62
63
return HANDLER_GO_ON;
65
int network_server_init(server *srv, buffer *host_token, specific_config *s) {
66
#if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT
67
static int network_ssl_servername_callback(SSL *ssl, int *al, server *srv) {
68
const char *servername;
69
connection *con = (connection *) SSL_get_app_data(ssl);
72
buffer_copy_string(con->uri.scheme, "https");
74
if (NULL == (servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
76
/* this "error" just means the client didn't support it */
77
log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
78
"failed to get TLS server name");
80
return SSL_TLSEXT_ERR_NOACK;
82
buffer_copy_string(con->tlsext_server_name, servername);
83
buffer_to_lower(con->tlsext_server_name);
85
config_cond_cache_reset(srv, con);
86
config_setup_connection(srv, con);
88
config_patch_connection(srv, con, COMP_SERVER_SOCKET);
89
config_patch_connection(srv, con, COMP_HTTP_SCHEME);
90
config_patch_connection(srv, con, COMP_HTTP_HOST);
92
if (NULL == con->conf.ssl_ctx) {
93
/* ssl_ctx <=> pemfile was set <=> ssl_ctx got patched: so this should never happen */
94
log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
95
"null SSL_CTX for TLS server name", con->tlsext_server_name);
96
return SSL_TLSEXT_ERR_ALERT_FATAL;
99
/* switch to new SSL_CTX in reaction to a client's server_name extension */
100
if (con->conf.ssl_ctx != SSL_set_SSL_CTX(ssl, con->conf.ssl_ctx)) {
101
log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
102
"failed to set SSL_CTX for TLS server name", con->tlsext_server_name);
103
return SSL_TLSEXT_ERR_ALERT_FATAL;
106
return SSL_TLSEXT_ERR_OK;
110
static int network_server_init(server *srv, buffer *host_token, specific_config *s) {
67
112
socklen_t addr_len;
68
113
server_socket *srv_socket;
167
209
srv_socket->addr.plain.sa_family = AF_INET;
168
210
if (-1 == (srv_socket->fd = socket(srv_socket->addr.plain.sa_family, SOCK_STREAM, IPPROTO_TCP))) {
169
211
log_error_write(srv, __FILE__, __LINE__, "ss", "socket failed:", strerror(errno));
212
goto error_free_socket;
217
/* set FD_CLOEXEC now, fdevent_fcntl_set is called later; needed for pipe-logger forks */
218
fcntl(srv_socket->fd, F_SETFD, FD_CLOEXEC);
175
222
srv->cur_fds = srv_socket->fd;
178
225
if (setsockopt(srv_socket->fd, SOL_SOCKET, SO_REUSEADDR, &val, sizeof(val)) < 0) {
179
226
log_error_write(srv, __FILE__, __LINE__, "ss", "socketsockopt failed:", strerror(errno));
227
goto error_free_socket;
183
230
switch(srv_socket->addr.plain.sa_family) {
302
347
host, port, strerror(errno));
350
goto error_free_socket;
308
353
if (-1 == listen(srv_socket->fd, 128 * 8)) {
309
354
log_error_write(srv, __FILE__, __LINE__, "ss", "listen failed: ", strerror(errno));
355
goto error_free_socket;
314
359
#ifdef USE_OPENSSL
315
if (srv->ssl_is_init == 0) {
316
SSL_load_error_strings();
318
srv->ssl_is_init = 1;
320
if (0 == RAND_status()) {
321
log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
322
"not enough entropy in the pool");
327
if (NULL == (s->ssl_ctx = SSL_CTX_new(SSLv23_server_method()))) {
328
log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
329
ERR_error_string(ERR_get_error(), NULL));
333
if (!s->ssl_use_sslv2) {
335
if (SSL_OP_NO_SSLv2 != SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2)) {
336
log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
337
ERR_error_string(ERR_get_error(), NULL));
342
if (!buffer_is_empty(s->ssl_cipher_list)) {
343
/* Disable support for low encryption ciphers */
344
if (SSL_CTX_set_cipher_list(s->ssl_ctx, s->ssl_cipher_list->ptr) != 1) {
345
log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
346
ERR_error_string(ERR_get_error(), NULL));
351
if (buffer_is_empty(s->ssl_pemfile)) {
360
if (NULL == (srv_socket->ssl_ctx = s->ssl_ctx)) {
352
361
log_error_write(srv, __FILE__, __LINE__, "s", "ssl.pemfile has to be set");
356
if (!buffer_is_empty(s->ssl_ca_file)) {
357
if (1 != SSL_CTX_load_verify_locations(s->ssl_ctx, s->ssl_ca_file->ptr, NULL)) {
358
log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
359
ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
364
if (SSL_CTX_use_certificate_file(s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
365
log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
366
ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
370
if (SSL_CTX_use_PrivateKey_file (s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
371
log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
372
ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
376
if (SSL_CTX_check_private_key(s->ssl_ctx) != 1) {
377
log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:",
378
"Private key does not match the certificate public key, reason:",
379
ERR_error_string(ERR_get_error(), NULL),
383
SSL_CTX_set_default_read_ahead(s->ssl_ctx, 1);
384
SSL_CTX_set_mode(s->ssl_ctx, SSL_CTX_get_mode(s->ssl_ctx) | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
386
srv_socket->ssl_ctx = s->ssl_ctx;
362
goto error_free_socket;
389
366
buffer_free(srv_socket->srv_token);
394
371
log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
395
372
"ssl requested but openssl support is not compiled in");
374
goto error_free_socket;
376
#ifdef TCP_DEFER_ACCEPT
377
} else if (s->defer_accept) {
378
int v = s->defer_accept;
379
if (-1 == setsockopt(srv_socket->fd, IPPROTO_TCP, TCP_DEFER_ACCEPT, &v, sizeof(v))) {
380
log_error_write(srv, __FILE__, __LINE__, "ss", "can't set TCP_DEFER_ACCEPT: ", strerror(errno));
400
384
#ifdef SO_ACCEPTFILTER
402
* FreeBSD accf_http filter
385
/* FreeBSD accf_http filter */
386
struct accept_filter_arg afa;
405
387
memset(&afa, 0, sizeof(afa));
406
388
strcpy(afa.af_name, "httpready");
407
389
if (setsockopt(srv_socket->fd, SOL_SOCKET, SO_ACCEPTFILTER, &afa, sizeof(afa)) < 0) {
491
487
{ NETWORK_BACKEND_UNSET, NULL }
491
/* load SSL certificates */
492
for (i = 0; i < srv->config_context->used; i++) {
493
specific_config *s = srv->config_storage[i];
495
if (buffer_is_empty(s->ssl_pemfile)) continue;
497
#ifdef OPENSSL_NO_TLSEXT
499
data_config *dc = (data_config *)srv->config_context->data[i];
500
if (COMP_HTTP_HOST == dc->comp) {
501
log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
502
"can't use ssl.pemfile with $HTTP[\"host\"], openssl version does not support TLS extensions");
508
if (srv->ssl_is_init == 0) {
509
SSL_load_error_strings();
511
srv->ssl_is_init = 1;
513
if (0 == RAND_status()) {
514
log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
515
"not enough entropy in the pool");
520
if (NULL == (s->ssl_ctx = SSL_CTX_new(SSLv23_server_method()))) {
521
log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
522
ERR_error_string(ERR_get_error(), NULL));
526
if (!s->ssl_use_sslv2) {
528
if (SSL_OP_NO_SSLv2 != SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2)) {
529
log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
530
ERR_error_string(ERR_get_error(), NULL));
535
if (!buffer_is_empty(s->ssl_cipher_list)) {
536
/* Disable support for low encryption ciphers */
537
if (SSL_CTX_set_cipher_list(s->ssl_ctx, s->ssl_cipher_list->ptr) != 1) {
538
log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
539
ERR_error_string(ERR_get_error(), NULL));
544
if (!buffer_is_empty(s->ssl_ca_file)) {
545
if (1 != SSL_CTX_load_verify_locations(s->ssl_ctx, s->ssl_ca_file->ptr, NULL)) {
546
log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
547
ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
550
if (s->ssl_verifyclient) {
551
STACK_OF(X509_NAME) *certs = SSL_load_client_CA_file(s->ssl_ca_file->ptr);
553
log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
554
ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
556
if (SSL_CTX_set_session_id_context(s->ssl_ctx, (void*) &srv, sizeof(srv)) != 1) {
557
log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
558
ERR_error_string(ERR_get_error(), NULL));
561
SSL_CTX_set_client_CA_list(s->ssl_ctx, certs);
564
SSL_VERIFY_PEER | (s->ssl_verifyclient_enforce ? SSL_VERIFY_FAIL_IF_NO_PEER_CERT : 0),
567
SSL_CTX_set_verify_depth(s->ssl_ctx, s->ssl_verifyclient_depth);
569
} else if (s->ssl_verifyclient) {
571
srv, __FILE__, __LINE__, "s",
572
"SSL: You specified ssl.verifyclient.activate but no ca_file"
576
if (SSL_CTX_use_certificate_file(s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
577
log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
578
ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
582
if (SSL_CTX_use_PrivateKey_file (s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
583
log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
584
ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
588
if (SSL_CTX_check_private_key(s->ssl_ctx) != 1) {
589
log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:",
590
"Private key does not match the certificate public key, reason:",
591
ERR_error_string(ERR_get_error(), NULL),
595
SSL_CTX_set_default_read_ahead(s->ssl_ctx, 1);
596
SSL_CTX_set_mode(s->ssl_ctx, SSL_CTX_get_mode(s->ssl_ctx) | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
598
# ifndef OPENSSL_NO_TLSEXT
599
if (!SSL_CTX_set_tlsext_servername_callback(s->ssl_ctx, network_ssl_servername_callback) ||
600
!SSL_CTX_set_tlsext_servername_arg(s->ssl_ctx, srv)) {
601
log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
602
"failed to initialize TLS servername callback, openssl library does not support TLS servername extension");
494
609
b = buffer_init();
496
611
buffer_copy_string_buffer(b, srv->srvconf.bindhost);