authorGlenn Strauss <gstrauss@gluelogic.com>2023-04-23 09:04:05 -0400
committerGlenn Strauss <gstrauss@gluelogic.com>2023-05-03 23:11:35 -0400
commita5c170e3419869318d07c9f389090297ea3a101f (patch)
tree4c2c4a05f3c89f4caaf14abea07db8d85c052374
parent01da9c088c9b64f0dca0b00dfd87ec3f9001f3f5 (diff)
downloadlighttpd-git-a5c170e3419869318d07c9f389090297ea3a101f.tar.gz
[TLS] $SERVER["socket"] inherit global ssl.engine
$SERVER["socket"] inherits ssl.engine = "enable" from global scope.

This fixes the case of a TLS-enabled socket with missing TLS config: ssl.engine = "enable" is set in global scope, but the $SERVER["socket"] block itself does not contain ssl.engine = "enable" — e.g. TLS enabled by default and explicitly disabled on specific sockets:

server.port = 443
ssl.engine = "enable"
ssl.pemfile = ...
ssl.privkey = ...
$SERVER["socket"] == ":80" { ssl.engine = "disable" }
$SERVER["socket"] == "[::]:80" { ssl.engine = "disable" }
$SERVER["socket"] == ":443" { }
$SERVER["socket"] == "[::]:443" { }
-rw-r--r--src/mod_gnutls.c3
-rw-r--r--src/mod_mbedtls.c1
-rw-r--r--src/mod_nss.c3
-rw-r--r--src/mod_openssl.c27
-rw-r--r--src/mod_wolfssl.c3
5 files changed, 33 insertions, 4 deletions
diff --git a/src/mod_gnutls.c b/src/mod_gnutls.c
index d091243a..6f430aaa 100644
--- a/src/mod_gnutls.c
+++ b/src/mod_gnutls.c
@@ -2605,7 +2605,8 @@ CONNECTION_FUNC(mod_gnutls_handle_con_accept)
con->plugin_ctx[p->id] = hctx;
buffer_blank(&r->uri.authority);
- plugin_ssl_ctx * const s = p->ssl_ctxs + srv_sock->sidx;
+ plugin_ssl_ctx *s = p->ssl_ctxs + srv_sock->sidx;
+ if (NULL == s->priority_cache) s = p->ssl_ctxs; /*(inherit from global)*/
hctx->ssl_session_ticket = s->ssl_session_ticket;
int flags = GNUTLS_SERVER | GNUTLS_NO_SIGNAL | GNUTLS_NONBLOCK;
/* ??? add feature: GNUTLS_ENABLE_EARLY_START ??? */
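Review bot: The inheritance test on the new line keys on `s->priority_cache` being NULL, while the other backends in this commit key on `ssl_ctx` (openssl, wolfssl, mbedtls) or `model` (nss); nothing at the site says why priority_cache is the reliable marker for "no ssl.* directive in this $SERVER["socket"] scope", so a later change that fills priority_cache lazily would silently disable the fallback. I would document the invariant next to the check, e.g. `/* priority_cache is presumably set only when ssl.* directives were processed for this scope (confirm against the set_defaults path); ssl_ctxs[0] is the global scope */`. Note that if the global scope has no TLS config either, `s` now points at an equally empty entry and the code proceeds with a NULL priority_cache; I assume config validation rejects that combination, but it is worth stating. mod_gnutls_handle_con_accept continues outside the hunk.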
diff --git a/src/mod_mbedtls.c b/src/mod_mbedtls.c
index 8da81fce..0f429e50 100644
--- a/src/mod_mbedtls.c
+++ b/src/mod_mbedtls.c
@@ -2333,6 +2333,7 @@ CONNECTION_FUNC(mod_mbedtls_handle_con_accept)
buffer_blank(&r->uri.authority);
hctx->ssl_ctx = p->ssl_ctxs[srv_sock->sidx].ssl_ctx;
+ if (NULL == hctx->ssl_ctx) hctx->ssl_ctx = p->ssl_ctxs[0].ssl_ctx;
mbedtls_ssl_init(&hctx->ssl);
int rc = mbedtls_ssl_setup(&hctx->ssl, hctx->ssl_ctx);
if (0 == rc) {
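Review bot: After the added fallback, `hctx->ssl_ctx` is still NULL when neither the socket scope nor the global scope (`p->ssl_ctxs[0]`) built a config, and that NULL goes straight into `mbedtls_ssl_setup()` two lines later; whether the library reports that as an error or dereferences it depends on the mbedTLS version's argument validation, so I would not rely on it in a connection-accept path. A guard before `mbedtls_ssl_init()` that treats a NULL config as a setup failure, taking the same error path the `rc != 0` case takes (outside the hunk), would make the failure explicit. At minimum a comment on the new line, `/* index 0 is the global scope; NULL here means no ssl.* config in either scope */`, records what the fallback assumes. mod_mbedtls_handle_con_accept continues outside the hunk.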
diff --git a/src/mod_nss.c b/src/mod_nss.c
index 1d800706..735289ca 100644
--- a/src/mod_nss.c
+++ b/src/mod_nss.c
@@ -2308,7 +2308,8 @@ CONNECTION_FUNC(mod_nss_handle_con_accept)
con->plugin_ctx[p->id] = hctx;
buffer_blank(&r->uri.authority);
- plugin_ssl_ctx * const s = p->ssl_ctxs + srv_sock->sidx;
+ plugin_ssl_ctx *s = p->ssl_ctxs + srv_sock->sidx;
+ if (NULL == s->model) s = p->ssl_ctxs; /*(inherit from global scope)*/
hctx->ssl_session_ticket = s->ssl_session_ticket;
con->network_read = connection_read_cq_ssl;
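Review bot: The fallback on the new line uses `s->model == NULL` as the marker that this $SERVER["socket"] scope has no TLS setup, and as a consequence `hctx->ssl_session_ticket` on the next line is now read from the global entry too; that is presumably the intended inheritance, but neither fact is recorded at the site. I would extend the comment to `/* no ssl.* config in this socket scope (model unset): inherit global scope ctx, incl. session-ticket setting */`. As in the other backends, if the global entry is also unset, `s->model` stays NULL and the code continues; I assume startup config checks rule that out, but a comment saying so would help the next reader. mod_nss_handle_con_accept continues outside the hunk.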
diff --git a/src/mod_openssl.c b/src/mod_openssl.c
index 46a86d49..a587a74a 100644
--- a/src/mod_openssl.c
+++ b/src/mod_openssl.c
@@ -2694,6 +2694,30 @@ mod_openssl_set_defaults_sockets(server *srv, plugin_data *p)
#endif
free(srvplug.cvlist);
+
+ #if 0 /*(alt: inherit from global scope in mod_openssl_handle_con_accept()*/
+ if (defaults.ssl_enabled) {
+ #if 0 /* used == 0; priv_defaults hook is called before network_init() */
+ for (uint32_t i = 0; i < srv->srv_sockets.used; ++i) {
+ if (!srv->srv_sockets.ptr[i]->is_ssl) continue;
+ plugin_ssl_ctx *s = p->ssl_ctxs + srv->srv_sockets.ptr[i]->sidx;
+ if (!s->ssl_ctx)/*(no ssl.* directives; inherit from global scope)*/
+ *s = *p->ssl_ctxs;/*(copy struct of ssl_ctx from global scope)*/
+ }
+ #endif
+ for (uint32_t i = 1; i < srv->config_context->used; ++i) {
+ config_cond_info cfginfo;
+ config_get_config_cond_info(&cfginfo, (uint32_t)i);
+ if (cfginfo.comp != COMP_SERVER_SOCKET) continue;
+ plugin_ssl_ctx * const s = p->ssl_ctxs + i;
+ if (!s->ssl_ctx)
+ *s = *p->ssl_ctxs;/*(copy struct of ssl_ctx from global scope)*/
+ /* note: copied even when ssl.engine = "disabled",
+ * even though config will not be used when disabled */
+ }
+ }
+ #endif
+
return rc;
}
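Review bot: The 20-line `#if 0` block added to mod_openssl_set_defaults_sockets (with a second `#if 0` nested inside it) is dead code in a TLS module that already has five near-identical backends to keep in sync; it documents an alternative that was not chosen, but it will bit-rot silently and reads as if it might be enabled. I would reduce it to a short comment at the same spot, e.g. `/* $SERVER["socket"] scopes without ssl.* directives inherit the global ctx lazily in mod_openssl_handle_con_accept(); copying the global struct here is not done because srv_sockets is not populated until network_init() and the copy would also occur for ssl.engine = "disable" */`, which preserves the two observations the block records. The note about copying even when ssl.engine is disabled also makes explicit an assumption the chosen approach relies on: that the accept handler's fallback is only reached for sockets flagged is_ssl, which is worth stating in the accept handler itself. The rest of mod_openssl_set_defaults_sockets is outside the hunk.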
@@ -3318,7 +3342,8 @@ CONNECTION_FUNC(mod_openssl_handle_con_accept)
con->plugin_ctx[p->id] = hctx;
buffer_blank(&r->uri.authority);
- plugin_ssl_ctx * const s = p->ssl_ctxs + srv_sock->sidx;
+ plugin_ssl_ctx *s = p->ssl_ctxs + srv_sock->sidx;
+ if (NULL == s->ssl_ctx) s = p->ssl_ctxs; /*(inherit from global scope)*/
hctx->ssl = SSL_new(s->ssl_ctx);
if (NULL != hctx->ssl
&& SSL_set_app_data(hctx->ssl, hctx)
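Review bot: The fallback on the new line assumes `p->ssl_ctxs[0]` (the global scope) holds a usable SSL_CTX; when it does not, `SSL_new()` on the next line is called with NULL, which OpenSSL reports by returning NULL (so the existing `NULL != hctx->ssl` check catches it), but the resulting failure is then indistinguishable from an allocation error. A one-line comment would make the contract clear: `/* ssl_ctxs[0] is the global scope; ssl_ctx is NULL when no ssl.* directive was set in this $SERVER["socket"] scope */`. Checking `s->ssl_ctx` explicitly after the fallback and logging that TLS config is missing for this socket would aid diagnosis, if the accept path has a logging facility available (not visible here). mod_openssl_handle_con_accept continues outside the hunk.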
diff --git a/src/mod_wolfssl.c b/src/mod_wolfssl.c
index 2459396d..3a26cce9 100644
--- a/src/mod_wolfssl.c
+++ b/src/mod_wolfssl.c
@@ -3005,7 +3005,8 @@ CONNECTION_FUNC(mod_openssl_handle_con_accept)
con->plugin_ctx[p->id] = hctx;
buffer_blank(&r->uri.authority);
- plugin_ssl_ctx * const s = p->ssl_ctxs + srv_sock->sidx;
+ plugin_ssl_ctx *s = p->ssl_ctxs + srv_sock->sidx;
+ if (NULL == s->ssl_ctx) s = p->ssl_ctxs; /*(inherit from global scope)*/
hctx->ssl = SSL_new(s->ssl_ctx);
if (NULL != hctx->ssl
&& SSL_set_app_data(hctx->ssl, hctx)
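Review bot: Same fallback as mod_openssl, but here `SSL_new()` on the next line is wolfSSL's compatibility-layer function, and whether it returns NULL or dereferences a NULL ctx when `p->ssl_ctxs[0].ssl_ctx` is also unset is a library-version question I would not leave to chance in an accept path; an explicit `if (NULL == s->ssl_ctx)` after the fallback, taking the failure branch the `NULL != hctx->ssl` test already leads to, would remove the dependency. The new line also deserves the same comment as the other backends, `/* ssl_ctxs[0] is the global scope; inherit when this socket scope set no ssl.* directive */`. The enclosing function continues outside the hunk.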