Browse Source

[ssl] add option ssl.empty-fragments, defaulting to disabled (fixes #2492)

if ssl.empty-fragments is set to enabled, but the openssl version used
  to compile lighttpd doesn't support empty fragments, a warning is
  displayed (it might still work).

From: Stefan Bühler <stbuehler@web.de>

git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2891 152afb58-edef-0310-8abb-c4023f1b3aa9
svn/tags/lighttpd-1.4.33
Stefan Bühler 8 years ago
parent
commit
93fd9ea7a4
  1. 1
      NEWS
  2. 1
      src/base.h
  3. 6
      src/configfile.c
  4. 10
      src/network.c

1
NEWS

@ -25,6 +25,7 @@ NEWS
* [network] use constants available at compile time for maximum number of chunks for writev instead of calling sysconf (fixes #2470)
* [ssl] Fix $HTTP["scheme"] conditional, could be "http" for ssl connections if the ssl $SERVER["socket"] conditional was nested (fixes #2501)
* [ssl] accept ssl renegotiations if they are not disabled (fixes #2491)
* [ssl] add option ssl.empty-fragments, defaulting to disabled (fixes #2492)
- 1.4.32 - 2012-11-21
* Code cleanup with clang/sparse (fixes #2437, thx kibi)

1
src/base.h

@ -278,6 +278,7 @@ typedef struct {
buffer *ssl_dh_file;
buffer *ssl_ec_curve;
unsigned short ssl_honor_cipher_order; /* determine SSL cipher in server-preferred order, not client-order */
unsigned short ssl_empty_fragments; /* whether to not set SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS */
unsigned short ssl_use_sslv2;
unsigned short ssl_use_sslv3;
unsigned short ssl_verifyclient;

6
src/configfile.c

@ -107,6 +107,7 @@ static int config_insert(server *srv) {
{ "ssl.ec-curve", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 64 */
{ "ssl.disable-client-renegotiation", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER },/* 65 */
{ "ssl.honor-cipher-order", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 66 */
{ "ssl.empty-fragments", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 67 */
{ "server.host", "use server.bind instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
{ "server.docroot", "use server.document-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
@ -179,6 +180,7 @@ static int config_insert(server *srv) {
s->use_xattr = 0;
s->ssl_enabled = 0;
s->ssl_honor_cipher_order = 1;
s->ssl_empty_fragments = 0;
s->ssl_use_sslv2 = 0;
s->ssl_use_sslv3 = 1;
s->use_ipv6 = 0;
@ -250,6 +252,7 @@ static int config_insert(server *srv) {
cv[63].destination = s->ssl_dh_file;
cv[64].destination = s->ssl_ec_curve;
cv[66].destination = &(s->ssl_honor_cipher_order);
cv[67].destination = &(s->ssl_empty_fragments);
cv[49].destination = &(s->etag_use_inode);
cv[50].destination = &(s->etag_use_mtime);
@ -343,6 +346,7 @@ int config_setup_connection(server *srv, connection *con) {
PATCH(ssl_dh_file);
PATCH(ssl_ec_curve);
PATCH(ssl_honor_cipher_order);
PATCH(ssl_empty_fragments);
PATCH(ssl_use_sslv2);
PATCH(ssl_use_sslv3);
PATCH(etag_use_inode);
@ -411,6 +415,8 @@ int config_patch_connection(server *srv, connection *con, comp_key_t comp) {
PATCH(ssl_ca_file);
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.honor-cipher-order"))) {
PATCH(ssl_honor_cipher_order);
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.empty-fragments"))) {
PATCH(ssl_empty_fragments);
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv2"))) {
PATCH(ssl_use_sslv2);
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv3"))) {

10
src/network.c

@ -613,6 +613,16 @@ int network_init(server *srv) {
return -1;
}
if (s->ssl_empty_fragments) {
#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
ssloptions &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
#else
ssloptions &= ~0x00000800L; /* hardcode constant */
log_error_write(srv, __FILE__, __LINE__, "ss", "WARNING: SSL:",
"'insert empty fragments' not supported by the openssl version used to compile lighttpd with");
#endif
}
SSL_CTX_set_options(s->ssl_ctx, ssloptions);
SSL_CTX_set_info_callback(s->ssl_ctx, ssl_info_callback);

Loading…
Cancel
Save