Commit Graph

15 Commits (e29f7d57389f687b9e22399252ad398b5d7316de)

Author SHA1 Message Date
Glenn Strauss 21081c7b72 [mod_openssl] fix compile with openssl 1.1.0
fix compile with openssl 1.1.0
remove stray tabs from prior commit

(thx gazoo74)
6 years ago
Gaël PORTAY 04d510af20 [mod_openssl] ignore client verification error if not enforced
ignore client verification error if not enforced
  e.g. *not* ssl.verifyclient.enforce = "enable"

github: closes #83

x-ref:
  "ignore client verification error if not enforced"
  https://github.com/lighttpd/lighttpd1.4/pull/83
6 years ago
Glenn Strauss 0399609ac2 [mod_openssl] ssl.ca-dn-file (fixes #2694)
(original patch by mackyle)

The ssl.ca-dn-file option provides independent control of
the "certificate_authorities" field (see RFC 5246 section
7.4.4 Certificate Request) separate from the actual list
of trusted certificate authorities used for client
certificate verification.

It may be necessary to send a hint that includes the DN
of a non-root client CA in order to receive the correct
certificate from the client, but such a non-root CA really
does not belong in the trusted client root CA list.

Signed-off-by: Kyle J. McKay mackyle@gmail.com

github: closes #64

x-ref:
  "add support for ssl.cadn-file"
  https://redmine.lighttpd.net/issues/2694
  https://github.com/lighttpd/lighttpd1.4/pull/64
6 years ago
Gaël PORTAY e422ac128a [mod_openssl] ssl.ca-crl-file for CRL (fixes #2319)
(original patch by binbrain, and updated by flynn)

github: closes #82

x-ref:
  "Support CRLs for client certificate verification"
  https://redmine.lighttpd.net/issues/2319
  https://github.com/lighttpd/lighttpd1.4/pull/82
6 years ago
Glenn Strauss 86bb8be2c8 [core] perf: skip redundant strlen() if len known
performance: skip redundant strlen() if length is already known

introduce array_get_element_klen() to take key and klen params
6 years ago
Glenn Strauss a434a3fab0 [mod_openssl] free local_send_buffer at exit 6 years ago
Glenn Strauss 78cc72726d [mod_extforward] support HAProxy "PROXY" protocol (fixes #2804)
experimental support to receive requests via HAProxy "PROXY" protocol

x-ref:
  "The PROXY protocol - Versions 1 & 2"
  http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
  "support (HAProxy) PROXY protocol for receiving requests"
  https://redmine.lighttpd.net/issues/2804
6 years ago
Glenn Strauss e33ec75999 [core] save connection-level proto in con->proto
The per-request scheme starts with con->proto (e.g. "http")
and can later be changed per-request by mod_extforward or mod_magnet
6 years ago
Glenn Strauss 1485cb401b [core] fix crash if invalid config file (fixes #2798)
If lighttpd.conf is invalid, some modules may not have initialized their
per-context config structures, but will have their free-functions
called, which should not be run on uninitialized per-context configs.

x-ref:
  "Segfault with simple-vhost.debug = "enable""
  https://redmine.lighttpd.net/issues/2798
6 years ago
Glenn Strauss 82501d24f2 [mod_openssl] inherit ssl.* from global scope
inherit ssl.* from global scope if $SERVER["socket"] contains
ssl.engine = "enable" and no other ssl.* settings

(In earlier versions of lighttpd, specifying ssl.engine = "enable"
 without specifying ssl.pemfile was a configuration error, so this
 change should not break any pre-existing and previously working
 configs)

x-ref:
  https://github.com/pfsense/FreeBSD-ports/pull/284
6 years ago
Glenn Strauss acc37c1cbc [mod_openssl] use TLS SNI to set host-based certs
and then allow HTTP Host header to set con->uri.authority

remove con->tlsext_server_name
6 years ago
Glenn Strauss 20946a8b92 [mod_openssl] allow ssl.verifyclient on url paths (fixes #2245)
re-patch mod_openssl config within the request so that per-request
settings can be applied, such as activating client cert verification
for specific URL paths.

(This can be used in conjunction with auth.backend = "extern"
 to require auth to occur)

x-ref:
  "SSL : authenticate only clients for a particular URL"
  https://redmine.lighttpd.net/issues/2245
6 years ago
Glenn Strauss 8960633dc7 [mod_openssl] move openssl config into mod_openssl
move openssl data structures and config parsing into mod_openssl
6 years ago
Glenn Strauss bdbea2aea8 [mod_openssl] move openssl code into mod_openssl
large code move, but minimal changes made to code (besides whitespace),
so that code builds

next: need to isolate openssl data structures and config parsing
6 years ago
Glenn Strauss cb9ebe9fa6 [mod_openssl] new module (preliminary layout) 6 years ago