(removed two commits ago)
must check selected ALPN after client hello has completed
for case where hctx->conf.ssl_acme_tls_1 is not enabled
or else ALPN "h2" will not be detected
(thx axe34)
Please note that this would not have crashed if "x-sendfile-docroot"
were set to restrict the locations of files that can be sent via
X-Sendfile. If users are untrusted, "x-sendfile" should not be
enabled without also configuring "x-sendfile-docroot"
x-ref:
"Server Aborted due to Malicious Data sent through CGI Sendfile"
https://redmine.lighttpd.net/issues/3062
mbedtls does not provide a callback for ALPN and expects certificate to
be set in SNI callback (if set), while still in MBEDTLS_SSL_CLIENT_HELLO
state. Waiting until after MBEDTLS_SSL_CLIENT_HELLO would be fine for
using ALPN for "h2", but is too late to set acme-tls/1 challenge cert.
Therefore, parse client hello for ALPN prior to initiating mbedtls
processing of handshake.
recognize and translate a common recommended cipherstring
"EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384"
(basically: EECDH+AESGCM:AES256+EECDH:CHACHA20
without CBC ciphers reported as weak by SSLLabs)
tighten struct data_config and config_cond_info
create config key at startup and reuse for debug/trace
separate routine for configparser_parse_condition()
separate routine for configparser_parse_else_condition()
also adjust time_t comparison to (pc_stapling_nextts > cur_ts + 256)
(time_t is expected to be signed integral type, but might be unsigned)
x-ref:
"OCSP Stapling reload seems not to work"
https://redmine.lighttpd.net/issues/3056
(thx Dirk) (reported on FreeBSD)
HTTP/1.1 requests might end up spinning if traffic limits are configured
(connection.kbytes-per-second)
(server.kbytes-per-second)
con->is_readable and con->is_writable might be set to -1 by TLS modules
which encounter SSL_WANT_READ or SSL_WANT_WRITE. Either might occur
during read or write, and so -1 was used to flag this.
However, code which used con->is_readable and con->is_writable now needs
to check for value > 0 rather than treating value as a boolean.
flagged by coverity
final segment of colon (':') separated string was being ignored
in some TLS config strings in mod_gnutls and mod_mbedtls
workaround: add ':' at end of config string (or apply this patch)
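The bug class in this last message, as an added example that is not lighttpd's code: a tokenizer that only records a segment when it sees the ':' terminator drops the final segment unless the string happens to end with ':' (which is exactly why the trailing-colon workaround helps). The assumption that the original loop had this shape is mine; the sample cipherstring is the one quoted earlier on this page.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_SEGS 16

typedef int (*split_fn)(const char *, const char *[], size_t[]);

/* Buggy: a segment is recorded only when ':' is reached, so the text
 * after the last ':' is never recorded (assumed shape of the defect). */
static int split_colon_buggy(const char *s, const char *segs[], size_t lens[]) {
    int n = 0;
    const char *start = s;
    for (const char *p = s; *p; ++p) {
        if (*p == ':') {
            if (p > start && n < MAX_SEGS) { segs[n] = start; lens[n] = (size_t)(p - start); ++n; }
            start = p + 1;
        }
    }
    return n;
}

/* Fixed: treat end of string like a delimiter so the trailing segment
 * is recorded whether or not the string ends with ':'. */
static int split_colon_fixed(const char *s, const char *segs[], size_t lens[]) {
    int n = 0;
    const char *start = s;
    for (const char *p = s; ; ++p) {
        if (*p == ':' || *p == '\0') {
            if (p > start && n < MAX_SEGS) { segs[n] = start; lens[n] = (size_t)(p - start); ++n; }
            if (*p == '\0') break;
            start = p + 1;
        }
    }
    return n;
}

/* Helpers so the behaviour can be checked on return values. */
static int seg_count(split_fn split, const char *s) {
    const char *segs[MAX_SEGS]; size_t lens[MAX_SEGS];
    return split(s, segs, lens);
}

static int last_seg_is(split_fn split, const char *s, const char *want) {
    const char *segs[MAX_SEGS]; size_t lens[MAX_SEGS];
    int n = split(s, segs, lens);
    return n > 0 && lens[n - 1] == strlen(want) && memcmp(segs[n - 1], want, lens[n - 1]) == 0;
}

/* Constructed input: the cipherstring quoted earlier on this page (6 segments). */
static const char *const kCipherString = "EECDH+AESGCM:AES256+EECDH:CHACHA20:!SHA1:!SHA256:!SHA384";
```

Running `seg_count` over `kCipherString` yields 5 with the buggy splitter and 6 with the fixed one; appending ':' to the input makes the buggy splitter return 6 as well, matching the workaround in the commit message.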