summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPeter Colberg <peter@colberg.org>2009-10-14 13:39:59 +0000
committerStefan B├╝hler <stbuehler@web.de>2009-10-14 13:39:59 +0000
commit8b6dae41398cc76f35425259c6c0fe58f7d3a09b (patch)
treed7f58036c5f61c868af42958603e0a29e6cddc01
parent83145e8ba6b768f94eb42b236f7ccd3909085946 (diff)
downloadlighttpd1.4-8b6dae41398cc76f35425259c6c0fe58f7d3a09b.tar.gz
lighttpd1.4-8b6dae41398cc76f35425259c6c0fe58f7d3a09b.zip
Add TLS servername indication (SNI) support (fixes #386, thx Peter Colberg <peter@colberg.org>)
* This patch may "break" some configs, if they do stupid things. Like setting ssl.pemfile to a not existing file in a "non-socket/non-ssl" block. Fix them! :) From: Peter Colberg <peter@colberg.org> git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2648 152afb58-edef-0310-8abb-c4023f1b3aa9
-rw-r--r--NEWS1
-rw-r--r--src/base.h6
-rw-r--r--src/configfile-glue.c4
-rw-r--r--src/configfile.c2
-rw-r--r--src/connections.c9
-rw-r--r--src/network.c202
-rw-r--r--tests/bug-06.conf2
-rw-r--r--tests/bug-12.conf2
-rw-r--r--tests/fastcgi-10.conf2
-rw-r--r--tests/fastcgi-13.conf2
-rw-r--r--tests/fastcgi-auth.conf2
-rw-r--r--tests/fastcgi-responder.conf2
-rw-r--r--tests/lighttpd.conf2
-rw-r--r--tests/proxy.conf2
14 files changed, 163 insertions, 77 deletions
diff --git a/NEWS b/NEWS
index 592a9890..8e372b54 100644
--- a/NEWS
+++ b/NEWS
@@ -54,6 +54,7 @@ NEWS
* Add some iterators for mod_magnet (fixes #1307)
* Fix close_timeout_ts trigger (should finally fix lingering close)
* mod_rewrite: add url.rewrite-[repeat-]if-not-file to rewrite if file doesn't exist or is not a regular file (fixes #985, thx lucas aerbeydt)
+ * Add TLS servername indication (SNI) support (fixes #386, thx Peter Colberg <peter@colberg.org>)
- 1.4.23 - 2009-06-19
* Added some extra warning options in cmake and fix the resulting warnings (unused/static functions)
diff --git a/src/base.h b/src/base.h
index b6abf8bb..fe15b399 100644
--- a/src/base.h
+++ b/src/base.h
@@ -33,6 +33,9 @@
#if defined HAVE_LIBSSL && defined HAVE_OPENSSL_SSL_H
# define USE_OPENSSL
# include <openssl/ssl.h>
+# if ! defined OPENSSL_NO_TLSEXT && ! defined SSL_CTRL_SET_TLSEXT_HOSTNAME
+# define OPENSSL_NO_TLSEXT
+# endif
#endif
#ifdef HAVE_FAM_H
@@ -424,6 +427,9 @@ typedef struct {
#ifdef USE_OPENSSL
SSL *ssl;
buffer *ssl_error_want_reuse_buffer;
+# ifndef OPENSSL_NO_TLSEXT
+ buffer *tlsext_server_name;
+# endif
#endif
/* etag handling */
etag_flags_t etag_flags;
diff --git a/src/configfile-glue.c b/src/configfile-glue.c
index 2904f711..782eb815 100644
--- a/src/configfile-glue.c
+++ b/src/configfile-glue.c
@@ -318,6 +318,10 @@ static cond_result_t config_check_cond_nocache(server *srv, connection *con, dat
default:
break;
}
+#if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT
+ } else if (!buffer_is_empty(con->tlsext_server_name)) {
+ l = con->tlsext_server_name;
+#endif
} else {
l = srv->empty_string;
}
diff --git a/src/configfile.c b/src/configfile.c
index 360b642d..14c37f39 100644
--- a/src/configfile.c
+++ b/src/configfile.c
@@ -297,6 +297,7 @@ int config_setup_connection(server *srv, connection *con) {
PATCH(is_ssl);
PATCH(ssl_pemfile);
+ PATCH(ssl_ctx);
PATCH(ssl_ca_file);
PATCH(ssl_cipher_list);
PATCH(ssl_use_sslv2);
@@ -352,6 +353,7 @@ int config_patch_connection(server *srv, connection *con, comp_key_t comp) {
PATCH(etag_use_size);
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.pemfile"))) {
PATCH(ssl_pemfile);
+ PATCH(ssl_ctx);
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.ca-file"))) {
PATCH(ssl_ca_file);
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv2"))) {
diff --git a/src/connections.c b/src/connections.c
index 6b765cf1..daec12a6 100644
--- a/src/connections.c
+++ b/src/connections.c
@@ -667,6 +667,9 @@ connection *connection_init(server *srv) {
CLEAN(server_name);
CLEAN(error_handler);
CLEAN(dst_addr_buf);
+#if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT
+ CLEAN(tlsext_server_name);
+#endif
#undef CLEAN
con->write_queue = chunkqueue_init();
@@ -731,6 +734,9 @@ void connections_free(server *srv) {
CLEAN(server_name);
CLEAN(error_handler);
CLEAN(dst_addr_buf);
+#if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT
+ CLEAN(tlsext_server_name);
+#endif
#undef CLEAN
free(con->plugin_ctx);
free(con->cond_cache);
@@ -1343,6 +1349,9 @@ connection *connection_accept(server *srv, server_socket *srv_socket) {
return NULL;
}
+#ifndef OPENSSL_NO_TLSEXT
+ SSL_set_app_data(con->ssl, con);
+#endif
SSL_set_accept_state(con->ssl);
con->conf.is_ssl=1;
diff --git a/src/network.c b/src/network.c
index 5b49a749..a7a71584 100644
--- a/src/network.c
+++ b/src/network.c
@@ -62,6 +62,45 @@ static handler_t network_server_handle_fdevent(void *s, void *context, int reven
return HANDLER_GO_ON;
}
+#if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT
+int network_ssl_servername_callback(SSL *ssl, int *al, server *srv) {
+ const char *servername;
+ connection *con = (connection *) SSL_get_app_data(ssl);
+
+ buffer_copy_string(con->uri.scheme, "https");
+
+ if (NULL == (servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
+ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
+ "failed to get TLS server name");
+ return SSL_TLSEXT_ERR_NOACK;
+ }
+ buffer_copy_string(con->tlsext_server_name, servername);
+ buffer_to_lower(con->tlsext_server_name);
+
+ config_cond_cache_reset(srv, con);
+ config_setup_connection(srv, con);
+
+ config_patch_connection(srv, con, COMP_SERVER_SOCKET);
+ config_patch_connection(srv, con, COMP_HTTP_SCHEME);
+ config_patch_connection(srv, con, COMP_HTTP_HOST);
+
+ if (NULL == con->conf.ssl_ctx) {
+ log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
+ "null SSL_CTX for TLS server name", con->tlsext_server_name);
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
+ }
+
+ /* switch to new SSL_CTX in reaction to a client's server_name extension */
+ if (con->conf.ssl_ctx != SSL_set_SSL_CTX(ssl, con->conf.ssl_ctx)) {
+ log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
+ "failed to set SSL_CTX for TLS server name", con->tlsext_server_name);
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
+ }
+
+ return SSL_TLSEXT_ERR_OK;
+}
+#endif
+
static int network_server_init(server *srv, buffer *host_token, specific_config *s) {
int val;
socklen_t addr_len;
@@ -312,78 +351,10 @@ static int network_server_init(server *srv, buffer *host_token, specific_config
if (s->is_ssl) {
#ifdef USE_OPENSSL
- if (srv->ssl_is_init == 0) {
- SSL_load_error_strings();
- SSL_library_init();
- srv->ssl_is_init = 1;
-
- if (0 == RAND_status()) {
- log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
- "not enough entropy in the pool");
- goto error_free_socket;
- }
- }
-
- if (NULL == (s->ssl_ctx = SSL_CTX_new(SSLv23_server_method()))) {
- log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
- ERR_error_string(ERR_get_error(), NULL));
- goto error_free_socket;
- }
-
- if (!s->ssl_use_sslv2) {
- /* disable SSLv2 */
- if (SSL_OP_NO_SSLv2 != SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2)) {
- log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
- ERR_error_string(ERR_get_error(), NULL));
- goto error_free_socket;
- }
- }
-
- if (!buffer_is_empty(s->ssl_cipher_list)) {
- /* Disable support for low encryption ciphers */
- if (SSL_CTX_set_cipher_list(s->ssl_ctx, s->ssl_cipher_list->ptr) != 1) {
- log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
- ERR_error_string(ERR_get_error(), NULL));
- goto error_free_socket;
- }
- }
-
- if (buffer_is_empty(s->ssl_pemfile)) {
+ if (NULL == (srv_socket->ssl_ctx = s->ssl_ctx)) {
log_error_write(srv, __FILE__, __LINE__, "s", "ssl.pemfile has to be set");
goto error_free_socket;
}
-
- if (!buffer_is_empty(s->ssl_ca_file)) {
- if (1 != SSL_CTX_load_verify_locations(s->ssl_ctx, s->ssl_ca_file->ptr, NULL)) {
- log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
- ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
- goto error_free_socket;
- }
- }
-
- if (SSL_CTX_use_certificate_file(s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
- log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
- ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
- goto error_free_socket;
- }
-
- if (SSL_CTX_use_PrivateKey_file (s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
- log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
- ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
- goto error_free_socket;
- }
-
- if (SSL_CTX_check_private_key(s->ssl_ctx) != 1) {
- log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:",
- "Private key does not match the certificate public key, reason:",
- ERR_error_string(ERR_get_error(), NULL),
- s->ssl_pemfile);
- goto error_free_socket;
- }
- SSL_CTX_set_default_read_ahead(s->ssl_ctx, 1);
- SSL_CTX_set_mode(s->ssl_ctx, SSL_CTX_get_mode(s->ssl_ctx) | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
-
- srv_socket->ssl_ctx = s->ssl_ctx;
#else
buffer_free(srv_socket->srv_token);
@@ -510,6 +481,99 @@ int network_init(server *srv) {
{ NETWORK_BACKEND_UNSET, NULL }
};
+#ifdef USE_OPENSSL
+ /* load SSL certificates */
+ for (i = 0; i < srv->config_context->used; i++) {
+ data_config *dc = (data_config *)srv->config_context->data[i];
+ specific_config *s = srv->config_storage[i];
+
+ if (buffer_is_empty(s->ssl_pemfile)) continue;
+
+#ifdef OPENSSL_NO_TLSEXT
+ if (COMP_HTTP_HOST == dc->comp) {
+ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
+ "can't use ssl.pemfile with $HTTP[\"host\"], openssl version does not support TLS extensions");
+ return -1;
+ }
+#endif
+
+ if (srv->ssl_is_init == 0) {
+ SSL_load_error_strings();
+ SSL_library_init();
+ srv->ssl_is_init = 1;
+
+ if (0 == RAND_status()) {
+ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
+ "not enough entropy in the pool");
+ return -1;
+ }
+ }
+
+ if (NULL == (s->ssl_ctx = SSL_CTX_new(SSLv23_server_method()))) {
+ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
+ ERR_error_string(ERR_get_error(), NULL));
+ return -1;
+ }
+
+ if (!s->ssl_use_sslv2) {
+ /* disable SSLv2 */
+ if (SSL_OP_NO_SSLv2 != SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2)) {
+ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
+ ERR_error_string(ERR_get_error(), NULL));
+ return -1;
+ }
+ }
+
+ if (!buffer_is_empty(s->ssl_cipher_list)) {
+ /* Disable support for low encryption ciphers */
+ if (SSL_CTX_set_cipher_list(s->ssl_ctx, s->ssl_cipher_list->ptr) != 1) {
+ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
+ ERR_error_string(ERR_get_error(), NULL));
+ return -1;
+ }
+ }
+
+ if (!buffer_is_empty(s->ssl_ca_file)) {
+ if (1 != SSL_CTX_load_verify_locations(s->ssl_ctx, s->ssl_ca_file->ptr, NULL)) {
+ log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
+ ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
+ return -1;
+ }
+ }
+
+ if (SSL_CTX_use_certificate_file(s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
+ log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
+ ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
+ return -1;
+ }
+
+ if (SSL_CTX_use_PrivateKey_file (s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
+ log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
+ ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
+ return -1;
+ }
+
+ if (SSL_CTX_check_private_key(s->ssl_ctx) != 1) {
+ log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:",
+ "Private key does not match the certificate public key, reason:",
+ ERR_error_string(ERR_get_error(), NULL),
+ s->ssl_pemfile);
+ return -1;
+ }
+ SSL_CTX_set_default_read_ahead(s->ssl_ctx, 1);
+ SSL_CTX_set_mode(s->ssl_ctx, SSL_CTX_get_mode(s->ssl_ctx) | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
+
+# ifndef OPENSSL_NO_TLSEXT
+ if (!SSL_CTX_set_tlsext_servername_callback(s->ssl_ctx, network_ssl_servername_callback) ||
+ !SSL_CTX_set_tlsext_servername_arg(s->ssl_ctx, srv)) {
+ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
+ "failed to initialize TLS servername callback, openssl library does not support TLS servername extension");
+ return -1;
+ }
+# endif
+ }
+#endif
+
b = buffer_init();
buffer_copy_string_buffer(b, srv->srvconf.bindhost);
diff --git a/tests/bug-06.conf b/tests/bug-06.conf
index 34db0e0f..8835535e 100644
--- a/tests/bug-06.conf
+++ b/tests/bug-06.conf
@@ -103,7 +103,7 @@ cgi.assign = ( ".pl" => "/usr/bin/perl",
ssl.engine = "disable"
-ssl.pemfile = "server.pem"
+# ssl.pemfile = "server.pem"
auth.backend = "plain"
auth.backend.plain.userfile = env.SRCDIR + "/tmp/lighttpd/lighttpd.user"
diff --git a/tests/bug-12.conf b/tests/bug-12.conf
index b23ae53d..61cba0e6 100644
--- a/tests/bug-12.conf
+++ b/tests/bug-12.conf
@@ -105,7 +105,7 @@ cgi.assign = ( ".pl" => "/usr/bin/perl",
ssl.engine = "disable"
-ssl.pemfile = "server.pem"
+# ssl.pemfile = "server.pem"
auth.backend = "plain"
auth.backend.plain.userfile = env.SRCDIR + "/tmp/lighttpd/lighttpd.user"
diff --git a/tests/fastcgi-10.conf b/tests/fastcgi-10.conf
index 087c17d4..1fa50fbe 100644
--- a/tests/fastcgi-10.conf
+++ b/tests/fastcgi-10.conf
@@ -82,7 +82,7 @@ cgi.assign = ( ".pl" => "/usr/bin/perl",
ssl.engine = "disable"
-ssl.pemfile = "server.pem"
+# ssl.pemfile = "server.pem"
auth.backend = "plain"
auth.backend.plain.userfile = env.SRCDIR + "/tmp/lighttpd/lighttpd.user"
diff --git a/tests/fastcgi-13.conf b/tests/fastcgi-13.conf
index 19d0b856..499a7f55 100644
--- a/tests/fastcgi-13.conf
+++ b/tests/fastcgi-13.conf
@@ -99,7 +99,7 @@ cgi.assign = ( ".pl" => "/usr/bin/perl",
ssl.engine = "disable"
-ssl.pemfile = "server.pem"
+# ssl.pemfile = "server.pem"
auth.backend = "plain"
auth.backend.plain.userfile = env.SRCDIR + "/tmp/lighttpd/lighttpd.user"
diff --git a/tests/fastcgi-auth.conf b/tests/fastcgi-auth.conf
index cac14535..47a9268d 100644
--- a/tests/fastcgi-auth.conf
+++ b/tests/fastcgi-auth.conf
@@ -104,7 +104,7 @@ cgi.assign = ( ".pl" => "/usr/bin/perl",
ssl.engine = "disable"
-ssl.pemfile = "server.pem"
+# ssl.pemfile = "server.pem"
auth.backend = "plain"
auth.backend.plain.userfile = env.SRCDIR + "/tmp/lighttpd/lighttpd.user"
diff --git a/tests/fastcgi-responder.conf b/tests/fastcgi-responder.conf
index 91553423..0f6c1dc8 100644
--- a/tests/fastcgi-responder.conf
+++ b/tests/fastcgi-responder.conf
@@ -106,7 +106,7 @@ cgi.assign = ( ".pl" => "/usr/bin/perl",
ssl.engine = "disable"
-ssl.pemfile = "server.pem"
+# ssl.pemfile = "server.pem"
auth.backend = "plain"
auth.backend.plain.userfile = env.SRCDIR + "/tmp/lighttpd/lighttpd.user"
diff --git a/tests/lighttpd.conf b/tests/lighttpd.conf
index 4fe516d2..2202100f 100644
--- a/tests/lighttpd.conf
+++ b/tests/lighttpd.conf
@@ -96,7 +96,7 @@ userdir.include-user = ( "jan" )
userdir.path = "/"
ssl.engine = "disable"
-ssl.pemfile = "server.pem"
+# ssl.pemfile = "server.pem"
$HTTP["host"] == "auth-htpasswd.example.org" {
auth.backend = "htpasswd"
diff --git a/tests/proxy.conf b/tests/proxy.conf
index e130d4a6..2e959acc 100644
--- a/tests/proxy.conf
+++ b/tests/proxy.conf
@@ -85,7 +85,7 @@ userdir.include-user = ( "jan" )
userdir.path = "/"
ssl.engine = "disable"
-ssl.pemfile = "server.pem"
+# ssl.pemfile = "server.pem"
auth.backend = "plain"
auth.backend.plain.userfile = env.SRCDIR + "/tmp/lighttpd/lighttpd.user"