← Back to branch summary

~ubuntu-branches/ubuntu/maverick/lighttpd/maverick

« back to all changes in this revision

Viewing changes to src/network.c

  • Committer: Bazaar Package Importer
  • Author(s): Andres Rodriguez
  • Date: 2010-03-27 15:53:32 UTC
  • mfrom: (6.1.8 sid)
  • Revision ID: james.westby@ubuntu.com-20100327155332-fmp9cpnys8skidbq
Tags: 1.4.26-1.1ubuntu1
https://launchpad.net/bugs/407722
https://launchpad.net/bugs/521659
https://launchpad.net/bugs/523682
* Merge from debian unstable (LP: #407722).  Remaining changes:
  - debian/control: libgamin-dev rather than libfam-dev to fix startup 
    warning.
  - debian/init.d: clean environment; Check syntax during start/reload
    restart/force-reload.
  - debian/index.html: s/Debian/Ubuntu/g branding on the default page.
  - Added a UFW profile set: 
    + debian/lighttpd.dirs: added etc/ufw/applications.d
    + debian/rules: install the ufw profile.
    + debian/control: Suggests on ufw.
  - Add lighttpd-dev package:
    + debian/control: Added lighttpd-dev package; Build-depends on 
      automake, libtool
    + debian/lighttpd-dev.install: Added.
* debian/control: debhelper Build-depends bumped to (>= 7.0.50) for 
  overrides in rules file.
* debian/rules: 
  - Add override_dh_installinit to set "defaults 91 09" to not start 
    before apache2 but in the same runlevel with the same priority.
* debian/patches/build-dev-package.patch: Updated
* Also closes: (LP: #521659, LP: #523682)

Show diffs side-by-side

added added

removed removed

Lines of Context:
src/network.c
 
1
#include "network.h"
 
2
#include "fdevent.h"
 
3
#include "log.h"
 
4
#include "connections.h"
 
5
#include "plugin.h"
 
6
#include "joblist.h"
 
7
#include "configfile.h"
 
8
 
 
9
#include "network_backends.h"
 
10
#include "sys-mmap.h"
 
11
#include "sys-socket.h"
 
12
 
1
13
#include <sys/types.h>
2
14
#include <sys/stat.h>
3
15
#include <sys/time.h>
9
21
#include <stdlib.h>
10
22
#include <assert.h>
11
23
 
12
 
#include "network.h"
13
 
#include "fdevent.h"
14
 
#include "log.h"
15
 
#include "connections.h"
16
 
#include "plugin.h"
17
 
#include "joblist.h"
18
 
 
19
 
#include "network_backends.h"
20
 
#include "sys-mmap.h"
21
 
#include "sys-socket.h"
22
 
 
23
24
#ifdef USE_OPENSSL
24
25
# include <openssl/ssl.h>
25
26
# include <openssl/err.h>
26
27
# include <openssl/rand.h>
27
28
#endif
28
29
 
29
 
handler_t network_server_handle_fdevent(void *s, void *context, int revents) {
 
30
static handler_t network_server_handle_fdevent(void *s, void *context, int revents) {
30
31
        server     *srv = (server *)s;
31
32
        server_socket *srv_socket = (server_socket *)context;
32
33
        connection *con;
62
63
        return HANDLER_GO_ON;
63
64
}
64
65
 
65
 
int network_server_init(server *srv, buffer *host_token, specific_config *s) {
 
66
#if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT
 
67
static int network_ssl_servername_callback(SSL *ssl, int *al, server *srv) {
 
68
        const char *servername;
 
69
        connection *con = (connection *) SSL_get_app_data(ssl);
 
70
        UNUSED(al);
 
71
 
 
72
        buffer_copy_string(con->uri.scheme, "https");
 
73
 
 
74
        if (NULL == (servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
 
75
#if 0
 
76
                /* this "error" just means the client didn't support it */
 
77
                log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
 
78
                                "failed to get TLS server name");
 
79
#endif
 
80
                return SSL_TLSEXT_ERR_NOACK;
 
81
        }
 
82
        buffer_copy_string(con->tlsext_server_name, servername);
 
83
        buffer_to_lower(con->tlsext_server_name);
 
84
 
 
85
        config_cond_cache_reset(srv, con);
 
86
        config_setup_connection(srv, con);
 
87
 
 
88
        config_patch_connection(srv, con, COMP_SERVER_SOCKET);
 
89
        config_patch_connection(srv, con, COMP_HTTP_SCHEME);
 
90
        config_patch_connection(srv, con, COMP_HTTP_HOST);
 
91
 
 
92
        if (NULL == con->conf.ssl_ctx) {
 
93
                /* ssl_ctx <=> pemfile was set <=> ssl_ctx got patched: so this should never happen */
 
94
                log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
 
95
                        "null SSL_CTX for TLS server name", con->tlsext_server_name);
 
96
                return SSL_TLSEXT_ERR_ALERT_FATAL;
 
97
        }
 
98
 
 
99
        /* switch to new SSL_CTX in reaction to a client's server_name extension */
 
100
        if (con->conf.ssl_ctx != SSL_set_SSL_CTX(ssl, con->conf.ssl_ctx)) {
 
101
                log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
 
102
                        "failed to set SSL_CTX for TLS server name", con->tlsext_server_name);
 
103
                return SSL_TLSEXT_ERR_ALERT_FATAL;
 
104
        }
 
105
 
 
106
        return SSL_TLSEXT_ERR_OK;
 
107
}
 
108
#endif
 
109
 
 
110
static int network_server_init(server *srv, buffer *host_token, specific_config *s) {
66
111
        int val;
67
112
        socklen_t addr_len;
68
113
        server_socket *srv_socket;
73
118
        int is_unix_domain_socket = 0;
74
119
        int fd;
75
120
 
76
 
#ifdef SO_ACCEPTFILTER
77
 
        struct accept_filter_arg afa;
78
 
#endif
79
 
 
80
121
#ifdef __WIN32
81
122
        WORD wVersionRequested;
82
123
        WSADATA wsaData;
94
135
 
95
136
        srv_socket = calloc(1, sizeof(*srv_socket));
96
137
        srv_socket->fd = -1;
 
138
        srv_socket->fde_ndx = -1;
97
139
 
98
140
        srv_socket->srv_token = buffer_init();
99
141
        buffer_copy_string_buffer(srv_socket->srv_token, host_token);
107
149
        if (NULL == (sp = strrchr(b->ptr, ':'))) {
108
150
                log_error_write(srv, __FILE__, __LINE__, "sb", "value of $SERVER[\"socket\"] has to be \"ip:port\".", b);
109
151
 
110
 
                return -1;
 
152
                goto error_free_socket;
111
153
        }
112
154
 
113
155
        host = b->ptr;
130
172
        } else if (port == 0 || port > 65535) {
131
173
                log_error_write(srv, __FILE__, __LINE__, "sd", "port out of range:", port);
132
174
 
133
 
                return -1;
 
175
                goto error_free_socket;
134
176
        }
135
177
 
136
178
        if (*host == '\0') host = NULL;
142
184
 
143
185
                if (-1 == (srv_socket->fd = socket(srv_socket->addr.plain.sa_family, SOCK_STREAM, 0))) {
144
186
                        log_error_write(srv, __FILE__, __LINE__, "ss", "socket failed:", strerror(errno));
145
 
                        return -1;
 
187
                        goto error_free_socket;
146
188
                }
147
189
#else
148
190
                log_error_write(srv, __FILE__, __LINE__, "s",
149
191
                                "ERROR: Unix Domain sockets are not supported.");
150
 
                return -1;
 
192
                goto error_free_socket;
151
193
#endif
152
194
        }
153
195
 
157
199
 
158
200
                if (-1 == (srv_socket->fd = socket(srv_socket->addr.plain.sa_family, SOCK_STREAM, IPPROTO_TCP))) {
159
201
                        log_error_write(srv, __FILE__, __LINE__, "ss", "socket failed:", strerror(errno));
160
 
                        return -1;
 
202
                        goto error_free_socket;
161
203
                }
162
204
                srv_socket->use_ipv6 = 1;
163
205
        }
167
209
                srv_socket->addr.plain.sa_family = AF_INET;
168
210
                if (-1 == (srv_socket->fd = socket(srv_socket->addr.plain.sa_family, SOCK_STREAM, IPPROTO_TCP))) {
169
211
                        log_error_write(srv, __FILE__, __LINE__, "ss", "socket failed:", strerror(errno));
170
 
                        return -1;
 
212
                        goto error_free_socket;
171
213
                }
172
214
        }
173
215
 
 
216
#ifdef FD_CLOEXEC
 
217
        /* set FD_CLOEXEC now, fdevent_fcntl_set is called later; needed for pipe-logger forks */
 
218
        fcntl(srv_socket->fd, F_SETFD, FD_CLOEXEC);
 
219
#endif
 
220
 
174
221
        /* */
175
222
        srv->cur_fds = srv_socket->fd;
176
223
 
177
224
        val = 1;
178
225
        if (setsockopt(srv_socket->fd, SOL_SOCKET, SO_REUSEADDR, &val, sizeof(val)) < 0) {
179
226
                log_error_write(srv, __FILE__, __LINE__, "ss", "socketsockopt failed:", strerror(errno));
180
 
                return -1;
 
227
                goto error_free_socket;
181
228
        }
182
229
 
183
230
        switch(srv_socket->addr.plain.sa_family) {
202
249
                                                "sssss", "getaddrinfo failed: ",
203
250
                                                gai_strerror(r), "'", host, "'");
204
251
 
205
 
                                return -1;
 
252
                                goto error_free_socket;
206
253
                        }
207
254
 
208
255
                        memcpy(&(srv_socket->addr), res->ai_addr, res->ai_addrlen);
224
271
                                log_error_write(srv, __FILE__, __LINE__,
225
272
                                                "sds", "gethostbyname failed: ",
226
273
                                                h_errno, host);
227
 
                                return -1;
 
274
                                goto error_free_socket;
228
275
                        }
229
276
 
230
277
                        if (he->h_addrtype != AF_INET) {
231
278
                                log_error_write(srv, __FILE__, __LINE__, "sd", "addr-type != AF_INET: ", he->h_addrtype);
232
 
                                return -1;
 
279
                                goto error_free_socket;
233
280
                        }
234
281
 
235
282
                        if (he->h_length != sizeof(struct in_addr)) {
236
283
                                log_error_write(srv, __FILE__, __LINE__, "sd", "addr-length != sizeof(in_addr): ", he->h_length);
237
 
                                return -1;
 
284
                                goto error_free_socket;
238
285
                        }
239
286
 
240
287
                        memcpy(&(srv_socket->addr.ipv4.sin_addr.s_addr), he->h_addr_list[0], he->h_length);
264
311
                                host);
265
312
 
266
313
 
267
 
                        return -1;
 
314
                        goto error_free_socket;
268
315
                }
269
316
 
270
317
                /* connect failed */
279
326
                                "testing socket failed:",
280
327
                                host, strerror(errno));
281
328
 
282
 
                        return -1;
 
329
                        goto error_free_socket;
283
330
                }
284
331
 
285
332
                break;
286
333
        default:
287
 
                addr_len = 0;
288
 
 
289
 
                return -1;
 
334
                goto error_free_socket;
290
335
        }
291
336
 
292
337
        if (0 != bind(srv_socket->fd, (struct sockaddr *) &(srv_socket->addr), addr_len)) {
302
347
                                        host, port, strerror(errno));
303
348
                        break;
304
349
                }
305
 
                return -1;
 
350
                goto error_free_socket;
306
351
        }
307
352
 
308
353
        if (-1 == listen(srv_socket->fd, 128 * 8)) {
309
354
                log_error_write(srv, __FILE__, __LINE__, "ss", "listen failed: ", strerror(errno));
310
 
                return -1;
 
355
                goto error_free_socket;
311
356
        }
312
357
 
313
358
        if (s->is_ssl) {
314
359
#ifdef USE_OPENSSL
315
 
                if (srv->ssl_is_init == 0) {
316
 
                        SSL_load_error_strings();
317
 
                        SSL_library_init();
318
 
                        srv->ssl_is_init = 1;
319
 
 
320
 
                        if (0 == RAND_status()) {
321
 
                                log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
322
 
                                                "not enough entropy in the pool");
323
 
                                return -1;
324
 
                        }
325
 
                }
326
 
 
327
 
                if (NULL == (s->ssl_ctx = SSL_CTX_new(SSLv23_server_method()))) {
328
 
                        log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
329
 
                                        ERR_error_string(ERR_get_error(), NULL));
330
 
                        return -1;
331
 
                }
332
 
 
333
 
                if (!s->ssl_use_sslv2) {
334
 
                        /* disable SSLv2 */
335
 
                        if (SSL_OP_NO_SSLv2 != SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2)) {
336
 
                                log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
337
 
                                                ERR_error_string(ERR_get_error(), NULL));
338
 
                                return -1;
339
 
                        }
340
 
                }
341
 
 
342
 
                if (!buffer_is_empty(s->ssl_cipher_list)) {
343
 
                        /* Disable support for low encryption ciphers */
344
 
                        if (SSL_CTX_set_cipher_list(s->ssl_ctx, s->ssl_cipher_list->ptr) != 1) {
345
 
                                log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
346
 
                                                ERR_error_string(ERR_get_error(), NULL));
347
 
                                return -1;
348
 
                        }
349
 
                }
350
 
 
351
 
                if (buffer_is_empty(s->ssl_pemfile)) {
 
360
                if (NULL == (srv_socket->ssl_ctx = s->ssl_ctx)) {
352
361
                        log_error_write(srv, __FILE__, __LINE__, "s", "ssl.pemfile has to be set");
353
 
                        return -1;
354
 
                }
355
 
 
356
 
                if (!buffer_is_empty(s->ssl_ca_file)) {
357
 
                        if (1 != SSL_CTX_load_verify_locations(s->ssl_ctx, s->ssl_ca_file->ptr, NULL)) {
358
 
                                log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
359
 
                                                ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
360
 
                                return -1;
361
 
                        }
362
 
                }
363
 
 
364
 
                if (SSL_CTX_use_certificate_file(s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
365
 
                        log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
366
 
                                        ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
367
 
                        return -1;
368
 
                }
369
 
 
370
 
                if (SSL_CTX_use_PrivateKey_file (s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
371
 
                        log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
372
 
                                        ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
373
 
                        return -1;
374
 
                }
375
 
 
376
 
                if (SSL_CTX_check_private_key(s->ssl_ctx) != 1) {
377
 
                        log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:",
378
 
                                        "Private key does not match the certificate public key, reason:",
379
 
                                        ERR_error_string(ERR_get_error(), NULL),
380
 
                                        s->ssl_pemfile);
381
 
                        return -1;
382
 
                }
383
 
                SSL_CTX_set_default_read_ahead(s->ssl_ctx, 1);
384
 
                SSL_CTX_set_mode(s->ssl_ctx, SSL_CTX_get_mode(s->ssl_ctx) | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
385
 
 
386
 
                srv_socket->ssl_ctx = s->ssl_ctx;
 
362
                        goto error_free_socket;
 
363
                }
387
364
#else
388
365
 
389
366
                buffer_free(srv_socket->srv_token);
394
371
                log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
395
372
                                "ssl requested but openssl support is not compiled in");
396
373
 
397
 
                return -1;
 
374
                goto error_free_socket;
 
375
#endif
 
376
#ifdef TCP_DEFER_ACCEPT
 
377
        } else if (s->defer_accept) {
 
378
                int v = s->defer_accept;
 
379
                if (-1 == setsockopt(srv_socket->fd, IPPROTO_TCP, TCP_DEFER_ACCEPT, &v, sizeof(v))) {
 
380
                        log_error_write(srv, __FILE__, __LINE__, "ss", "can't set TCP_DEFER_ACCEPT: ", strerror(errno));
 
381
                }
398
382
#endif
399
383
        } else {
400
384
#ifdef SO_ACCEPTFILTER
401
 
                /*
402
 
                 * FreeBSD accf_http filter
403
 
                 *
404
 
                 */
 
385
                /* FreeBSD accf_http filter */
 
386
                struct accept_filter_arg afa;
405
387
                memset(&afa, 0, sizeof(afa));
406
388
                strcpy(afa.af_name, "httpready");
407
389
                if (setsockopt(srv_socket->fd, SOL_SOCKET, SO_ACCEPTFILTER, &afa, sizeof(afa)) < 0) {
413
395
        }
414
396
 
415
397
        srv_socket->is_ssl = s->is_ssl;
416
 
        srv_socket->fde_ndx = -1;
417
398
 
418
399
        if (srv->srv_sockets.size == 0) {
419
400
                srv->srv_sockets.size = 4;
429
410
        buffer_free(b);
430
411
 
431
412
        return 0;
 
413
 
 
414
error_free_socket:
 
415
        if (srv_socket->fd != -1) {
 
416
                /* check if server fd are already registered */
 
417
                if (srv_socket->fde_ndx != -1) {
 
418
                        fdevent_event_del(srv->ev, &(srv_socket->fde_ndx), srv_socket->fd);
 
419
                        fdevent_unregister(srv->ev, srv_socket->fd);
 
420
                }
 
421
 
 
422
                close(srv_socket->fd);
 
423
        }
 
424
        buffer_free(srv_socket->srv_token);
 
425
        free(srv_socket);
 
426
 
 
427
        return -1;
432
428
}
433
429
 
434
430
int network_close(server *srv) {
491
487
                { NETWORK_BACKEND_UNSET,                NULL }
492
488
        };
493
489
 
 
490
#ifdef USE_OPENSSL
 
491
        /* load SSL certificates */
 
492
        for (i = 0; i < srv->config_context->used; i++) {
 
493
                specific_config *s = srv->config_storage[i];
 
494
 
 
495
                if (buffer_is_empty(s->ssl_pemfile)) continue;
 
496
 
 
497
#ifdef OPENSSL_NO_TLSEXT
 
498
                {
 
499
                        data_config *dc = (data_config *)srv->config_context->data[i];
 
500
                        if (COMP_HTTP_HOST == dc->comp) {
 
501
                            log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
 
502
                                            "can't use ssl.pemfile with $HTTP[\"host\"], openssl version does not support TLS extensions");
 
503
                            return -1;
 
504
                        }
 
505
                }
 
506
#endif
 
507
 
 
508
                if (srv->ssl_is_init == 0) {
 
509
                        SSL_load_error_strings();
 
510
                        SSL_library_init();
 
511
                        srv->ssl_is_init = 1;
 
512
 
 
513
                        if (0 == RAND_status()) {
 
514
                                log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
 
515
                                                "not enough entropy in the pool");
 
516
                                return -1;
 
517
                        }
 
518
                }
 
519
 
 
520
                if (NULL == (s->ssl_ctx = SSL_CTX_new(SSLv23_server_method()))) {
 
521
                        log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
 
522
                                        ERR_error_string(ERR_get_error(), NULL));
 
523
                        return -1;
 
524
                }
 
525
 
 
526
                if (!s->ssl_use_sslv2) {
 
527
                        /* disable SSLv2 */
 
528
                        if (SSL_OP_NO_SSLv2 != SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2)) {
 
529
                                log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
 
530
                                                ERR_error_string(ERR_get_error(), NULL));
 
531
                                return -1;
 
532
                        }
 
533
                }
 
534
 
 
535
                if (!buffer_is_empty(s->ssl_cipher_list)) {
 
536
                        /* Disable support for low encryption ciphers */
 
537
                        if (SSL_CTX_set_cipher_list(s->ssl_ctx, s->ssl_cipher_list->ptr) != 1) {
 
538
                                log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
 
539
                                                ERR_error_string(ERR_get_error(), NULL));
 
540
                                return -1;
 
541
                        }
 
542
                }
 
543
 
 
544
                if (!buffer_is_empty(s->ssl_ca_file)) {
 
545
                        if (1 != SSL_CTX_load_verify_locations(s->ssl_ctx, s->ssl_ca_file->ptr, NULL)) {
 
546
                                log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
 
547
                                                ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
 
548
                                return -1;
 
549
                        }
 
550
                        if (s->ssl_verifyclient) {
 
551
                                STACK_OF(X509_NAME) *certs = SSL_load_client_CA_file(s->ssl_ca_file->ptr);
 
552
                                if (!certs) {
 
553
                                        log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
 
554
                                                        ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
 
555
                                }
 
556
                                if (SSL_CTX_set_session_id_context(s->ssl_ctx, (void*) &srv, sizeof(srv)) != 1) {
 
557
                                        log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
 
558
                                                ERR_error_string(ERR_get_error(), NULL));
 
559
                                        return -1;
 
560
                                }
 
561
                                SSL_CTX_set_client_CA_list(s->ssl_ctx, certs);
 
562
                                SSL_CTX_set_verify(
 
563
                                        s->ssl_ctx,
 
564
                                        SSL_VERIFY_PEER | (s->ssl_verifyclient_enforce ? SSL_VERIFY_FAIL_IF_NO_PEER_CERT : 0),
 
565
                                        NULL
 
566
                                );
 
567
                                SSL_CTX_set_verify_depth(s->ssl_ctx, s->ssl_verifyclient_depth);
 
568
                        }
 
569
                } else if (s->ssl_verifyclient) {
 
570
                        log_error_write(
 
571
                                srv, __FILE__, __LINE__, "s",
 
572
                                "SSL: You specified ssl.verifyclient.activate but no ca_file"
 
573
                        );
 
574
                }
 
575
 
 
576
                if (SSL_CTX_use_certificate_file(s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
 
577
                        log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
 
578
                                        ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
 
579
                        return -1;
 
580
                }
 
581
 
 
582
                if (SSL_CTX_use_PrivateKey_file (s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
 
583
                        log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
 
584
                                        ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
 
585
                        return -1;
 
586
                }
 
587
 
 
588
                if (SSL_CTX_check_private_key(s->ssl_ctx) != 1) {
 
589
                        log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:",
 
590
                                        "Private key does not match the certificate public key, reason:",
 
591
                                        ERR_error_string(ERR_get_error(), NULL),
 
592
                                        s->ssl_pemfile);
 
593
                        return -1;
 
594
                }
 
595
                SSL_CTX_set_default_read_ahead(s->ssl_ctx, 1);
 
596
                SSL_CTX_set_mode(s->ssl_ctx, SSL_CTX_get_mode(s->ssl_ctx) | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
 
597
 
 
598
# ifndef OPENSSL_NO_TLSEXT
 
599
                if (!SSL_CTX_set_tlsext_servername_callback(s->ssl_ctx, network_ssl_servername_callback) ||
 
600
                    !SSL_CTX_set_tlsext_servername_arg(s->ssl_ctx, srv)) {
 
601
                        log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
 
602
                                        "failed to initialize TLS servername callback, openssl library does not support TLS servername extension");
 
603
                        return -1;
 
604
                }
 
605
# endif
 
606
        }
 
607
#endif
 
608
 
494
609
        b = buffer_init();
495
610
 
496
611
        buffer_copy_string_buffer(b, srv->srvconf.bindhost);
566
681
                /* not our stage */
567
682
                if (COMP_SERVER_SOCKET != dc->comp) continue;
568
683
 
569
 
                if (dc->cond != CONFIG_COND_EQ) {
570
 
                        log_error_write(srv, __FILE__, __LINE__, "s", "only == is allowed for $SERVER[\"socket\"].");
571
 
 
572
 
                        return -1;
573
 
                }
 
684
                if (dc->cond != CONFIG_COND_EQ) continue;
574
685
 
575
686
                /* check if we already know this socket,
576
687
                 * if yes, don't init it */