ADDED: New predicate ssl_set_options/3 for tweaking SSL contexts #109

Merged
merged 3 commits into from
Jul 3, 2017

Conversation

triska
Member

@triska triska commented Jul 2, 2017

ssl_set_options/3 is an important building block for tweaking existing contexts in hooks.

Note that the existing context is necessary because it may contain certificates and keys that are no longer readable at the time the hook is invoked!

This new feature finally lets us get rid of ssl_set_sni_hook/3, which is currently only necessary in extremely obscure setups and only complicates the SSL interface. The second commit does this.

Please see the respective commit messages for a more detailed description.

Related discussion:

SWI-Prolog/plweb#23

Note that not all parameters can currently be tweaked after creation of the context. Notably, it is currently not documented what OpenSSL does if existing certificates are replaced. Related issue:

openssl/openssl#2147

Please see the documentation of the predicate for which options can be currently tweaked.

This predicate is an important building block for setting various SSL
parameters from hooks, such as when using the HTTP Unix daemon.  Note
the important design principle: *No destructive modification to
existing contexts!* This is important to guarantee thread safety on
the Prolog level. Logical purity all the way.

Usage examples of this new predicate include:

  -) disabling specific protocol versions
  -) setting elliptic curves for key exchange
  -) enforcing client authentication via certificates
  -) etc.

For example, to disable SSLv3, you can add the following definition to
your server:

    http:ssl_server_create_hook(SSL0, SSL, _) :-
        ssl_set_options(SSL0, SSL, [disable_ssl_methods([sslv3])]).

This is of course only necessary for old versions of OpenSSL, since
SSLv3 is disabled in all versions that are still supported (>= 1.0.2).

The impact on existing code is negligible, since it only affects users
who are already running SWI-Prolog HTTPS servers with SNI, but are
*not* using the convenient HTTP Unix daemon interface for SNI and
instead are using custom HTTP hooks to set up SNI. In all likelihood,
there is currently only one user of this obscure feature (namely I).

In case you are affected too, instead of:

    ssl_set_sni_hook(SSL0, Goal, SSL)

please use:

    ssl_set_options(SSL0, SSL, [sni_hook(Goal)]).

ssl_set_options/3 is the much more general interface predicate for
tweaking contexts, fully subsuming ssl_set_sni_hook/3 and also other
predicates that would otherwise have to be introduced to set various
SSL parameters.

Many other context parameters were already set directly when parsing
the given options, and there was little reason for further indirection
because the SSL context is not opaque to begin with.

In fact, too many similarly named entities made navigating the code
harder than necessary and also quite a bit longer.
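An added example (not code from this PR or from the SWI-Prolog code base) of using ssl_set_options/3 from the HTTP Unix daemon hook described above, going one step beyond the SSLv3 case: it also enforces client certificate authentication, one of the listed use cases. It assumes that peer_cert/1, cacert_file/1 and cert_verify_hook/1 (ssl_context/3 options) are accepted by ssl_set_options/3, that the verify hook is called with the six-argument convention of ssl_context/3, and the CA path is a placeholder.

```prolog
:- use_module(library(ssl)).
:- use_module(library(http/http_unix_daemon)).
:- use_module(library(debug)).

% Called by the HTTP Unix daemon once the base context exists, possibly
% after privileges were dropped, so the server key is never re-read here.
% SSL0 is left untouched (no destructive modification); SSL is a new
% context derived from it.
http:ssl_server_create_hook(SSL0, SSL, _Options) :-
    ssl_set_options(SSL0, SSL,
                    [ disable_ssl_methods([sslv3]),
                      % Assumed: these ssl_context/3 options are also
                      % accepted by ssl_set_options/3.
                      peer_cert(true),                               % client must present a cert
                      cacert_file('/etc/ssl/example/client-ca.pem'), % placeholder CA file
                      cert_verify_hook(accept_client_cert)
                    ]).

% Verification hook, assumed to be called as
%   call(Goal, SSL, ProblemCert, AllCerts, FirstCert, Error).
% Succeeding accepts the presented certificate; failing rejects the
% handshake.  Only chain-validated certificates (Error == verified) are
% admitted; any other verification error is logged and rejected.
accept_client_cert(_SSL, _Problem, _All, _First, verified) :- !.
accept_client_cert(_SSL, _Problem, _All, _First, Error) :-
    debug(ssl(client_auth), "rejected client certificate: ~p", [Error]),
    fail.
```

Enable `debug(ssl(client_auth))` to see why a client certificate was rejected.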
@JanWielemaker JanWielemaker merged commit e070ba0 into SWI-Prolog:master Jul 3, 2017