--- loncom/lonssl.pm 2017/02/28 05:42:06 1.15 +++ loncom/lonssl.pm 2018/07/29 03:03:36 1.16 @@ -1,5 +1,5 @@ # -# $Id: lonssl.pm,v 1.15 2017/02/28 05:42:06 raeburn Exp $ +# $Id: lonssl.pm,v 1.16 2018/07/29 03:03:36 raeburn Exp $ # # Copyright Michigan State University Board of Trustees # @@ -116,6 +116,7 @@ sub SetFdBlocking { # issued to this host. # KeyFile string Full pathname to the host's private # key file for the certificate. +# peer string lonHostID of remote LON-CAPA server # Returns # - Reference to an SSL socket on success # - undef on failure. Reason for failure can be interrogated from @@ -127,10 +128,11 @@ sub PromoteClientSocket { my ($PlaintextSocket, $CACert, $MyCert, - $KeyFile) = @_; + $KeyFile, + $peer) = @_; - Debug("Client promotion using key: $KeyFile, Cert: $MyCert, CA: $CACert\n"); + Debug("Client promotion using key: $KeyFile, Cert: $MyCert, CA: $CACert, Remote Host: $peer\n"); # To create the ssl socket we need to duplicate the existing # socket. Otherwise closing the ssl socket will close the plaintext socket @@ -146,9 +148,11 @@ sub PromoteClientSocket { # mode of SSL_VERIFY_NONE should be explicitly set for client, if # verification is not to be used, and SSL_verify_mode is not set. # Starting with rev. 1.95, the default became SSL_VERIFY_PEER which - # prevents connections to lond. - # Set SSL_verify_mode to Net::SSLeay::VERIFY_NONE() instead of to - # SSL_VERIFY_NONE for compatibility with IO::Socket::SSL rev. 1.01 + # prevents an SSL connection to lond unless SSL_verifycn_name is set + # to the lonHostID of the remote host, (and the remote certificate has + # the remote lonHostID as CN, and has been signed by the LON-CAPA CA. + # Set SSL_verify_mode to Net::SSLeay::VERIFY_PEER() instead of to + # SSL_VERIFY_PEER for compatibility with IO::Socket::SSL rev. 1.01 # used by CentOS/RHEL/Scientific Linux 5). my $client = IO::Socket::SSL->new_from_fd($dupfno, @@ -156,7 +160,8 @@ sub PromoteClientSocket { SSL_key_file => $KeyFile, SSL_cert_file => $MyCert, SSL_ca_file => $CACert, - SSL_verify_mode => Net::SSLeay::VERIFY_NONE()); + SSL_verifycn_name => $peer, + SSL_verify_mode => Net::SSLeay::VERIFY_PEER()); if(!$client) { $lasterror = IO::Socket::SSL::errstr(); @@ -168,7 +173,7 @@ sub PromoteClientSocket { #---------------------------------------------------------------------- # Name PromoteServerSocket # Description Given an ordinary IO::Socket::INET Creates an SSL socket -# for a server that is connected to the same client.l +# for a server that is connected to the same client. # Parameters Name Type Description # Socket IO::Socket::INET Original ordinary socket. # CACert string Full path name to the certificate @@ -177,6 +182,7 @@ sub PromoteClientSocket { # issued to this host. # KeyFile string Full pathname to the host's private # key file for the certificate. +# peer string lonHostID of remote LON-CAPA client # Returns # - Reference to an SSL socket on success # - undef on failure. Reason for failure can be interrogated from @@ -188,7 +194,8 @@ sub PromoteServerSocket { my ($PlaintextSocket, $CACert, $MyCert, - $KeyFile) = @_; + $KeyFile, + $peer) = @_; @@ -209,7 +216,9 @@ sub PromoteServerSocket { SSL_use_cert => 1, SSL_key_file => $KeyFile, SSL_cert_file => $MyCert, - SSL_ca_file => $CACert); + SSL_ca_file => $CACert, + SSL_verifycn_name => $peer, + SSL_verify_mode => Net::SSLeay::VERIFY_PEER()); if(!$client) { $lasterror = IO::Socket::SSL::errstr(); return undef;