Changeset 1155:d00b5914351e in freeDiameter for libfdcore/p_ce.c


Timestamp:
May 28, 2013, 1:11:27 PM (11 years ago)
Author:
Sebastien Decugis <sdecugis@freediameter.net>
Branch:
default
Phase:
public
Message:

Allow running freeDiameter without TLS credentials if both of the following conditions hold:

  • The Secure Diameter port is disabled (SecPort = 0;)
  • The old TLS mechanism is not used (TLS_old_method; not defined)

Note that in this context only connections to peers explicitly authorized for 'No_TLS' are
permitted.

File:
1 edited

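--- a/libfdcore/p_ce.c
+++ b/libfdcore/p_ce.c
@@ -596,5 +596,12 @@
         if (!fd_cnx_getTLS(cnx)) {
                 isi_none = peer->p_hdr.info.config.pic_flags.sec & PI_SEC_NONE; /* we add it even if the peer does not use the old mechanism, it is impossible to distinguish */
-                isi_tls  = peer->p_hdr.info.config.pic_flags.sec & PI_SEC_TLS_OLD;
+
+                if (peer->p_hdr.info.config.pic_flags.sec & PI_SEC_TLS_OLD) {
+                        if (fd_g_config->cnf_sec_data.tls_disabled) {
+                                LOG_N("TLS disabled locally, so Inband-Security-Id (TLS) not included for peer %s", peer->p_hdr.info.pi_diamid);
+                        } else {
+                                isi_tls  = 1;
+                        }
+                }
         }
        
@@ -771,6 +778,11 @@
                         TRACE_DEBUG(INFO, "No TLS protection negotiated with peer '%s'.", peer->p_hdr.info.pi_diamid);
                         CHECK_FCT( fd_cnx_start_clear(peer->p_cnxctx, 1) );
+                       
+                } else if (fd_g_config->cnf_sec_data.tls_disabled) {
+                        LOG_E("Clear connection with remote peer '%s' is not (explicitly) allowed, and TLS is disabled. Giving up...", peer->p_hdr.info.pi_diamid);
+                        fd_hook_call(HOOK_PEER_CONNECT_FAILED, NULL, peer, "TLS is disabled and peer is not configured for IPsec", NULL);
+                        goto cleanup;
+                       
                 } else {
-                        
                         fd_psm_change_state(peer, STATE_OPEN_HANDSHAKE);
                         CHECK_FCT_DO( fd_cnx_handshake(peer->p_cnxctx, GNUTLS_CLIENT, peer->p_hdr.info.config.pic_priority, NULL),
@@ -900,4 +912,7 @@
                                         /* We have allowed IPsec */
                                         isi = PI_SEC_NONE;
+                                } else if (fd_g_config->cnf_sec_data.tls_disabled) {
+                                        /* We can agree on TLS */
+                                        TRACE_DEBUG(INFO, "Remote peer is not allowed for IPsec and TLS is disabled.");;
                                 } else if (peer->p_hdr.info.runtime.pir_isi & PI_SEC_TLS_OLD) {
                                         /* We can agree on TLS */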
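Review bot: The comment on the new `else if (fd_g_config->cnf_sec_data.tls_disabled)` branch in the last hunk reads `/* We can agree on TLS */`, copied from the branch that follows it, but this branch is the case where the remote peer is not allowed for IPsec and TLS is disabled locally, so the comment states the opposite of what the branch means; the TRACE_DEBUG line on the next line also ends in a stray `;;`. I would replace the comment with `/* Peer is not allowed for IPsec and TLS is disabled locally: no security mechanism left to agree on */` and drop the extra semicolon. The branch only traces at INFO level and does not assign `isi`, so the actual refusal of this peer presumably happens in code outside the hunk; it is worth confirming that an unassigned `isi` is rejected there rather than falling through to a clear connection, since this is the path that enforces the "only No_TLS peers" rule from the commit message. The client-side counterpart in the second hunk reports the same condition with LOG_E and a HOOK_PEER_CONNECT_FAILED call, so if the server path also fails the connection here, using the same log level and hook would give operators consistent visibility of both directions. The enclosing function starts and ends outside the hunk.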