authorStefan Bühler <stbuehler@web.de>2013-08-30 13:14:50 +0000
committerStefan Bühler <stbuehler@web.de>2013-08-30 13:14:50 +0000
commit93fd9ea7a43db9223d4d2d17b8549cf17d769735 (patch)
tree97f1d21fefc0857f24b693e589bc1450aa88c450 /src
parent6d4d2118c3302f2feffc242abfa75bfa5608e7d2 (diff)
downloadlighttpd-git-93fd9ea7a43db9223d4d2d17b8549cf17d769735.tar.gz
[ssl] add option ssl.empty-fragments, defaulting to disabled (fixes #2492)
If ssl.empty-fragments is enabled but the OpenSSL version lighttpd was compiled against does not support empty fragments, a warning is logged (the option may still take effect). From: Stefan Bühler <stbuehler@web.de> git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2891 152afb58-edef-0310-8abb-c4023f1b3aa9
Diffstat (limited to 'src')
-rw-r--r--src/base.h1
-rw-r--r--src/configfile.c6
-rw-r--r--src/network.c10
3 files changed, 17 insertions, 0 deletions
diff --git a/src/base.h b/src/base.h
index 90b2847d..1dcaaeed 100644
--- a/src/base.h
+++ b/src/base.h
@@ -278,6 +278,7 @@ typedef struct {
buffer *ssl_dh_file;
buffer *ssl_ec_curve;
unsigned short ssl_honor_cipher_order; /* determine SSL cipher in server-preferred order, not client-order */
+ unsigned short ssl_empty_fragments; /* whether to not set SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS */
unsigned short ssl_use_sslv2;
unsigned short ssl_use_sslv3;
unsigned short ssl_verifyclient;
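Review bot: The field comment on the added `ssl_empty_fragments` line is a double negative ("whether to not set SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS") that does not tell a reader which value is the secure one or what the option protects against. Since clearing SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS re-enables OpenSSL's empty-fragment countermeasure for CBC ciphers under SSL 3.0/TLS 1.0, a comment that names the trade-off would be more useful: `/* 1: clear SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS so OpenSSL inserts empty fragments (its CBC countermeasure for SSL 3.0/TLS 1.0); 0: leave the option as initialised, for clients that cannot handle empty records */`. The enclosing struct starts and ends outside this hunk.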
diff --git a/src/configfile.c b/src/configfile.c
index 15cc6e44..b4d672d8 100644
--- a/src/configfile.c
+++ b/src/configfile.c
@@ -107,6 +107,7 @@ static int config_insert(server *srv) {
{ "ssl.ec-curve", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 64 */
{ "ssl.disable-client-renegotiation", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER },/* 65 */
{ "ssl.honor-cipher-order", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 66 */
+ { "ssl.empty-fragments", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 67 */
{ "server.host", "use server.bind instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
{ "server.docroot", "use server.document-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
@@ -179,6 +180,7 @@ static int config_insert(server *srv) {
s->use_xattr = 0;
s->ssl_enabled = 0;
s->ssl_honor_cipher_order = 1;
+ s->ssl_empty_fragments = 0;
s->ssl_use_sslv2 = 0;
s->ssl_use_sslv3 = 1;
s->use_ipv6 = 0;
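Review bot: The default `s->ssl_empty_fragments = 0;` resolves a security-versus-interoperability trade-off in favour of interoperability, and the line gives no hint that this is a deliberate choice rather than an oversight. Leaving the option at 0 presumably keeps SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS wherever the SSL_CTX options are initialised (that code is not in this hunk), which means the CBC countermeasure stays off unless an administrator opts in. Suggest annotating the default: `s->ssl_empty_fragments = 0; /* off by default: empty fragments are OpenSSL's SSL3/TLS1.0 CBC countermeasure, but some clients choke on them (#2492) */`. config_insert's body continues outside the hunk.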
@@ -250,6 +252,7 @@ static int config_insert(server *srv) {
cv[63].destination = s->ssl_dh_file;
cv[64].destination = s->ssl_ec_curve;
cv[66].destination = &(s->ssl_honor_cipher_order);
+ cv[67].destination = &(s->ssl_empty_fragments);
cv[49].destination = &(s->etag_use_inode);
cv[50].destination = &(s->etag_use_mtime);
@@ -343,6 +346,7 @@ int config_setup_connection(server *srv, connection *con) {
PATCH(ssl_dh_file);
PATCH(ssl_ec_curve);
PATCH(ssl_honor_cipher_order);
+ PATCH(ssl_empty_fragments);
PATCH(ssl_use_sslv2);
PATCH(ssl_use_sslv3);
PATCH(etag_use_inode);
@@ -411,6 +415,8 @@ int config_patch_connection(server *srv, connection *con, comp_key_t comp) {
PATCH(ssl_ca_file);
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.honor-cipher-order"))) {
PATCH(ssl_honor_cipher_order);
+ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.empty-fragments"))) {
+ PATCH(ssl_empty_fragments);
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv2"))) {
PATCH(ssl_use_sslv2);
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv3"))) {
diff --git a/src/network.c b/src/network.c
index e368a524..395dfae9 100644
--- a/src/network.c
+++ b/src/network.c
@@ -613,6 +613,16 @@ int network_init(server *srv) {
return -1;
}
+ if (s->ssl_empty_fragments) {
+#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
+ ssloptions &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+#else
+ ssloptions &= ~0x00000800L; /* hardcode constant */
+ log_error_write(srv, __FILE__, __LINE__, "ss", "WARNING: SSL:",
+ "'insert empty fragments' not supported by the openssl version used to compile lighttpd with");
+#endif
+ }
+
SSL_CTX_set_options(s->ssl_ctx, ssloptions);
SSL_CTX_set_info_callback(s->ssl_ctx, ssl_info_callback);
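Review bot: In the `#else` branch the line `ssloptions &= ~0x00000800L;` clears a bit that the OpenSSL headers of this build never named, then only warns and continues, so an administrator who enabled `ssl.empty-fragments` for its CBC countermeasure silently gets a best-effort guess; at minimum the magic number needs a comment stating its provenance, e.g. `/* 0x00000800L is the value of SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS in the OpenSSL releases that define it; headers here predate it, so clear it blindly and warn */`. The warning text itself is also garbled ("used to compile lighttpd with") and does not name the option or the macro, which is what an operator reading the log needs; something like `"'ssl.empty-fragments' requested, but the OpenSSL headers lighttpd was built against do not define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; applied blindly"` would be clearer. Because the header and the run-time library can differ, the note should make explicit that a mismatch here is not detected at run time. The initialisation of `ssloptions` and the rest of network_init() lie outside the hunk, so whether the bit is set to begin with (for instance via SSL_OP_ALL) cannot be confirmed from this view.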