled" \
"$P_SRV debug_level=3 exchanges=9 renegotiation=0 renego_period=3" \ "$P_SRV debug_level=3 exchanges=9 renegotiation=0 renego_period=3 auth_mode=optional" \
"$P_CLI debug_level=3 exchanges=4 renegotiation=1" \ "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
0 \ 0 \
-C "client hello, adding renegotiation extension" \ -C "client hello, adding renegotiation extension" \
@ -1375,7 +1375,7 @@ run_test "Renegotiation: periodic, above period, disabled" \
-S "failed" -S "failed"
run_test "Renegotiation: nbio, client-initiated" \ run_test "Renegotiation: nbio, client-initiated" \
"$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1" \ "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 auth_mode=optional" \
"$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \ "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \
0 \ 0 \
-c "client hello, adding renegotiation extension" \ -c "client hello, adding renegotiation extension" \
@ -1388,7 +1388,7 @@ run_test "Renegotiation: nbio, client-initiated" \
-S "write hello request" -S "write hello request"
run_test "Renegotiation: nbio, server-initiated" \ run_test "Renegotiation: nbio, server-initiated" \
"$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \ "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
"$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1" \ "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1" \
0 \ 0 \
-c "client hello, adding renegotiation extension" \ -c "client hello, adding renegotiation extension" \