adds support for ssl cert chain files and improves ssl error handling

Mon, 26 Dec 2016 16:46:55 +0100

author
Olaf Wintermann <olaf.wintermann@gmail.com>
date
Mon, 26 Dec 2016 16:46:55 +0100
changeset 129
fd324464f56f
parent 128
288fd9b9a739
child 130
198ad9d8cec1

adds support for ssl cert chain files and improves ssl error handling

doc/create_cert.sh file | annotate | diff | comparison | revisions
src/server/daemon/config.c file | annotate | diff | comparison | revisions
src/server/daemon/httplistener.c file | annotate | diff | comparison | revisions
src/server/daemon/sessionhandler.c file | annotate | diff | comparison | revisions
src/server/daemon/webserver.c file | annotate | diff | comparison | revisions
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/doc/create_cert.sh	Mon Dec 26 16:46:55 2016 +0100
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+openssl req -nodes -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
+
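Review bot: key.pem is written with the caller's umask, so with the common 022 default the private key ends up world-readable; put `umask 077` before the openssl line (or `chmod 600 key.pem` after it). `-nodes` leaves the key unencrypted and there is no `-subj`, so the command prompts interactively; a one-line comment stating that this produces a self-signed certificate for local testing would tell readers what the output is meant for.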
--- a/src/server/daemon/config.c	Mon Dec 26 15:34:44 2016 +0100
+++ b/src/server/daemon/config.c	Mon Dec 26 16:46:55 2016 +0100
@@ -581,7 +581,7 @@
         sstr_t chain = cfg_directivelist_get_str(obj->directives, S("Chain"));
         WSBool config_ok = WS_TRUE;
         // TODO: log error
-        if(!cert.ptr) {
+        if(!cert.ptr && !chain.ptr) {
             config_ok = WS_FALSE;
         }
         if(!privkey.ptr) {
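Review bot: Both failure checks still set config_ok = WS_FALSE without saying which directive is missing (the `// TODO: log error` line just above the changed condition), so a listener with neither Cert nor Chain fails silently. This commit introduces log_ereport(LOG_MISCONFIG, ...) in httplistener.c; the same call fits here, e.g. `log_ereport(LOG_MISCONFIG, "Listener: neither Cert nor Chain configured");`, assuming log_ereport is reachable from config.c. When both Cert and Chain are set, the httplistener.c hunk in this commit uses only the chain file, so the Cert value is silently ignored; that deserves a log line too. The enclosing function starts and ends outside the hunk.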
@@ -600,6 +600,10 @@
     // TODO: check if all important configs are set
     
     HttpListener *listener = http_listener_create(&lc);
+    if(!listener) {
+        return 1;
+    }
+    
     listener->default_vs.vs_name = lc.vs.ptr;
     cfg->listeners = ucx_list_append(cfg->listeners, listener); 
     
--- a/src/server/daemon/httplistener.c	Mon Dec 26 15:34:44 2016 +0100
+++ b/src/server/daemon/httplistener.c	Mon Dec 26 16:46:55 2016 +0100
@@ -166,19 +166,38 @@
         SSL_CTX *ctx = SSL_CTX_new( SSLv23_server_method());
         SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
         
-        sstr_t file = sstrdup(conf->certfile);
-        int ret = SSL_CTX_use_certificate_file(ctx, file.ptr, SSL_FILETYPE_PEM);
-        free(file.ptr);
-        if(!ret) {
-            // TODO: cleanup
-            return NULL;
+        // TODO: cleanup on error
+        
+        sstr_t file;
+        int ret;
+        char errbuf[512];
+        
+        if(!conf->chainfile.ptr) {
+            file = sstrdup(conf->certfile);
+            ret = SSL_CTX_use_certificate_file(ctx, file.ptr, SSL_FILETYPE_PEM);
+            free(file.ptr);
+            if(!ret) {
+                ERR_error_string(ERR_get_error(), errbuf);
+                log_ereport(LOG_MISCONFIG, "Cannot load ssl chain file: %s", errbuf);
+                return NULL;
+            }
+        } else {
+            file = sstrdup(conf->chainfile);
+            int ret = SSL_CTX_use_certificate_chain_file(ctx, file.ptr);
+            free(file.ptr);
+            if(!ret) { 
+                ERR_error_string(ERR_get_error(), errbuf);
+                log_ereport(LOG_MISCONFIG, "Cannot load ssl cert file: %s", errbuf);
+                return NULL;
+            }
         }
         
         file = sstrdup(conf->privkeyfile);
         ret = SSL_CTX_use_PrivateKey_file(ctx, file.ptr, SSL_FILETYPE_PEM);
         free(file.ptr);
-        if(!ret) {
-            // TODO: cleanup
+        if(!ret) { 
+            ERR_error_string(ERR_get_error(), errbuf);
+            log_ereport(LOG_MISCONFIG, "Cannot load ssl key file: %s", errbuf);
             return NULL;
         }
         
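Review bot: The two new error messages are swapped: the branch that calls SSL_CTX_use_certificate_file reports "Cannot load ssl chain file" and the SSL_CTX_use_certificate_chain_file branch reports "Cannot load ssl cert file", which sends an operator to the wrong directive; exchange the two strings. In the chain branch `int ret = SSL_CTX_use_certificate_chain_file(ctx, file.ptr);` redeclares ret and shadows the one declared a few lines above (-Wshadow); drop the `int`. Every early `return NULL` still leaks ctx (the added "TODO: cleanup on error" comment acknowledges it); an `SSL_CTX_free(ctx);` before each return, or a single error label, closes that, and `ERR_error_string_n(ERR_get_error(), errbuf, sizeof errbuf);` is the bounded form of the lookup. Whether the loaded key is checked against the certificate with SSL_CTX_check_private_key is not visible here; the function continues past the hunk.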
--- a/src/server/daemon/sessionhandler.c	Mon Dec 26 15:34:44 2016 +0100
+++ b/src/server/daemon/sessionhandler.c	Mon Dec 26 16:46:55 2016 +0100
@@ -60,7 +60,7 @@
 int connection_ssl_read(Connection *conn, void *buf, int len) {
     int ret = SSL_read(conn->ssl, buf, len);
     if(ret <= 0) {
-        conn->ssl_error = SSL_get_error();
+        conn->ssl_error = ERR_get_error();
     }
     return ret;
 }
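Review bot: Replacing SSL_get_error() with ERR_get_error() fixes the argument-less call but records the wrong thing: ERR_get_error() drains the thread's error queue, which is empty for the common non-fatal outcomes of SSL_read (SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE, SSL_ERROR_ZERO_RETURN on a clean close_notify), so ssl_error would be 0 exactly when the caller needs to tell retry from failure. The intended call is `conn->ssl_error = SSL_get_error(conn->ssl, ret);`, which interprets the return value of the preceding SSL_read; the same applies to connection_ssl_write in the next hunk. Whether ssl_error is declared as int (what SSL_get_error returns) or unsigned long (what ERR_get_error returns) is not visible here.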
@@ -68,7 +68,7 @@
 int connection_ssl_write(Connection *conn, const void *buf, int len) {
     int ret = SSL_write(conn->ssl, buf, len);
     if(ret <= 0) {
-        conn->ssl_error = SSL_get_error();
+        conn->ssl_error = ERR_get_error();
     }
     return ret;
 }
--- a/src/server/daemon/webserver.c	Mon Dec 26 15:34:44 2016 +0100
+++ b/src/server/daemon/webserver.c	Mon Dec 26 16:46:55 2016 +0100
@@ -60,7 +60,7 @@
 
 static RestartCallback *atrestart;
 
-int webserver_init() {
+int webserver_init() { 
     // init NSPR
     systhread_init("webserver");
     
