Context Navigation

Back to Ticket #386

Ticket #386: lighttpd_1.4.x_r2024_tls_server_name_indication.patch

File lighttpd_1.4.x_r2024_tls_server_name_indication.patch, 10.1 kB (added by phc, 11 months ago)
TLS server name indication support (lighttpd 1.4.x-svn)

lighttpd-1.4.x/src/configfile-glue.c


272	272	default:
273	273	break;
274	274	}
	275	#if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT
	276	} else if (!buffer_is_empty(con->tlsext_server_name)) {
	277	l = con->tlsext_server_name;
	278	#endif
275	279	} else {
276	280	l = srv->empty_string;
277	281	}

lighttpd-1.4.x/src/base.h


31	31	#if defined HAVE_LIBSSL && defined HAVE_OPENSSL_SSL_H
32	32	# define USE_OPENSSL
33	33	# include <openssl/ssl.h>
	34	# if ! defined OPENSSL_NO_TLSEXT && ! defined SSL_CTRL_SET_TLSEXT_HOSTNAME
	35	# define OPENSSL_NO_TLSEXT
	36	# endif
34	37	#endif
35	38
36	39	#ifdef HAVE_FAM_H
…	…
415	418	#ifdef USE_OPENSSL
416	419	SSL *ssl;
417	420	buffer *ssl_error_want_reuse_buffer;
	421	#ifndef OPENSSL_NO_TLSEXT
	422	buffer *tlsext_server_name;
418	423	#endif
	424	#endif
419	425	/* etag handling */
420	426	etag_flags_t etag_flags;
421	427

lighttpd-1.4.x/src/connections.c


663	663	CLEAN(server_name);
664	664	CLEAN(error_handler);
665	665	CLEAN(dst_addr_buf);
	666	#if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT
	667	CLEAN(tlsext_server_name);
	668	#endif
666	669
667	670	#undef CLEAN
668	671	con->write_queue = chunkqueue_init();
…	…
727	730	CLEAN(server_name);
728	731	CLEAN(error_handler);
729	732	CLEAN(dst_addr_buf);
	733	#if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT
	734	CLEAN(tlsext_server_name);
	735	#endif
730	736	#undef CLEAN
731	737	free(con->plugin_ctx);
732	738	free(con->cond_cache);
…	…
1340	1346	return NULL;
1341	1347	}
1342	1348
	1349	#ifndef OPENSSL_NO_TLSEXT
	1350	SSL_set_app_data(con->ssl, con);
	1351	#endif
1343	1352	SSL_set_accept_state(con->ssl);
1344	1353	con->conf.is_ssl=1;
1345	1354

lighttpd-1.4.x/src/network.c


62	62	return HANDLER_GO_ON;
63	63	}
64	64
	65	#if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT
	66	int network_ssl_servername_callback(SSL ssl, int al, server *srv) {
	67	const char *servername;
	68	connection con = (connection ) SSL_get_app_data(ssl);
	69
	70	buffer_copy_string(con->uri.scheme, "https");
	71
	72	if (NULL == (servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
	73	log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
	74	"failed to get TLS server name");
	75	return SSL_TLSEXT_ERR_NOACK;
	76	}
	77	buffer_copy_string(con->tlsext_server_name, servername);
	78	buffer_to_lower(con->tlsext_server_name);
	79
	80	config_patch_connection(srv, con, COMP_SERVER_SOCKET);
	81	config_patch_connection(srv, con, COMP_HTTP_SCHEME);
	82	config_patch_connection(srv, con, COMP_HTTP_HOST);
	83
	84	if (NULL == con->conf.ssl_ctx) {
	85	log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
	86	"null SSL_CTX for TLS server name", con->tlsext_server_name);
	87	return SSL_TLSEXT_ERR_ALERT_FATAL;
	88	}
	89
	90	/* switch to new SSL_CTX in reaction to a client's server_name extension */
	91	if (con->conf.ssl_ctx != SSL_set_SSL_CTX(ssl, con->conf.ssl_ctx)) {
	92	log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
	93	"failed to set SSL_CTX for TLS server name", con->tlsext_server_name);
	94	return SSL_TLSEXT_ERR_ALERT_FATAL;
	95	}
	96
	97	return SSL_TLSEXT_ERR_OK;
	98	}
	99	#endif
	100
65	101	int network_server_init(server srv, buffer host_token, specific_config *s) {
66	102	int val;
67	103	socklen_t addr_len;
…	…
312	348
313	349	if (s->is_ssl) {
314	350	#ifdef USE_OPENSSL
315		if (srv->ssl_is_init == 0) {
316		SSL_load_error_strings();
317		SSL_library_init();
318		srv->ssl_is_init = 1;
319
320		if (0 == RAND_status()) {
321		log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
322		"not enough entropy in the pool");
323		return -1;
324		}
325		}
326
327		if (NULL == (s->ssl_ctx = SSL_CTX_new(SSLv23_server_method()))) {
328		log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
329		ERR_error_string(ERR_get_error(), NULL));
330		return -1;
331		}
332
333		if (!s->ssl_use_sslv2) {
334		/* disable SSLv2 */
335		if (SSL_OP_NO_SSLv2 != SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2)) {
336		log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
337		ERR_error_string(ERR_get_error(), NULL));
338		return -1;
339		}
340		}
341
342		if (!buffer_is_empty(s->ssl_cipher_list)) {
343		/* Disable support for low encryption ciphers */
344		if (SSL_CTX_set_cipher_list(s->ssl_ctx, s->ssl_cipher_list->ptr) != 1) {
345		log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
346		ERR_error_string(ERR_get_error(), NULL));
347		return -1;
348		}
349		}
350
351		if (buffer_is_empty(s->ssl_pemfile)) {
	351	if (NULL == (srv_socket->ssl_ctx = s->ssl_ctx)) {
352	352	log_error_write(srv, __FILE__, __LINE__, "s", "ssl.pemfile has to be set");
353	353	return -1;
354	354	}
355
356		~~if (!buffer_is_empty(s->ssl_ca_file)) {~~
357		~~if (1 != SSL_CTX_load_verify_locations(s->ssl_ctx, s->ssl_ca_file->ptr, NULL)) {~~
358		~~log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",~~
359		~~ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);~~
360		~~return -1;~~
361		}
362		}
363
364		~~if (SSL_CTX_use_certificate_file(s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {~~
365		~~log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",~~
366		~~ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);~~
367		~~return -1;~~
368		}
369
370		~~if (SSL_CTX_use_PrivateKey_file (s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {~~
371		~~log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",~~
372		~~ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);~~
373		~~return -1;~~
374		}
375
376		~~if (SSL_CTX_check_private_key(s->ssl_ctx) != 1) {~~
377		~~log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:",~~
378		~~"Private key does not match the certificate public key, reason:",~~
379		~~ERR_error_string(ERR_get_error(), NULL),~~
380		~~s->ssl_pemfile);~~
381		~~return -1;~~
382		}
383		~~SSL_CTX_set_default_read_ahead(s->ssl_ctx, 1);~~
384		~~SSL_CTX_set_mode(s->ssl_ctx, SSL_CTX_get_mode(s->ssl_ctx) \| SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);~~
385
386		~~srv_socket->ssl_ctx = s->ssl_ctx;~~
387	355	#else
388	356
389	357	buffer_free(srv_socket->srv_token);
…	…
491	459	{ NETWORK_BACKEND_UNSET, NULL }
492	460	};
493	461
	462	#ifdef USE_OPENSSL
	463	/* load SSL certificates */
	464	for (i = 0; i < srv->config_context->used; i++) {
	465	data_config dc = (data_config )srv->config_context->data[i];
	466	specific_config *s = srv->config_storage[i];
	467
	468	if (buffer_is_empty(s->ssl_pemfile)) continue;
	469
	470	#ifdef OPENSSL_NO_TLSEXT
	471	if (COMP_HTTP_HOST == dc->comp) {
	472	log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
	473	"can't use ssl.pemfile with $HTTP[\"host\"], openssl version does not support TLS extensions");
	474	return -1;
	475	}
	476	#endif
	477
	478	if (srv->ssl_is_init == 0) {
	479	SSL_load_error_strings();
	480	SSL_library_init();
	481	srv->ssl_is_init = 1;
	482
	483	if (0 == RAND_status()) {
	484	log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
	485	"not enough entropy in the pool");
	486	return -1;
	487	}
	488	}
	489
	490	if (NULL == (s->ssl_ctx = SSL_CTX_new(SSLv23_server_method()))) {
	491	log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
	492	ERR_error_string(ERR_get_error(), NULL));
	493	return -1;
	494	}
	495
	496	if (!s->ssl_use_sslv2) {
	497	/* disable SSLv2 */
	498	if (SSL_OP_NO_SSLv2 != SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2)) {
	499	log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
	500	ERR_error_string(ERR_get_error(), NULL));
	501	return -1;
	502	}
	503	}
	504
	505	if (!buffer_is_empty(s->ssl_cipher_list)) {
	506	/* Disable support for low encryption ciphers */
	507	if (SSL_CTX_set_cipher_list(s->ssl_ctx, s->ssl_cipher_list->ptr) != 1) {
	508	log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
	509	ERR_error_string(ERR_get_error(), NULL));
	510	return -1;
	511	}
	512	}
	513
	514	if (!buffer_is_empty(s->ssl_ca_file)) {
	515	if (1 != SSL_CTX_load_verify_locations(s->ssl_ctx, s->ssl_ca_file->ptr, NULL)) {
	516	log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
	517	ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
	518	return -1;
	519	}
	520	}
	521
	522	if (SSL_CTX_use_certificate_file(s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
	523	log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
	524	ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
	525	return -1;
	526	}
	527
	528	if (SSL_CTX_use_PrivateKey_file (s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
	529	log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
	530	ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
	531	return -1;
	532	}
	533
	534	if (SSL_CTX_check_private_key(s->ssl_ctx) != 1) {
	535	log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:",
	536	"Private key does not match the certificate public key, reason:",
	537	ERR_error_string(ERR_get_error(), NULL),
	538	s->ssl_pemfile);
	539	return -1;
	540	}
	541	SSL_CTX_set_default_read_ahead(s->ssl_ctx, 1);
	542	SSL_CTX_set_mode(s->ssl_ctx, SSL_CTX_get_mode(s->ssl_ctx) \| SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
	543
	544	#ifndef OPENSSL_NO_TLSEXT
	545	if (!SSL_CTX_set_tlsext_servername_callback(s->ssl_ctx, network_ssl_servername_callback) \|\|
	546	!SSL_CTX_set_tlsext_servername_arg(s->ssl_ctx, srv)) {
	547	log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
	548	"failed to initialize TLS servername callback, openssl library does not support TLS servername extension");
	549	return -1;
	550	}
	551	#endif
	552	}
	553	#endif
	554
494	555	b = buffer_init();
495	556
496	557	buffer_copy_string_buffer(b, srv->srvconf.bindhost);

lighttpd-1.4.x/src/configfile.c


285	285	PATCH(is_ssl);
286	286
287	287	PATCH(ssl_pemfile);
	288	PATCH(ssl_ctx);
288	289	PATCH(ssl_ca_file);
289	290	PATCH(ssl_cipher_list);
290	291	PATCH(ssl_use_sslv2);
…	…
343	344	PATCH(etag_use_size);
344	345	} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.pemfile"))) {
345	346	PATCH(ssl_pemfile);
	347	PATCH(ssl_ctx);
346	348	} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.ca-file"))) {
347	349	PATCH(ssl_ca_file);
348	350	} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv2"))) {

Download in other formats:

Original Format