patch 7cf737ec305ade9759d13a9fa2f5ef70b6158c45

Author: Enrique D. Bosch <presidev@AT@gmail.com>

Date: Wed Jun 8 00:14:13 CEST 2016

* Add an option (tls_ca_subject) to check the subject of the root certificate, to avoid attacks with leaf certificates generated by compromissed or malicious certificate authorities, this is a key pinning mechanism

+tls_ca_subject=

-namespace eval static { variable tag 1 }

+namespace eval static \

+{

+ variable tag 1

+ variable ccsp 0

+ array set ccsu {}

+}

+

+proc parse_cert_subject { sub } \

+{

+ set cst [ split [ string map { , = / = } $sub ] = ]

+ foreach v $cst { lappend cstp [ string trim $v ] }

+ return $cstp

+}

+

+proc tls_cb { type channel depth cert status error } \

+{

+ variable ::shared::conf

+ variable ::static::ccsu

+ variable ::static::ccsp

+

+ array set ca $cert

+ if { $conf(tls_ca_subject)!="" && $type=="verify" && $ca(subject)==$ca(issuer) } \

+ {

+ array set csu [ parse_cert_subject $ca(subject) ]

+ if !$ccsp \

+ {

+ array set ccsu [ parse_cert_subject $conf(tls_ca_subject) ]

+ set ccsp 1

+ }

+ foreach i [ array names ccsu ] \

+ { if { ![ info exists csu($i) ] || $csu($i)!=$ccsu($i) } { error cert } }

+ }

+}

- -cipher \"$conf(tls_ciphers)\""

+ -cipher \"$conf(tls_ciphers)\" \

+ -command tls_cb"