Browse Source

[mod_openssl] various fixes, fix error handling

- update docs with default options
- always set "session_id_context"
- load all algorithms
- cleanup error handling (abort on fatal errors, not the other way
  round, log non fatal errors in debug log-level)

Change-Id: I2b6028bbe97a237ab94ad00d58c7773d9d3d8830
personal/stbuehler/wip
Stefan Bühler 7 years ago
parent
commit
a5886b3a81
  1. 4
      doc/mod_openssl.xml
  2. 10
      src/modules/mod_openssl.c
  3. 13
      src/modules/openssl_filter.c

4
doc/mod_openssl.xml

@ -25,7 +25,7 @@
<short>OpenSSL ecdh-curve name</short>
</entry>
<entry name="options">
<short>list of OpenSSL options (default: NO_SSLv2, CIPHER_SERVER_PREFERENCE, NO_COMPRESSION)</short>
<short>list of OpenSSL options (default: NO_SSLv2, NO_SSLv3, CIPHER_SERVER_PREFERENCE, NO_COMPRESSION, SINGLE_DH_USE, SINGLE_ECDH_USE)</short>
</entry>
<entry name="verify">
<short>enable client certificate verification (default: false)</short>
@ -61,7 +61,7 @@
"listen" => "0.0.0.0:443",
"listen" => "[::]:443",
"pemfile" => "/etc/certs/lighttpd.pem",
"options" => ["NO_SSLv3"],
"options" => ["ALL", "NO_TICKET"],
];
}
</config>

10
src/modules/mod_openssl.c

@ -795,11 +795,12 @@ static gboolean openssl_setup(liServer *srv, liPlugin* p, liValue *val, gpointer
goto error_free_socket;
}
if (SSL_CTX_set_session_id_context(ctx->ssl_ctx, CONST_USTR_LEN("lighttpd")) != 1) {
ERROR(srv, "SSL_CTX_set_session_id_context(): %s", ERR_error_string(ERR_get_error(), NULL));
goto error_free_socket;
}
if (verify_mode) {
if (SSL_CTX_set_session_id_context(ctx->ssl_ctx, (void*) &srv, sizeof(srv)) != 1) {
ERROR(srv, "SSL_CTX_set_session_id_context(): %s", ERR_error_string(ERR_get_error(), NULL));
goto error_free_socket;
}
SSL_CTX_set_verify(ctx->ssl_ctx, verify_mode, verify_any ? openssl_verify_any_cb : NULL);
SSL_CTX_set_verify_depth(ctx->ssl_ctx, verify_depth);
}
@ -915,6 +916,7 @@ gboolean mod_openssl_init(liModules *mods, liModule *mod) {
SSL_load_error_strings();
SSL_library_init();
OpenSSL_add_all_algorithms();
if (0 == RAND_status()) {
ERROR(mods->main, "SSL: %s", "not enough entropy in the pool");

13
src/modules/openssl_filter.c

@ -245,6 +245,7 @@ static void do_handle_error(liOpenSSLFilter *f, const char *sslfunc, int r, gboo
default:
was_fatal = FALSE;
/* get all errors from the error-queue */
while((err = ERR_get_error())) {
switch (ERR_GET_REASON(err)) {
case SSL_R_SSL_HANDSHAKE_FAILURE:
@ -253,17 +254,17 @@ static void do_handle_error(liOpenSSLFilter *f, const char *sslfunc, int r, gboo
case SSL_R_SSLV3_ALERT_BAD_CERTIFICATE:
case SSL_R_NO_SHARED_CIPHER:
case SSL_R_UNKNOWN_PROTOCOL:
/* TODO: if (!con->conf.log_ssl_noise) */ continue;
break;
_DEBUG(f->srv, f->wrk, f->log_context, "%s: %s", sslfunc,
ERR_error_string(err, NULL));
continue;
default:
was_fatal = TRUE;
_ERROR(f->srv, f->wrk, f->log_context, "%s: %s", sslfunc,
ERR_error_string(err, NULL));
break;
}
/* get all errors from the error-queue */
_ERROR(f->srv, f->wrk, f->log_context, "%s: %s", sslfunc,
ERR_error_string(err, NULL));
}
if (!was_fatal) f_abort_ssl(f);
if (was_fatal) f_abort_ssl(f);
}
}

Loading…
Cancel
Save