Add a default certificate when none are found for a host

Signed-off-by: Eloi DEMOLIS <[email protected]>
overphoenix · Oct 27, 2023 · bf026ee · bf026ee
1 parent 72e9d44
commit bf026ee
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 5 deletions.
diff --git a/lib/Cargo.toml b/lib/Cargo.toml
@@ -51,6 +51,7 @@ socket2 = { version = "^0.5.4", features = ["all"] }
 thiserror = "^1.0.49"
 time = "^0.3.29"
 x509-parser = "^0.15.1"
+once_cell = "1.18.0"
 
 sozu-command-lib = { path = "../command", version = "^0.15.10" }
 

diff --git a/lib/src/https.rs b/lib/src/https.rs
@@ -1,7 +1,7 @@
 use std::{
     cell::RefCell,
     collections::{hash_map::Entry, BTreeMap, HashMap},
-    io::{ErrorKind, Read},
+    io::ErrorKind,
     net::{Shutdown, SocketAddr as StdSocketAddr},
     os::unix::{io::AsRawFd, net::UnixStream},
     rc::{Rc, Weak},
@@ -394,7 +394,7 @@ impl ProxySession for HttpsSession {
             return;
         }
 
-        debug!("Closing HTTPS session");
+        trace!("Closing HTTPS session");
         self.metrics.service_stop();
 
         // Restore gauges

diff --git a/lib/src/tcp.rs b/lib/src/tcp.rs
@@ -918,7 +918,7 @@ impl ProxySession for TcpSession {
         }
 
         // TODO: the state should handle the timeouts
-        info!("Closing TCP session");
+        trace!("Closing TCP session");
         self.metrics.service_stop();
 
         // Restore gauges

diff --git a/lib/src/tls.rs b/lib/src/tls.rs
@@ -10,6 +10,7 @@ use std::{
     sync::{Arc, Mutex},
 };
 
+use once_cell::sync::Lazy;
 use rustls::{
     server::{ClientHello, ResolvesServerCert},
     sign::{CertifiedKey, RsaSigningKey},
@@ -25,6 +26,20 @@ use sozu_command::{
 
 use crate::router::trie::{Key, KeyValue, TrieNode};
 
+// -----------------------------------------------------------------------------
+// Default ParsedCertificateAndKey
+
+static DEFAULT_CERTIFICATE: Lazy<ParsedCertificateAndKey> = Lazy::new(|| {
+    let certificate_and_key = CertificateAndKey {
+        certificate: include_str!("../assets/certificate.pem").to_string(),
+        certificate_chain: vec![include_str!("../assets/certificate_chain.pem").to_string()],
+        key: include_str!("../assets/key.pem").to_string(),
+        versions: vec![],
+        names: vec![],
+    };
+    GenericCertificateResolver::parse(&certificate_and_key).unwrap()
+});
+
 // -----------------------------------------------------------------------------
 // CertificateResolver trait
 
@@ -536,8 +551,12 @@ impl ResolvesServerCert for MutexWrappedCertificateResolver {
             }
         }
 
-        error!("could not look up a certificate for server name '{}'", name);
-        None
+        // error!("could not look up a certificate for server name '{}'", name);
+        // This certificate is used for TLS tunneling with another TLS termination endpoint
+        // Note that this is unsafe and you should provide a valid certificate
+        debug!("Default certificate is used for {}", name);
+        incr!("tls.default_cert_used");
+        Self::generate_certified_key(&DEFAULT_CERTIFICATE).map(Arc::new)
     }
 }