[mod_openssl] various fixes, fix error handling

- update docs with default options - always set "session_id_context" - load all algorithms - cleanup error handling (abort on fatal errors, not the other way round, log non fatal errors in debug log-level) Change-Id: I2b6028bbe97a237ab94ad00d58c7773d9d3d8830
8 years ago · a5886b3a81
parent 10305546cb
commit a5886b3a81
3 changed files with 15 additions and 12 deletions
--- a/doc/mod_openssl.xml
+++ b/doc/mod_openssl.xml
@ -25,7 +25,7 @@
 					<short>OpenSSL ecdh-curve name</short>
 				</entry>
 				<entry name="options">
-					<short>list of OpenSSL options (default: NO_SSLv2, CIPHER_SERVER_PREFERENCE, NO_COMPRESSION)</short>
+					<short>list of OpenSSL options (default: NO_SSLv2, NO_SSLv3, CIPHER_SERVER_PREFERENCE, NO_COMPRESSION, SINGLE_DH_USE, SINGLE_ECDH_USE)</short>
 				</entry>
 				<entry name="verify">
 					<short>enable client certificate verification (default: false)</short>
@ -61,7 +61,7 @@
 						"listen" => "0.0.0.0:443",
 						"listen" => "[::]:443",
 						"pemfile" => "/etc/certs/lighttpd.pem",
-						"options" => ["NO_SSLv3"],
+						"options" => ["ALL", "NO_TICKET"],
 					];
 				}
 			</config>
--- a/src/modules/mod_openssl.c
+++ b/src/modules/mod_openssl.c
@ -795,11 +795,12 @@ static gboolean openssl_setup(liServer *srv, liPlugin* p, liValue *val, gpointer
 		goto error_free_socket;
 	}

+	if (SSL_CTX_set_session_id_context(ctx->ssl_ctx, CONST_USTR_LEN("lighttpd")) != 1) {
+		ERROR(srv, "SSL_CTX_set_session_id_context(): %s", ERR_error_string(ERR_get_error(), NULL));
+		goto error_free_socket;
+	}
+
 	if (verify_mode) {
-		if (SSL_CTX_set_session_id_context(ctx->ssl_ctx, (void*) &srv, sizeof(srv)) != 1) {
-			ERROR(srv, "SSL_CTX_set_session_id_context(): %s", ERR_error_string(ERR_get_error(), NULL));
-			goto error_free_socket;
-		}
 		SSL_CTX_set_verify(ctx->ssl_ctx, verify_mode, verify_any ? openssl_verify_any_cb : NULL);
 		SSL_CTX_set_verify_depth(ctx->ssl_ctx, verify_depth);
 	}
@ -915,6 +916,7 @@ gboolean mod_openssl_init(liModules *mods, liModule *mod) {

 	SSL_load_error_strings();
 	SSL_library_init();
+	OpenSSL_add_all_algorithms();

 	if (0 == RAND_status()) {
 		ERROR(mods->main, "SSL: %s", "not enough entropy in the pool");
--- a/src/modules/openssl_filter.c
+++ b/src/modules/openssl_filter.c
@ -245,6 +245,7 @@ static void do_handle_error(liOpenSSLFilter *f, const char *sslfunc, int r, gboo
 	default:
 		was_fatal = FALSE;

+		/* get all errors from the error-queue */
 		while((err = ERR_get_error())) {
 			switch (ERR_GET_REASON(err)) {
 			case SSL_R_SSL_HANDSHAKE_FAILURE:
@ -253,17 +254,17 @@ static void do_handle_error(liOpenSSLFilter *f, const char *sslfunc, int r, gboo
 			case SSL_R_SSLV3_ALERT_BAD_CERTIFICATE:
 			case SSL_R_NO_SHARED_CIPHER:
 			case SSL_R_UNKNOWN_PROTOCOL:
-				/* TODO: if (!con->conf.log_ssl_noise) */ continue;
-				break;
+				_DEBUG(f->srv, f->wrk, f->log_context, "%s: %s", sslfunc,
+					ERR_error_string(err, NULL));
+				continue;
 			default:
 				was_fatal = TRUE;
+				_ERROR(f->srv, f->wrk, f->log_context, "%s: %s", sslfunc,
+					ERR_error_string(err, NULL));
 				break;
 			}
-			/* get all errors from the error-queue */
-			_ERROR(f->srv, f->wrk, f->log_context, "%s: %s", sslfunc,
-				ERR_error_string(err, NULL));
 		}
-		if (!was_fatal) f_abort_ssl(f);
+		if (was_fatal) f_abort_ssl(f);
 	}

 }