Glenn Strauss
81e4f4c4a7
[TLS] detect expired stapling file at startup ( fixes #3056 )
also adjust time_t comparison to (pc_stapling_nextts > cur_ts + 256)
(time_t is expected to be signed integral type, but might be unsigned)
x-ref:
"OCSP Stapling reload seems not to work"
https://redmine.lighttpd.net/issues/3056
2 years ago
Glenn Strauss
0e2a14921e
[multiple] fix coverity warnings
2 years ago
Glenn Strauss
1212f60991
buffer_append_path_len() to join paths
use buffer_append_path_len() to join path segments
2 years ago
Glenn Strauss
a360eafc8b
[mod_nss] portability fix
check if NSS supports TLSv1.3 ciphers
(very old versions do not, and admins should consider upgrading NSS)
2 years ago
Glenn Strauss
3db556fde3
[mod_nss] update session ticket NSS devel comment
Update: NSS developer explains:
"The way that we currently operate is to tie the session key encryption
to the server public key. Which only works if you have an RSA key
configured"
https://bugzilla.mozilla.org/show_bug.cgi?id=1673254
2 years ago
Glenn Strauss
31fc3a0773
[TLS] server.feature-flags "ssl.session-cache"
disabled by default, but can be enabled
(session tickets should be preferred)
applies to mod_openssl, mod_wolfssl, mod_nss
session cache is not currently implemented in mod_mbedtls or mod_gnutls
2 years ago
Glenn Strauss
f65b054887
[mod_nss] more nss includes fixes
2 years ago
Glenn Strauss
033209393e
[multiple] test for nss includes
some distro packages deploy NSS includes under nss/, others nss3/
(and similar for nspr/ vs nspr4/)
2 years ago
Glenn Strauss
d865d8c330
[TLS] ignore empty "CipherString" in ssl-conf-cmd
e.g. ssl.openssl.ssl-conf-cmd = ("CipherString" => "")
2 years ago
Glenn Strauss
a46f519eb2
[multiple] use NSS crypto if no other crypto avail
use NSS crypto if no other crypto avail, but NSS crypto is available
"NSS crypto support" is not included in tests/LightyTest.pm:has_crypto()
due to NSS libraries (freebl3) lacking public export for HMAC funcs
2 years ago
Glenn Strauss
874707cd66
[TLS] use fdevent_load_file_bytes() for STEK file
remove direct dependency on <unistd.h> from lighttpd TLS modules
2 years ago
Glenn Strauss
16a70b9253
[multiple] TLS modules use chunkqueue_peek_data()
2 years ago
Glenn Strauss
a330746f06
[TLS] error if inherit empty TLS cfg from globals
error if $SERVER["socket"] inherits empty TLS config from global scope
and ssl.engine = "enable" in the $SERVER["socket"]
2 years ago
Glenn Strauss
bbcc2f229a
[multiple] allow TLS ALPN "h2" if "server.h2proto"
2 years ago
Glenn Strauss
87428818a1
[mod_nss] func renames for consistency
mod_nss was written using mod_mbedtls and mod_gnutls as templates,
but some code was accidentally committed with those other modules'
naming.
3 years ago
Glenn Strauss
33c8cf41db
[multiple] rename connection_reset hook to request
rename connection_reset to handle_request_reset
3 years ago
Glenn Strauss
164f7600b7
[multiple] con hooks store ctx in con->plugin_ctx
modules with connection level hooks now store ctx in con->plugin_ctx
3 years ago
Glenn Strauss
0ad57da55b
[mod_openssl,mbedtls,gnutls,nss] fdevent_load_file
employ fdevent_load_file() to load CRL, X509 cert, and private key files
into memory
3 years ago
Glenn Strauss
e00deb5578
[mod_nss] NSS option for TLS ( fixes #1218 )
(experimental)
WARNING: EXPERIMENTAL code sketch; mod_nss is INCOMPLETE and UNTESTED
mod_nss supports most ssl.* config options supported by mod_openssl
x-ref:
"alternate ssl backend"
https://redmine.lighttpd.net/issues/1218
3 years ago