Beruflich Dokumente
Kultur Dokumente
The word RDN stands for relative distinguished name. For example, the
DN cn=Root CA, ou=CA Group, o=Foo Ltd, l=Bar, st=Foobar State, c=US
becomes /C=US/ST=Foobar State/L=Bar/O=Foo Ltd/OU=CA Group/CN=Root
CA/
Warning
The format and representation of certificate names may change in future releases.
www.balasys.hu 13
Certificate is optional, if
SSL_VERIFY_OPTIONAL_UNTRUSTED
certificates are accepted
Certificate is optional, b
SSL_VERIFY_OPTIONAL_TRUSTED
certificates signed by a t
Certificate is required, o
SSL_VERIFY_REQUIRED_TRUSTED
CA are accepted.
Table 3.2. Certificate verification settings
The ssl.server_check_subject can be used to compare the domain name
provided in the Subject field of the server certificate to application level
information about the server. Currently it can compare the Subject field to
the domain name of the HTTP request in HTTPS communication. If the
ssl.server_check_subject is set to TRUE and ssl.server_verify_type is
SSL_VERIFY_REQUIRED_UNTRUSTED or
SSL_VERIFY_REQUIRED_TRUSTED, the HTTP proxy using the SSL
framework will deny access to the page and return an error if the Subject
field does not match the domain name of the URL.
Name Value
The OpenSSL implementation of the SSL protocol (used by Zorp) has an important feature regarding
method selection: it allows automatical fallbacks if one side does not support the selected method. That
means that even if SSL_METHOD_SSLv3 is specified, the communication might fall back to SSLv2 if one
of the communicating parties does not support v3. To explicitly deny a protocol, set the appropriate
ssl.client_disable_proto_* or ssl.server_disable_proto_* attribute to TRUE. In Zorp SSLv2 is disabled by
default.
www.balasys.hu
14
The default set of ciphers can be set by using the following predefined
variables.
Name Value
Cipher specifications as defined above are sorted by key length, the cipher
providing the best key length will be the most preferred.
In Zorp 6, the following proxies support STARTTLS: Ftp proxy (to start FTPS sessions), Smtp proxy.
Name Value
Name Value
Disable encryption between Zorp and the
SSL_NONE
peer.
www.balasys.hu 15
Keybrigding certificates
Name Value
Forward STARTTLS re
SSL_FORWARD_STARTTLS
only in the Ftp and Smtp
Table 3.6. Server connection security type.
class FtpsProxy(FtpProxy):
def config(self):
FtpProxy.config(self)
self.max_password_length=64
EncryptionPolicy(name="ForwardSTARTTLS",
encryption=ForwardStartTLSEncryption(client_verify=ClientCertificateVerifier(),
client_ssl_options=ClientSSLOptions(), server_verify=ServerCertificateVerifier(),
server_ssl_options=ServerSSLOptions(),
client_certificate_generator=DynamicCertificate(private_key=PrivateKey.fromFile(key_file_path="/etc/key.d/ZMS_Engi
ne/key.pem"),
trusted_ca=Certificate.fromFile(certificate_file_path="/etc/ca.d/certs/my-trusted-ca-cert.pem",
private_key=PrivateKey.fromFile("/etc/ca.d/keys/my-trusted-ca-cert.pem")),
untrusted_ca=Certificate.fromFile(certificate_file_path="/etc/ca.d/certs/my-untrusted-ca-cert.pem",
private_key=PrivateKey.fromFile("/etc/ca.d/keys/my-untrusted-ca-cert.pem")))))
def demo() :
Service(name='demo/MyFTPSService', router=TransparentRouter(),
chainer=ConnectChainer(), proxy_class=FtpsProxy, max_instances=0, max_sessions=0,
keepalive=Z_KEEPALIVE_NONE, encryption_policy="ForwardSTARTTLS")
Rule(rule_id=2,
proto=6,
service='demo/MyFTPSService'
)
3.2.7. Keybrigding certificates
Keybridging is a method to let the client see a copy of the server's
certificate (or vice versa), allowing it to inspect it and decide about its
trustworthiness. Because of proxying the SSL/TLS connection, the client is
not able to inspect the certificate of the server directly, therefore Zorp
generates a certificate based on the server's certificate on-the-fly. This
generated certificate is presented to the client.
Steps:
Step 1.