# HG changeset patch
# User Olaf Wintermann
# Date 1482767215 -3600
# Node ID fd324464f56fadac81a66f3183fd812b24f8d70e
# Parent 288fd9b9a7395a3181b554b09643479fd2f7d9ad
adds support for ssl cert chain files and improves ssl error handling
diff -r 288fd9b9a739 -r fd324464f56f doc/create_cert.sh
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/doc/create_cert.sh Mon Dec 26 16:46:55 2016 +0100
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+openssl req -nodes -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
+
diff -r 288fd9b9a739 -r fd324464f56f src/server/daemon/config.c
--- a/src/server/daemon/config.c Mon Dec 26 15:34:44 2016 +0100
+++ b/src/server/daemon/config.c Mon Dec 26 16:46:55 2016 +0100
@@ -581,7 +581,7 @@
 sstr_t chain = cfg_directivelist_get_str(obj->directives, S("Chain"));
 WSBool config_ok = WS_TRUE;
 // TODO: log error
-if(!cert.ptr) {
+if(!cert.ptr && !chain.ptr) {
 config_ok = WS_FALSE;
 }
 if(!privkey.ptr) {
@@ -600,6 +600,10 @@
 // TODO: check if all important configs are set
 HttpListener *listener = http_listener_create(&lc);
+if(!listener) {
+return 1;
+}
+
 listener->default_vs.vs_name = lc.vs.ptr;
 cfg->listeners = ucx_list_append(cfg->listeners, listener);
diff -r 288fd9b9a739 -r fd324464f56f src/server/daemon/httplistener.c
--- a/src/server/daemon/httplistener.c Mon Dec 26 15:34:44 2016 +0100
+++ b/src/server/daemon/httplistener.c Mon Dec 26 16:46:55 2016 +0100
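Review bot: `openssl req -nodes` writes key.pem unencrypted under the caller's default umask, so the private key can end up readable by every local user next to cert.pem; add `umask 077` as the line before the openssl call (or `chmod 600 key.pem` after it) so only the owner can read the key. Because of `-x509` the output is a self-signed certificate, so a header comment such as `# Creates a self-signed certificate (cert.pem) and an unencrypted private key (key.pem) for development setups` would tell readers what this script is for. Without `-subj` the command prompts for the subject fields interactively, which is fine for a helper script but is worth a mention in that same comment.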
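Review bot: The widened condition `if(!cert.ptr && !chain.ptr)` still sits under the unresolved `// TODO: log error`, so a listener with neither Cert nor Chain only flips `config_ok` and the operator gets no message explaining why the listener never came up; `log_ereport(LOG_MISCONFIG, "listener: neither Cert nor Chain directive set");` inside the `if` would make the failure visible, in line with the load-error logging this commit adds in httplistener.c. In httplistener.c the chain file is used whenever `chainfile.ptr` is set and the cert file only otherwise, so a configuration that sets both silently ignores Cert; a one-line comment on the condition, `// Chain takes precedence over Cert when both are set (see http_listener_create)`, or a warning when both directives are present, would document that. The enclosing function starts and ends outside the hunk.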
@@ -166,19 +166,38 @@
 SSL_CTX *ctx = SSL_CTX_new( SSLv23_server_method());
 SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
- sstr_t file = sstrdup(conf->certfile);
- int ret = SSL_CTX_use_certificate_file(ctx, file.ptr, SSL_FILETYPE_PEM);
- free(file.ptr);
- if(!ret) {
- // TODO: cleanup
- return NULL;
+ // TODO: cleanup on error
+
+ sstr_t file;
+ int ret;
+ char errbuf[512];
+
+ if(!conf->chainfile.ptr) {
+ file = sstrdup(conf->certfile);
+ ret = SSL_CTX_use_certificate_file(ctx, file.ptr, SSL_FILETYPE_PEM);
+ free(file.ptr);
+ if(!ret) {
+ ERR_error_string(ERR_get_error(), errbuf);
+ log_ereport(LOG_MISCONFIG, "Cannot load ssl chain file: %s", errbuf);
+ return NULL;
+ }
+ } else {
+ file = sstrdup(conf->chainfile);
+ int ret = SSL_CTX_use_certificate_chain_file(ctx, file.ptr);
+ free(file.ptr);
+ if(!ret) {
+ ERR_error_string(ERR_get_error(), errbuf);
+ log_ereport(LOG_MISCONFIG, "Cannot load ssl cert file: %s", errbuf);
+ return NULL;
+ }
 }
 file = sstrdup(conf->privkeyfile);
 ret = SSL_CTX_use_PrivateKey_file(ctx, file.ptr, SSL_FILETYPE_PEM);
 free(file.ptr);
- if(!ret) {
- // TODO: cleanup
+ if(!ret) {
+ ERR_error_string(ERR_get_error(), errbuf);
+ log_ereport(LOG_MISCONFIG, "Cannot load ssl key file: %s", errbuf);
 return NULL;
 }
diff -r 288fd9b9a739 -r fd324464f56f src/server/daemon/sessionhandler.c
--- a/src/server/daemon/sessionhandler.c Mon Dec 26 15:34:44 2016 +0100
+++ b/src/server/daemon/sessionhandler.c Mon Dec 26 16:46:55 2016 +0100
@@ -60,7 +60,7 @@
 int connection_ssl_read(Connection *conn, void *buf, int len) {
 int ret = SSL_read(conn->ssl, buf, len);
 if(ret <= 0) {
- conn->ssl_error = SSL_get_error();
+ conn->ssl_error = ERR_get_error();
 }
 return ret;
 }
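Review bot: The two new log messages are swapped: the branch taken when `conf->chainfile.ptr` is unset loads `conf->certfile` yet reports "Cannot load ssl chain file", while the chain branch reports "Cannot load ssl cert file", so the operator is sent to the wrong directive. In the else branch `int ret = SSL_CTX_use_certificate_chain_file(ctx, file.ptr);` declares a second `ret` that shadows the one declared above; drop the `int`. The hunk loads certificate and key but never calls `SSL_CTX_check_private_key(ctx)`, so a key that does not belong to the certificate is only discovered when the first handshake fails instead of at startup; unless that happens further down (the function continues past the hunk), add the check after the key load. The `// TODO: cleanup on error` is accurate, every `return NULL` here leaks `ctx`, and `SSL_CTX_free(ctx)` before each return closes that.
```c
    if(!conf->chainfile.ptr) {
        // … unchanged: certfile branch, with its message corrected to "Cannot load ssl cert file: %s" …
    } else {
        file = sstrdup(conf->chainfile);
        ret = SSL_CTX_use_certificate_chain_file(ctx, file.ptr);   // reuse the outer ret
        free(file.ptr);
        if(!ret) {
            ERR_error_string(ERR_get_error(), errbuf);
            log_ereport(LOG_MISCONFIG, "Cannot load ssl chain file: %s", errbuf);
            SSL_CTX_free(ctx);
            return NULL;
        }
    }
    // … unchanged: private key load (add SSL_CTX_free(ctx) before its return NULL) …
    if(!SSL_CTX_check_private_key(ctx)) {
        ERR_error_string(ERR_get_error(), errbuf);
        log_ereport(LOG_MISCONFIG, "ssl private key does not match certificate: %s", errbuf);
        SSL_CTX_free(ctx);
        return NULL;
    }
```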
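Review bot: `ERR_get_error()` does not tell the caller why `SSL_read` returned `ret <= 0`: a non-blocking socket that simply needs more data (`SSL_ERROR_WANT_READ`) or a peer's clean shutdown (`SSL_ERROR_ZERO_RETURN`) leaves the error queue empty, so `conn->ssl_error` ends up 0 in exactly the cases a caller must tell apart from a fatal failure. The call the API provides for this classification is `conn->ssl_error = SSL_get_error(conn->ssl, ret);`, and draining the queue with `ERR_get_error()` for a reason string belongs only on the `SSL_ERROR_SSL` path. The same applies to `connection_ssl_write` in the next hunk. The declaration of `ssl_error` is not in this diff; if it was sized for `ERR_get_error()`'s `unsigned long`, it would need to become an `int` to hold `SSL_get_error()`'s result.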
@@ -68,7 +68,7 @@
 int connection_ssl_write(Connection *conn, const void *buf, int len) {
 int ret = SSL_write(conn->ssl, buf, len);
 if(ret <= 0) {
- conn->ssl_error = SSL_get_error();
+ conn->ssl_error = ERR_get_error();
 }
 return ret;
 }
diff -r 288fd9b9a739 -r fd324464f56f src/server/daemon/webserver.c
--- a/src/server/daemon/webserver.c Mon Dec 26 15:34:44 2016 +0100
+++ b/src/server/daemon/webserver.c Mon Dec 26 16:46:55 2016 +0100
@@ -60,7 +60,7 @@
 static RestartCallback *atrestart;
-int webserver_init() {
+int webserver_init() {
 // init NSPR
 systhread_init("webserver");