Commit Graph

98 Commits

Author SHA1 Message Date
Glenn Strauss 5bbf0d34ca [mod_openssl] compat with BoringSSL 2020-07-08 22:51:31 -04:00
Glenn Strauss b2b6257c7a [mod_openssl] OCSP stapling (fixes #2469)
Define ssl.stapling-file in lighttpd.conf in same scope as ssl.pemfile

  "OCSP Stapling"
2020-07-08 22:51:31 -04:00
Glenn Strauss 60ddaf26c4 [mod_openssl] basic SSL_CONF_cmd for alt TLS libs
provide *basic* (limited) parsing of ssl.openssl.ssl-conf-cmd
for BoringSSL, LibreSSL, WolfSSL
2020-07-08 22:51:31 -04:00
Glenn Strauss 1ba36fda93 [mod_openssl] move SSL_CTX curve conf to new func 2020-07-08 22:51:31 -04:00
Glenn Strauss 3fbedbced2 [mod_openssl] set SSL_OP_PRIORITIZE_CHACHA
set SSL_OP_PRIORITIZE_CHACHA, if available, when
  ssl.honor-cipher-order = "enable"
2020-07-08 22:51:31 -04:00
Glenn Strauss 7d9052c059 [mod_openssl] compat with WolfSSL 2020-07-08 22:51:31 -04:00
Glenn Strauss b4036938de [mod_openssl] compat with LibreSSL 2020-07-08 22:51:31 -04:00
Glenn Strauss c93ecb32a5 [mod_openssl] disable session cache; prefer ticket
reduce memory usage and overhead

many TLSv1.2 implementations support TLSv1.2 session ticket extension
2020-07-08 22:51:31 -04:00
Glenn Strauss 32a2145f67 [mod_openssl] ssl.stek-file to specify encrypt key
ssl.stek-file to specify session ticket encryption key (STEK)
If ssl.stek-file is specified, it overrides builtin STEK rotation.
STEK file is checked for changes (stat()) once every 64 seconds.

STEK file should be stored in non-persistent storage,
  e.g. /dev/shm/lighttpd/stek-file  (in memory)
with appropriate permissions set to keep stek-file from being
read by other users.  Where possible, systems should also be
configured without swap.

Admin should schedule an independent job to periodically
generate a new STEK up to 3 times during key lifetime
(lighttpd stores up to 3 keys)

format of binary file is:
   4-byte - format version (always 0; for use if format changes)
   4-byte - activation timestamp
   4-byte - expiration timestamp
  16-byte - session ticket key name
  32-byte - session ticket HMAC encrpytion key
  32-byte - session ticket AES encrpytion key

STEK file can be created with a command such as:
  dd if=/dev/random bs=1 count=80 status=none | \
    perl -e 'print pack("iii",0,time()+300,time()+86400),<>' \
    > STEK-file.$$ && mv STEK-file.$$ STEK-file

The above delays activation time by 5 mins (+300 sec) to allow file to
be propagated to other machines.  (admin must handle this independently)
If STEK generation is performed immediately prior to starting lighttpd,
admin should activate keys immediately (without +300).
2020-07-08 22:51:31 -04:00
Glenn Strauss 953fa4ba4d [mod_openssl] rotate session ticket encryption key
server ticket encryption key (STEK) rotation occurs every 28800 seconds
(8 hours) and upon lighttpd server restart.  While lighttpd is running,
(3) encryption keys are preserved, so tickets expire after 1 day.

If using lighttpd with multiple lighttpd workers, then restarting
lighttpd keeps the STEK in sync between lighttpd workers, though
restarting lighttpd three times a day might not be palatable.
Work is in progress to allow admin to supply new encryption keys.
2020-07-08 22:51:31 -04:00
Glenn Strauss 10c65e88f7 [mod_openssl] update default DH params
update default DH params to use RFC 7919 FFDHE2048 2048-bit group
if ssl.dh-file is not specified
2020-07-08 22:51:31 -04:00
Glenn Strauss 27dbac34a8 [mod_openssl] use openssl feature define for ALPN
use #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
rather than checking OPENSSL_VERSION_NUMBER >= 0x10002000 (1.0.2)
2020-07-08 22:51:31 -04:00
Glenn Strauss bdb3040f14 [mod_openssl] use SSL_OP_NO_RENEGOTIATION if avail
use [mod_openssl] SSL_OP_NO_RENEGOTIATION if available
(openssl 1.1.0 and later)
2020-07-08 22:51:31 -04:00
Glenn Strauss 3403382261 [mod_openssl] issue warning for deprecated options 2020-07-08 22:51:31 -04:00
Glenn Strauss d605c83a73 [mod_openssl] enable read-ahead, if set, after SNI
note: not disabling if enabled; extra blocks may already have been read
2020-07-08 22:51:31 -04:00
Glenn Strauss c18f442a63 [multiple] add summaries to top of some modules 2020-07-08 22:51:31 -04:00
Glenn Strauss acff179322 [mod_openssl] set chains from callback in 1.0.2+ (#2842)
mod_openssl leverages cert callback in openssl 1.0.2 and later

server certificate chain
  is now set in the cert callback

verify_store (for client certificate verification) (
  is now set in the cert callback

more carefully load sensitive files and clear temporary storage
  (with openssl 1.1.1 and later)

  "Lighttpd Returns Wrong Cert In Multi-cert Set-up"
2020-07-08 22:51:31 -04:00
Glenn Strauss 01b1f16b3f [mod_openssl] set cert from callback in 1.0.2+ (fixes #2842)
set server certificate from callback in openssl 1.0.2 and later

For existing versions of lighttpd, certificate selection influenced by
ssl.cipher-list which can be used to set server cipher order preference
(along with ssl.honor-cipher-order = "enable", which is the default)

  "Lighttpd Returns Wrong Cert In Multi-cert Set-up"
  "lighttpd uses wrong pem-file"
2020-07-08 22:51:31 -04:00
Glenn Strauss 2a5b7c648a [mod_openssl] rotate session ticket encryption key
server ticket encryption key (STEK) rotation occurs every 86400 seconds
and upon lighttpd server restart.  If using lighttpd with multiple
lighttpd workers, then restarting lighttpd keeps the STEK in sync
between lighttpd workers.
2020-07-08 22:51:31 -04:00
Glenn Strauss 68d626fa9f [mod_openssl] SSL_R_UNEXPECTED_EOF_WHILE_READING
report SSL_R_UNEXPECTED_EOF_WHILE_READING if debug.log-ssl-noise enabled

added in openssl 1.1.1e and reverted in 1.1.1f, but kept in 3.0 branch
2020-07-08 22:51:31 -04:00
Glenn Strauss b33b6f9121 [mod_openssl] do not log ECONNRESET unless debug
do not log ECONNRESET to errorlog unless debug.log-ssl-noise = "enable"
2020-07-08 22:51:31 -04:00
Glenn Strauss ce7840504d [mod_openssl] disable cert vrfy if ALPN acme-tls/1
disable client cert verification if ALPN "acme-tls/1"
2020-07-08 19:54:30 -04:00
Glenn Strauss c752d4696e [multiple] correct misspellings in comments
  "Script for fixing spelling errors with codespell"
2020-07-08 19:54:30 -04:00
Glenn Strauss 7c7f8c467c [multiple] split con, request (very large change)
NB: r->tmp_buf == srv->tmp_buf (pointer is copied for quicker access)

NB: request read and write chunkqueues currently point to connection
    chunkqueues; per-request and per-connection chunkqueues are
    not distinct from one another
      con->read_queue  == r->read_queue
      con->write_queue == r->write_queue

NB: in the future, a separate connection config may be needed for
    connection-level module hooks.  Similarly, might need to have
    per-request chunkqueues separate from per-connection chunkqueues.
    Should probably also have a request_reset() which is distinct from
2020-07-08 19:54:29 -04:00
Glenn Strauss 100dfaa3f3 [core] move plugin_ctx into (request_st *)
NB: in the future, a separate plugin_ctx may be needed for
    connection-level plugins to keep state across multiple requests
2020-07-08 19:54:29 -04:00
Glenn Strauss 8131e4396d [core] move addtl request-specific struct members 2020-07-08 19:54:29 -04:00
Glenn Strauss 1dd58c5ad8 [multiple] con->proto_default_port 2020-07-08 19:54:28 -04:00
Glenn Strauss 034d7d6734 [core] http_request_host_policy w/ http_parseopts
pass http_parseopts arg (instead of con) to http_request_host_policy()
2020-07-08 19:54:28 -04:00
Glenn Strauss ca97505a72 [multiple] store srv->tmp_buf in tb var
rather than using srv->tmp_buf directly in code modifying temp buf (tb)
2020-07-08 19:54:28 -04:00
Glenn Strauss 0ff60d8218 [multiple] rename r to rc rv rd wr to be different
variable rename
2020-07-08 19:54:28 -04:00
Glenn Strauss 03b4c993d2 [multiple] generic config array type checking 2020-07-08 19:54:28 -04:00
Glenn Strauss b5775b9951 [multiple] reduce direct use of srv->errh 2020-07-08 19:54:28 -04:00
Glenn Strauss de73b190a4 [core] read up-to fixed size chunk before fionread 2020-07-08 19:54:28 -04:00
Glenn Strauss f24e6d696a [multiple] plugin_stats array
use global rather than passing around (server *) just for that

li_itostrn() and li_utostrn() return string length
(rather than requiring subsequent strlen() to find length)
2020-07-08 19:54:28 -04:00
Glenn Strauss 50bdb55de8 [multiple] connection hooks no longer get (srv *)
(explicit (server *) not passed; available in con->srv)
2020-07-08 19:54:28 -04:00
Glenn Strauss 010c28949c [multiple] prefer (connection *) to (srv *)
convert all log_error_write() to log_error() and pass (log_error_st *)

use con->errh in preference to srv->errh (even though currently same)

avoid passing (server *) when previously used only for logging (errh)
2020-07-08 19:54:28 -04:00
Glenn Strauss 24680a9142 [core] array_init() arg for initial size 2020-07-08 18:08:52 -04:00
Glenn Strauss b73949e03f [multiple] plugin.c handles common FREE_FUNC code
(simpler for modules; less boilerplate to cut-n-paste)
2020-07-08 18:08:51 -04:00
Glenn Strauss 83633a9f06 [mod_openssl] use config_plugin_values_init() 2020-07-08 18:08:51 -04:00
Glenn Strauss d23071a38f [core] config_get_config_cond_info()
isolate direct use of (data_config *)
2020-07-08 18:08:51 -04:00
Glenn Strauss e2de4e581e [core] const char *name in struct plugin
put void *data (always used) as first member of struct plugin

add int nconfig member to PLUGIN_DATA

calloc() inits p->data to NULL
2020-05-23 17:59:29 -04:00
Glenn Strauss 36f64b26a1 [core] simpler config_check_cond()
optimize for common case where condition has been evaluated for
the request and a cached result exists

(also: begin isolating data_config)
2020-05-23 17:59:29 -04:00
Glenn Strauss c2238256e2 [core] inline array as part of data_array value
(instead of value being (array *))
2020-02-24 11:15:32 -05:00
Glenn Strauss 6eb34ef5ab [core] add const to callers of http_header_*_get()
(The few places where value is modified in-place were not made const)
2020-02-24 11:15:32 -05:00
Glenn Strauss 601c572c39 [core] inline buffer as part of data_string value
(instead of value being (buffer *))
2020-02-24 11:15:32 -05:00
Glenn Strauss 47a758f959 [core] inline buffer key for *_patch_connection()
handle buffer key as part of DATA_UNSET in *_patch_connection()
(instead of key being (buffer *))
2020-02-24 11:15:32 -05:00
Glenn Strauss ad9b7e009b [core] inline buffer as part of DATA_UNSET key
(instead of key being (buffer *))
2020-02-24 11:15:32 -05:00
Glenn Strauss a7a721ab43 [core] treat con->conditional_is_valid as bitfield 2020-02-24 11:15:32 -05:00
Glenn Strauss 83535bbef3 [core] differentiate array_get_* for ro and rw
array_get_element_klen() is now intended for read-only access
array_get_data_unset() is used by config processing for r/w access
array_get_buf_ptr() is used for r/w access to ds->value (string buffer)
2020-02-24 11:15:32 -05:00
Glenn Strauss fa8856757c [mod_openssl] reject invalid ALPN 2020-01-26 00:41:05 -05:00