A touch more cleanup related to [RIAK-1506] #718

Mar 13, 2015
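--- a/src/riak_core_ssl_util.erl
+++ b/src/riak_core_ssl_util.erl
@@ -2,7 +2,7 @@
 %%
 %% riak_core: Core Riak Application
 %%
-%% Copyright (c) 2007-2013 Basho Technologies, Inc. All Rights Reserved.
+%% Copyright (c) 2007-2015 Basho Technologies, Inc. All Rights Reserved.
 %%
 %% This file is provided to you under the Apache License,
 %% Version 2.0 (the "License"); you may not use this file
@@ -172,11 +172,22 @@ load_cert(Cert) ->
 Type == 'Certificate', Cipher == 'not_encrypted']
 end.
 
-%% Reject another node whose common name is the same as ours unless it's a wildcard
+%% Reject another node whose common name is the same as ours unless it's
+%% a wildcard. A wildcard is defined ONLY as beginning with '*'.
+%%
+%% The test ONLY returns 'true' when the strings are identical (disregarding
+%% case) AND do not start with the character '*'. All other cases return false,
+%% hence the various shortcuts.
 invalid_cn_pair([$* | _], _) ->
 false;
-invalid_cn_pair(LeftCN, RightCN) ->
-string:to_lower(LeftCN) == string:to_lower(RightCN).
+invalid_cn_pair(_, [$* | _]) ->
+false;
+invalid_cn_pair(SameCN, SameCN) ->
+true;
+invalid_cn_pair(LeftCN, RightCN) when length(LeftCN) == length(RightCN) ->
+string:to_lower(LeftCN) == string:to_lower(RightCN);
+invalid_cn_pair(_, _) ->
+false.
 
 %% Custom SSL verification function for checking common names against the
 %% whitelist.
@@ -198,15 +209,16 @@ verify_ssl(Cert, valid_peer, {App, MyCommonName}) ->
 "certificate's common name: ~p", [CommonName]),
 {fail, duplicate_common_name};
 _ ->
-case validate_common_name(CommonName,
-app_helper:get_env(App, peer_common_name_acl, "*")) of
+ACL = app_helper:get_env(App, peer_common_name_acl, "*"),
+case validate_common_name(CommonName, ACL) of
 {true, Filter} ->
-lager:info("SSL connection from ~s granted by ACL ~s",
+lager:info("SSL connection from ~s granted by ACL \"~s\"",
 [CommonName, Filter]),
 {valid, MyCommonName};
 false ->
-lager:error("SSL connection from ~s denied, no matching ACL",
-[CommonName]),
+lager:error(
+"SSL connection from ~s denied, no matching ACL in ~p",
+[CommonName, ACL]),
 {fail, no_acl}
 end
 end.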
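Review bot: The new catch-all clause `invalid_cn_pair(_, _) -> false.` at the end of the invalid_cn_pair hunk makes any non-string argument evaluate to "not a duplicate", whereas the removed version fed both arguments to string:to_lower/1, which only accepts lists and would have crashed rather than reaching a permissive result. Because this predicate is what lets verify_ssl reject a peer presenting our own common name, that is a fail-open on unexpected input; whether a non-list CN can actually reach this function depends on the caller, which is outside this hunk, so treat this as a hardening point rather than a confirmed hole. Narrowing the final clause to `invalid_cn_pair(LeftCN, RightCN) when is_list(LeftCN), is_list(RightCN) -> false.` keeps every documented shortcut while letting any other shape fail with function_clause as before. The `length/1` guard on the preceding clause could also use `=:=` instead of `==`, though for integer lengths that is cosmetic.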