Changeset 1890

Timestamp:

08/21/08 13:12:27 (3 months ago)

Author:

alo

Message:

--

Files:

• cherokee/trunk/ChangeLog (modified) (1 diff)
• cherokee/trunk/cherokee/downloader.c (modified) (2 diffs)
• cherokee/trunk/cherokee/socket.c (modified) (8 diffs)
• cherokee/trunk/cherokee/socket.h (modified) (1 diff)
• cherokee/trunk/cherokee/virtual_server.c (modified) (5 diffs)

cherokee/trunk/ChangeLog

@@ +1 @@
+2008-08-21  Alvaro Lopez Ortega  <alvaro@alobbs.com>
+
+        * cherokee/virtual_server.c, cherokee/socket.c, cherokee/socket.h,
+        cherokee/downloader.c: Adds TLS SNI support to the OpenSSL
+        backend.
+
-2008-08-20  Alvaro Lopez Ortega  <alvaro@alobbs.com>
-

cherokee/trunk/cherokee/downloader.c

@@ -205 +205 @@
-        if (ret != ret_ok) {
-
-
+o
-                 */
-                ret = cherokee_socket_gethostbyname (sock, host);
@@ -222 +222 @@
-         */
-        if (protocol == https) {
-
+, host
-                if (ret != ret_ok) return ret;
-        }

cherokee/trunk/cherokee/socket.c

@@ -423 +423 @@
-        }
-
+#ifndef OPENSSL_NO_TLSEXT 
+        SSL_set_app_data (socket->session, socket);
+#endif
+
-        /* Set the SSL context cache
-         */
@@ -1776 +1780 @@
-
-ret_t 
-
+, cherokee_buffer_t *host
-{
-#ifdef HAVE_TLS
@@ -1821 +1825 @@
-                 (re == GNUTLS_E_INTERRUPTED));
-
+        UNUSED (host);
+
-# elif defined (HAVE_OPENSSL)
+        char *error;
-
-        socket->is_tls = TLS;
@@ -1829 +1836 @@
-        socket->ssl_ctx = SSL_CTX_new (SSLv23_client_method());
-        if (socket->ssl_ctx == NULL) {
-                char *error;
-
-                OPENSSL_LAST_ERROR(error);
-                PRINT_ERROR ("ERROR: OpenSSL: Unable to create a new SSL context: %s\n", error);
@@ -1846 +1851 @@
-        socket->session = SSL_new (socket->ssl_ctx);
-        if (socket->session == NULL) {
-                char *error;
-
-                OPENSSL_LAST_ERROR(error);
-                PRINT_ERROR ("ERROR: OpenSSL: Unable to create a new SSL connection "
@@ -1858 +1861 @@
-        re = SSL_set_fd (socket->session, socket->socket);
-        if (re != 1) {
-                char *error;
-
-                OPENSSL_LAST_ERROR(error);
-                PRINT_ERROR ("ERROR: OpenSSL: Can not set fd(%d): %s\n", socket->socket, error);
@@ -1867 +1868 @@
-        SSL_set_connect_state (socket->session); 
-
+#ifndef OPENSSL_NO_TLSEXT 
+        re = SSL_set_tlsext_host_name (socket->session, host->buf);
+        if (re <= 0) {
+                OPENSSL_LAST_ERROR(error);
+                PRINT_ERROR ("ERROR: OpenSSL: Could set SNI server name: %s\n", error);
+                return ret_error;
+        }
+#endif
+
-        re = SSL_connect (socket->session);
-        if (re <= 0) {
-                char *error;
-
-                OPENSSL_LAST_ERROR(error);
-                PRINT_ERROR ("ERROR: OpenSSL: Can not connect: %s\n", error);
@@ -1878 +1886 @@
-# endif
-#else 
+        UNUSED (host);
-        UNUSED (socket);
-#endif

cherokee/trunk/cherokee/socket.h

@@ -186 +186 @@
-
-ret_t cherokee_socket_init_tls          (cherokee_socket_t *socket, cherokee_virtual_server_t *vserver);
-
+, cherokee_buffer_t *host
-
-ret_t cherokee_socket_close             (cherokee_socket_t *socket);

cherokee/trunk/cherokee/virtual_server.c

@@ -220 +220 @@
-
-
+#ifndef OPENSSL_NO_TLSEXT 
+static int
+openssl_sni_servername_cb (SSL *ssl, int *ad, void *arg)
+{
+        ret_t                      ret;
+        const char                *servername;
+        cherokee_socket_t         *socket;
+        cherokee_buffer_t          tmp;
+        SSL_CTX                   *ctx;
+        cherokee_server_t         *srv       = SRV(arg);
+        cherokee_virtual_server_t *vsrv      = NULL;
+
+        /* Get the pointer to the socket 
+         */
+        socket = SSL_get_app_data (ssl); 
+        if (unlikely (socket == NULL)) {
+                PRINT_ERROR ("Could not get the socket struct: %p\n", ssl);
+                return SSL_TLSEXT_ERR_ALERT_FATAL; 
+        }
+
+        /* Read the SNI server name
+         */
+        servername = SSL_get_servername (ssl, TLSEXT_NAMETYPE_host_name);
+        if (servername == NULL) {
+                TRACE (ENTRIES, "No SNI: Did not provide a server name%s", "\n");
+                return SSL_TLSEXT_ERR_NOACK;
+        }
+
+        TRACE (ENTRIES, "SNI: Switching to servername='%s'\n", servername);
+
+        /* Try to match the name
+         */
+        cherokee_buffer_fake (&tmp, servername, strlen(servername));
+        ret = cherokee_server_get_vserver (srv, &tmp, &vsrv);
+        if ((ret != ret_ok) || (vsrv == NULL)) {
+                PRINT_ERROR ("Servername did not match: '%s'\n", servername);
+                return SSL_TLSEXT_ERR_NOACK; 
+        }
+
+        TRACE (ENTRIES, "SNI: Setting new TLS context. Virtual host='%s'\n",
+               vsrv->name.buf);
+
+        /* Set the new SSL context
+         */
+        ctx = SSL_set_SSL_CTX (ssl, vsrv->context);
+        if (ctx != vsrv->context) {
+                PRINT_ERROR ("Could change the SSL context: servername='%s'\n", servername);
+        }
+
+        return SSL_TLSEXT_ERR_OK; 
+}
+#endif 
+
+
-ret_t 
-cherokee_virtual_server_init_tls (cherokee_virtual_server_t *vsrv)
-{
-#ifdef HAVE_TLS
-
+
+
-
-        /* Check if all of them are empty
@@ -275 +330 @@
-        gnutls_anon_set_server_dh_params (vsrv->credentials, vsrv->dh_params);
-        gnutls_certificate_set_rsa_export_params (vsrv->credentials, vsrv->rsa_params);
+
+        UNUSED(error);
-# endif
-
@@ -290 +347 @@
-        rc = SSL_CTX_use_certificate_file (vsrv->context, vsrv->server_cert.buf, SSL_FILETYPE_PEM);
-        if (rc < 0) {
-                char *error;
-
-                OPENSSL_LAST_ERROR(error);
-                PRINT_ERROR("ERROR: OpenSSL: Can not use certificate file '%s':  %s\n", 
@@ -302 +357 @@
-        rc = SSL_CTX_use_PrivateKey_file (vsrv->context, vsrv->server_key.buf, SSL_FILETYPE_PEM);
-        if (rc < 0) {
-                char *error;
-
-                OPENSSL_LAST_ERROR(error);
-                PRINT_ERROR("ERROR: OpenSSL: Can not use private key file '%s': %s\n", 
@@ -315 +368 @@
-        if (rc != 1) {
-                PRINT_ERROR_S("ERROR: OpenSSL: Private key does not match the certificate public key\n");
+                return ret_error;
+        }
+
+        /* Enable SNI
+         */
+        rc = SSL_CTX_set_tlsext_servername_callback (vsrv->context, openssl_sni_servername_cb);
+        if (rc < 0) {
+                OPENSSL_LAST_ERROR(error);
+                PRINT_ERROR ("Could activate TLS SNI for '%s': %s\n", vsrv->name.buf, error);
+                return ret_error;
+        }
+
+        rc = SSL_CTX_set_tlsext_servername_arg (vsrv->context, VSERVER_SRV(vsrv));
+        if (rc < 0) {
+                OPENSSL_LAST_ERROR(error);
+                PRINT_ERROR ("Could activate TLS SNI for '%s': %s\n", vsrv->name.buf, error);
-                return ret_error;
-        }