Commit Graph

33 Commits

Author SHA1 Message Date
Glenn Strauss 7a7f4f987a [mod_openssl] no renegotiation in TLS 1.3 (fixes #2912)
  "OpenSSL 1.1.1: renegotiation initiated by client, killing connection"
2018-10-06 05:07:28 -04:00
Glenn Strauss 3dd3cde902 [core] abstraction layer for HTTP header manip
convert existing calls to manip request/response headers
convert existing calls to manip environment array (often header-related)
2018-09-23 18:01:58 -04:00
Glenn Strauss a7c27c9f99 [core] code reuse with array_insert_key_value()
code reuse with array_insert_key_value() and related array manipulation
2018-09-16 05:18:05 -04:00
Glenn Strauss 76b9b1fa46 [mod_openssl] elliptic curve auto selection (fixes #2833)
elliptic curve auto selection where available
openssl v1.0.2 - SSL_CTX_set_ecdh_auto()
openssl v1.1.0 - ECDH support always enabled

  "Using X25519 Key exchange"

  "SSL_CTX_set_ecdh_auto is undefined for newer openssl's"
  It has been removed from OpenSSL 1.1.0.
  Here is the relevant CHANGES entry:
  *) SSL_{CTX_}set_ecdh_auto() has been removed and ECDH is support is
     always enabled now.  If you want to disable the support you should
     exclude it using the list of supported ciphers. This also means
     that the "-no_ecdhe" option has been removed from s_server.
     [Kurt Roeckx]
2018-01-06 20:15:09 -05:00
Glenn Strauss f90ccdef51 [mod_openssl] minor code cleanup; reduce var scope
('git show -u -b -w <commit-sha>' to see minimal changes)
2018-01-06 19:05:26 -05:00
Glenn Strauss 06d108855d [mod_openssl] quiet trace from TCP probes (#2784)
  "huge amount of "SSL: -1 5 0 Success" messages"
2017-11-06 21:39:00 -05:00
Glenn Strauss c09acbeb8a [mod_openssl] ssl.openssl.ssl-conf-cmd (fixes #2758)
(similar to Apache mod_ssl SSLOpenSSLConfCmd directive)


This new directive is for use with OpenSSL only, and is not currently
available in LibreSSL.

lighttpd takes "file commands" not "command line commands" as
openssl SSL_CONF_cmd() appears to permit only one mode at a time.

lighttpd processes this directive after all other ssl.* directives
have been applied for the $SERVER["socket"] scope.

  "Option to disable TLS session tickets"
  "Allow to selectively disable TLS 1.0, 1.1 and 1.2 versions"

github: closes #84
2017-11-04 21:45:33 -04:00
Glenn Strauss 1a22ca87f9 [mod_openssl] allow specifying server cert chain (fixes #2692)
  "allow setting explicit SSL server certificate chain"

github: closes #62
2017-11-04 17:01:32 -04:00
Glenn Strauss 35ecd4dd9d [mod_openssl] more pedantic check of return values
more pedantic check of return values for openssl interfaces

(and minor adjustment of whitespace)

2017-11-04 17:01:01 -04:00
Glenn Strauss bfef0907bd [mod_openssl] error if ssl.engine in wrong section (fixes #2837)
error if ssl.engine in wrong section of config.
ssl.engine is valid only in global scope or $SERVER["socket"] condition

  "HTTPS requests timeout when cert not set for socket"
2017-11-03 23:02:08 -04:00
Glenn Strauss 77bdaa3a93 [mod_openssl]"disable" by default
set = "disable" by default (modifies commit f4e1357d)

Given various reports from users of embedded systems, the default is
being changed to do the sane thing for these systems.  This is the
right setting on slow embedded systems for which decoding SSL input
is slower than receiving that input over the network.

On the other hand, for faster systems, = "enable" is
recommended for a slight performance gain and should be explicitly set
in the global or $SERVER["socket"] configuration blocks in lighttpd.conf

  "https POST requests buffered in RAM since v1.4.41?"
2017-10-19 08:51:20 -04:00
Glenn Strauss 0ff8904a72 [mod_openssl] remove erroneous SSL_set_shutdown()
remove erroneous call to SSL_set_shutdown()
(historical from commit:3888c103)
(erroneous since lighttpd 1.4.40 moved to bidirectional input/output)

  "wstunnel sample config"
2017-10-16 02:10:36 -04:00
Glenn Strauss 7661587f01 [mod_openssl] copy data for larger SSL packets
copy small mem chunks into single large buffer before SSL_write()
to reduce number times write() called underneath SSL_write() and
potentially reduce number of packets generated if socket TCP_NODELAY
2017-10-15 22:07:00 -04:00
Glenn Strauss f4e1357df5 [mod_openssl]"disable" for stream
set default = "disable" for streaming when = 1 or 2 is set in the global scope

It is still recommended that embedded and other low-memory systems
explicitly set = "disable" in the global scope
(regardless of setting)

On the other hand, for systems which enable
to non-zero value, and for which sufficient memory is available, then = "enable" is recommended and should be explicitly set
in the global or $SERVER["socket"] configuration blocks in lighttpd.conf

  "https POST requests buffered in RAM since v1.4.41?"
2017-09-10 18:52:41 -04:00
Glenn Strauss b50aa2df51 quell compiler warnings for -Wimplicit-fallthrough 2017-07-23 19:02:31 -04:00
Glenn Strauss 9fd39690be [mod_openssl] adjust use of is used to send list of valid CA DNs to client for client
cert verification.  If is not specified, then the CAs in are used.

client certs are validated against the set of certs from both and, but issuer of cert provided by
client must be in if is specified.

(certs should not need to be in to both and

(thx m4t)
2017-06-13 08:55:38 -04:00
Glenn Strauss 8af9e71ccc [core] allow earlier plugin init for SSL/TLS
If lighttpd is started privileged, then SSL/TLS modules need to be
initialized prior to chroot (optional) and prior to dropping privileges
in order to be able to read sensitive files such as private certificates

(thx m4t)
2017-05-21 21:31:05 -04:00
Glenn Strauss fb87ae8604 [mod_openssl] safer_X509_NAME_oneline() (fixes #2693)
provide a safer X590_NAME_oneline() with return value semantics similar
to those of snprintf() and use safer_X509_NAME_oneline() to set
SSL_CLIENT_S_DN when client cert is validated.

The manpage for X509_NAME_oneline() says:

    The functions X509_NAME_oneline() and X509_NAME_print() are legacy functions which produce a non standard output form, they don't handle multi character fields and have various quirks and inconsistencies. Their use is strongly discouraged in new applications.

Besides X509_NAME_oneline() function being deprecated, until fairly recently, there was a security issue with the function, too.

    The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.

github: closes #63, closes #83

2017-05-21 00:32:52 -04:00
Glenn Strauss 21081c7b72 [mod_openssl] fix compile with openssl 1.1.0
fix compile with openssl 1.1.0
remove stray tabs from prior commit

(thx gazoo74)
2017-05-17 00:44:55 -04:00
Gaël PORTAY 04d510af20 [mod_openssl] ignore client verification error if not enforced
ignore client verification error if not enforced
  e.g. *not* ssl.verifyclient.enforce = "enable"

github: closes #83

  "ignore client verification error if not enforced"
2017-05-16 22:25:00 -04:00
Glenn Strauss 0399609ac2 [mod_openssl] (fixes #2694)
(original patch by mackyle)

The option provides independent control of
the "certificate_authorities" field (see RFC 5246 section
7.4.4 Certificate Request) separate from the actual list
of trusted certificate authorities used for client
certificate verification.

It may be necessary to send a hint that includes the DN
of a non-root client CA in order to receive the correct
certificate from the client, but such a non-root CA really
does not belong in the trusted client root CA list.

Signed-off-by: Kyle J. McKay

github: closes #64

  "add support for ssl.cadn-file"
2017-05-15 23:12:36 -04:00
Gaël PORTAY e422ac128a [mod_openssl] for CRL (fixes #2319)
(original patch by binbrain, and updated by flynn)

github: closes #82

  "Support CRLs for client certificate verification"
2017-05-15 22:02:33 -04:00
Glenn Strauss 86bb8be2c8 [core] perf: skip redundant strlen() if len known
performance: skip redundant strlen() if length is already known

introduce array_get_element_klen() to take key and klen params
2017-05-15 22:02:33 -04:00
Glenn Strauss a434a3fab0 [mod_openssl] free local_send_buffer at exit 2017-04-15 03:42:28 -04:00
Glenn Strauss 78cc72726d [mod_extforward] support HAProxy "PROXY" protocol (fixes #2804)
experimental support to receive requests via HAProxy "PROXY" protocol

  "The PROXY protocol - Versions 1 & 2"
  "support (HAProxy) PROXY protocol for receiving requests"
2017-04-07 02:31:13 -04:00
Glenn Strauss e33ec75999 [core] save connection-level proto in con->proto
The per-request scheme starts with con->proto (e.g. "http")
and can later be changed per-request by mod_extforward or mod_magnet
2017-04-06 00:22:42 -04:00
Glenn Strauss 1485cb401b [core] fix crash if invalid config file (fixes #2798)
If lighttpd.conf is invalid, some modules may not have initialized their
per-context config structures, but will have their free-functions
called, which should not be run on uninitialized per-context configs.

  "Segfault with simple-vhost.debug = "enable""
2017-03-13 19:30:09 -04:00
Glenn Strauss 82501d24f2 [mod_openssl] inherit ssl.* from global scope
inherit ssl.* from global scope if $SERVER["socket"] contains
ssl.engine = "enable" and no other ssl.* settings

(In earlier versions of lighttpd, specifying ssl.engine = "enable"
 without specifying ssl.pemfile was a configuration error, so this
 change should not break any pre-existing and previously working

2017-02-02 08:48:29 -05:00
Glenn Strauss acc37c1cbc [mod_openssl] use TLS SNI to set host-based certs
and then allow HTTP Host header to set con->uri.authority

remove con->tlsext_server_name
2017-01-31 14:36:15 -05:00
Glenn Strauss 20946a8b92 [mod_openssl] allow ssl.verifyclient on url paths (fixes #2245)
re-patch mod_openssl config within the request so that per-request
settings can be applied, such as activating client cert verification
for specific URL paths.

(This can be used in conjunction with auth.backend = "extern"
 to require auth to occur)

  "SSL : authenticate only clients for a particular URL"
2017-01-31 14:36:14 -05:00
Glenn Strauss 8960633dc7 [mod_openssl] move openssl config into mod_openssl
move openssl data structures and config parsing into mod_openssl
2017-01-31 14:36:10 -05:00
Glenn Strauss bdbea2aea8 [mod_openssl] move openssl code into mod_openssl
large code move, but minimal changes made to code (besides whitespace),
so that code builds

next: need to isolate openssl data structures and config parsing
2017-01-14 01:06:16 -05:00
Glenn Strauss cb9ebe9fa6 [mod_openssl] new module (preliminary layout) 2017-01-14 01:06:16 -05:00