From a5886b3a81f718817e20be66b14b50c522a91737 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stefan=20B=C3=BChler?=
Date: Mon, 22 Dec 2014 15:11:54 +0100
Subject: [PATCH] [mod_openssl] various fixes, fix error handling

- update docs with default options
- always set "session_id_context"
- load all algorithms
- cleanup error handling (abort on fatal errors, not the other way round, log non fatal errors in debug log-level)

Change-Id: I2b6028bbe97a237ab94ad00d58c7773d9d3d8830
---
 doc/mod_openssl.xml | 4 ++--
 src/modules/mod_openssl.c | 10 ++++++----
 src/modules/openssl_filter.c | 13 +++++++------
 3 files changed, 15 insertions(+), 12 deletions(-)

diff --git a/doc/mod_openssl.xml b/doc/mod_openssl.xml
index fd59d32..ecb7ab3 100644
--- a/doc/mod_openssl.xml
+++ b/doc/mod_openssl.xml
@@ -25,7 +25,7 @@ OpenSSL ecdh-curve name - list of OpenSSL options (default: NO_SSLv2, CIPHER_SERVER_PREFERENCE, NO_COMPRESSION) + list of OpenSSL options (default: NO_SSLv2, NO_SSLv3, CIPHER_SERVER_PREFERENCE, NO_COMPRESSION, SINGLE_DH_USE, SINGLE_ECDH_USE) enable client certificate verification (default: false)
@@ -61,7 +61,7 @@ "listen" => "0.0.0.0:443", "listen" => "[::]:443", "pemfile" => "/etc/certs/lighttpd.pem", - "options" => ["NO_SSLv3"], + "options" => ["ALL", "NO_TICKET"], ]; }
diff --git a/src/modules/mod_openssl.c b/src/modules/mod_openssl.c
index f4e6f6c..7e4d0a9 100644
--- a/src/modules/mod_openssl.c
+++ b/src/modules/mod_openssl.c
@@ -795,11 +795,12 @@ static gboolean openssl_setup(liServer *srv, liPlugin* p, liValue *val, gpointer
 goto error_free_socket;
 }
+ if (SSL_CTX_set_session_id_context(ctx->ssl_ctx, CONST_USTR_LEN("lighttpd")) != 1) {
+ ERROR(srv, "SSL_CTX_set_session_id_context(): %s", ERR_error_string(ERR_get_error(), NULL));
+ goto error_free_socket;
+ }
+
 if (verify_mode) {
- if (SSL_CTX_set_session_id_context(ctx->ssl_ctx, (void*) &srv, sizeof(srv)) != 1) {
- ERROR(srv, "SSL_CTX_set_session_id_context(): %s", ERR_error_string(ERR_get_error(), NULL));
- goto error_free_socket;
- }
 SSL_CTX_set_verify(ctx->ssl_ctx, verify_mode, verify_any ? openssl_verify_any_cb : NULL);
 SSL_CTX_set_verify_depth(ctx->ssl_ctx, verify_depth);
 }
@@ -915,6 +916,7 @@ gboolean mod_openssl_init(liModules *mods, liModule *mod) {
 SSL_load_error_strings();
 SSL_library_init();
+ OpenSSL_add_all_algorithms();
 if (0 == RAND_status()) {
 ERROR(mods->main, "SSL: %s", "not enough entropy in the pool");
diff --git a/src/modules/openssl_filter.c b/src/modules/openssl_filter.c
index 4f40ef2..e69ac3f 100644
--- a/src/modules/openssl_filter.c
+++ b/src/modules/openssl_filter.c
@@ -245,6 +245,7 @@ static void do_handle_error(liOpenSSLFilter *f, const char *sslfunc, int r, gboo
 default:
 was_fatal = FALSE;
+ /* get all errors from the error-queue */
 while((err = ERR_get_error())) {
 switch (ERR_GET_REASON(err)) {
 case SSL_R_SSL_HANDSHAKE_FAILURE:
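Review bot: The now-unconditional `SSL_CTX_set_session_id_context()` call gives every SSL_CTX the same fixed context string, and nothing in the hunk says why that is acceptable; the next reader will wonder whether two contexts with different verify settings can now accept each other's sessions. Suggested comment above the call: `/* a session id context is mandatory once client verification is enabled; one fixed application-wide value is fine because each SSL_CTX keeps its own internal session cache and sessions are never shared between them */`. If a shared external session cache or shared ticket keys are ever configured, the value would need to encode something per-context (the removed `&srv` address did not achieve that either). The error path's `ERR_error_string(ERR_get_error(), NULL)` formats into libcrypto's static buffer, which is not thread-safe, though that matches the file's existing style. openssl_setup starts and ends outside this hunk.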
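Review bot: `OpenSSL_add_all_algorithms()` is a macro whose expansion depends on how the library was built: with `OPENSSL_LOAD_CONF` defined it becomes `OPENSSL_add_all_algorithms_conf()` and loads the system openssl.cnf as a side effect, otherwise `OPENSSL_add_all_algorithms_noconf()`. Since mod_openssl_init is where the server decides what gets initialised, the intent should be explicit — either call `OPENSSL_add_all_algorithms_noconf();` directly, or keep the macro and add `/* may also load openssl.cnf, depending on OPENSSL_LOAD_CONF in the library build */`. The cipher/digest tables it registers are released by `EVP_cleanup()`; the module's teardown is not visible from this hunk, so it is worth checking that the matching call exists there. mod_openssl_init continues past the hunk.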
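Review bot: The moved comment `/* get all errors from the error-queue */` says what the loop does but not why draining everything matters: the queue is per-thread and is what `SSL_get_error()` consults, so any entry left behind would be attributed to the next OpenSSL call on this worker. Suggested wording: `/* drain the whole per-thread error queue: entries left behind would be misattributed by the next SSL_get_error() on this thread */`. The loop continues into the next hunk and do_handle_error starts before this one.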
@@ -253,17 +254,17 @@ static void do_handle_error(liOpenSSLFilter *f, const char *sslfunc, int r, gboo
 case SSL_R_SSLV3_ALERT_BAD_CERTIFICATE:
 case SSL_R_NO_SHARED_CIPHER:
 case SSL_R_UNKNOWN_PROTOCOL:
- /* TODO: if (!con->conf.log_ssl_noise) */ continue;
- break;
+ _DEBUG(f->srv, f->wrk, f->log_context, "%s: %s", sslfunc,
+ ERR_error_string(err, NULL));
+ continue;
 default:
 was_fatal = TRUE;
+ _ERROR(f->srv, f->wrk, f->log_context, "%s: %s", sslfunc,
+ ERR_error_string(err, NULL));
 break;
 }
- /* get all errors from the error-queue */
- _ERROR(f->srv, f->wrk, f->log_context, "%s: %s", sslfunc, ERR_error_string(err, NULL));
 }
- if (!was_fatal) f_abort_ssl(f);
+ if (was_fatal) f_abort_ssl(f);
 }
 }
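Review bot: Both new log calls pass `ERR_error_string(err, NULL)`, which formats into a single static buffer inside libcrypto; with the filter evidently running on worker threads (`f->wrk`), two workers logging at the same time can overwrite each other's text before it is emitted. The thread-safe form is `ERR_error_string_n()` into a stack buffer, shown below for the two call sites with the buffer declared at the top of do_handle_error. Separately, after this rewrite a handshake that failed only for the "noise" reasons (no shared cipher, bad certificate, unknown protocol) no longer reaches `f_abort_ssl()`, because those cases `continue` without setting `was_fatal`; if the caller does not tear the connection down on its own, an SSL object that already reported SSL_ERROR_SSL would be kept alive, so `was_fatal` should probably select only the log level while the abort happens whenever the queue was non-empty — the caller is outside this hunk, so please confirm. do_handle_error starts before this hunk.
```c
	/* … unchanged: outer switch on r, error-queue loop, noise case labels … */
				ERR_error_string_n(err, errbuf, sizeof errbuf); /* errbuf: char errbuf[256] at function top */
				_DEBUG(f->srv, f->wrk, f->log_context, "%s: %s", sslfunc, errbuf);
				continue;
			default:
				was_fatal = TRUE;
				ERR_error_string_n(err, errbuf, sizeof errbuf);
				_ERROR(f->srv, f->wrk, f->log_context, "%s: %s", sslfunc, errbuf);
				break;
	/* … unchanged: end of loop, abort decision … */
```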