Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ADDED: New predicate ssl_set_options/3 for tweaking SSL contexts #109

Merged
merged 3 commits into from
Jul 3, 2017
Merged

ADDED: New predicate ssl_set_options/3 for tweaking SSL contexts #109

merged 3 commits into from
Jul 3, 2017

Conversation

triska
Copy link
Member

@triska triska commented Jul 2, 2017

ssl_set_options/3 is an important building block for tweaking existing contexts in hooks.

Note that the existing context is necessary because it may contain certificates and keys that are no longer readable at the time the hook is invoked!

This new feature finally lets us get rid of ssl_set_sni_hook/3, which is currently only necessary in extremely obscure setups and only complicates the SSL interface. The second commit does this.

Please see the respective commit messages for a more detailed description.

Related discussion:

SWI-Prolog/plweb#23

Note that not all parameters can currently be tweaked after creation of the context. Notably, it is currently not documented what OpenSSL does if existing certificates are replaced. Related issue:

openssl/openssl#2147

Please see the documentation of the predicate for which options can be currently tweaked.

triska added 3 commits July 2, 2017 21:48
This predicate is an important building block for setting various SSL
parameters from hooks, such as when using the HTTP Unix daemon.  Note
the important design principle: *No destructive modification to
existing contexts!* This is important to guarantee thread safety on
the Prolog level. Logical purity all the way.

Usage examples of this new predicate include:

  -) disabling specific protocol versions
  -) setting elliptic curves for key exchange
  -) enforcing client authentication via certificates
  -) etc.

For example, to disable SSLv3, you can add the following definition to
your server:

    http:ssl_server_create_hook(SSL0, SSL, _) :-
        ssl_set_options(SSL0, SSL, [disable_ssl_methods([sslv3])]).

This is of course only necessary for old versions of OpenSSL, since
SSLv3 is disabled in all versions that are still supported (>= 1.0.2).
The impact on existing code is negligible, since it only affects users
who are already running SWI-Prolog HTTPS servers with SNI, but are
*not* using the convenient HTTP Unix daemon interface for SNI and
instead are using custom HTTP hooks to set up SNI. In all likelihood,
there is currently only one user of this obscure feature (namely I).

In case you are affected too, instead of:

    ssl_set_sni_hook(SSL0, Goal, SSL)

please use:

    ssl_set_options(SSL0, SSL, [sni_hook(Goal)]).

ssl_set_options/3 is the much more general interface predicate for
tweaking contexts, fully subsuming ssl_set_sni_hook/3 and also other
predicates that would otherwise have to be introduced to set various
SSL parameters.
Many other context parameters were already set directly when parsing
the given options, and there was little reason for further indirection
because the SSL context is not opaque to begin with.

In fact, too many similarly named entities made navigating the code
harder than necessary and also quite a bit longer.
@JanWielemaker JanWielemaker merged commit e070ba0 into SWI-Prolog:master Jul 3, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants