[mod_wolfssl] add complex preproc logic for SNI

add complex preproc logic for SNI detection
- HAVE_SNI is not sufficient
- HAVE_LIGHTY is not sufficient (in wolfssl <= 4.5.0)
Instead, use more complex logic wrapping calls to SNI_Callback()
in wolfssl.

x-ref:
  "[lighttpd] -mod-wolfssl inhibited by missing library functionality"
  https://github.com/openwrt/packages/issues/14142
  "put all SNI code behind simpler preprocessor directive HAVE_SNI"
  https://github.com/wolfSSL/wolfssl/pull/3538
This commit is contained in:
Glenn Strauss 2020-12-06 22:50:49 -05:00
parent 083b3fb992
commit a43420ba07
1 changed files with 12 additions and 3 deletions

View File

@ -2041,13 +2041,22 @@ network_init_ssl (server *srv, plugin_config_socket *s, plugin_data *p)
* && (HAVE_STUNNEL || WOLFSSL_NGINX || HAVE_LIGHTY)))
* and sniRecvCb sniRecvCbArg are hidden by *different* set of defines
* in wolfssl/internal.h)
* Note: SNI callbacks disabled if wolfSSL is not built OPENSSL_ALL ! */
#ifdef OPENSSL_ALL /* regretable */
* Note: wolfSSL SNI callbacks members not present unless wolfSSL is
* built OPENSSL_ALL or some additional combination of preprocessor
* defines. The following should work with more recent wolfSSL versions
* (and HAVE_LIGHTY is not sufficient in wolfssl <= 4.5.0) */
#if defined(OPENSSL_ALL) \
|| (defined(OPENSSL_EXTRA) \
&& (defined(HAVE_STUNNEL) \
|| defined(WOLFSSL_NGINX) \
|| defined(WOLFSSL_HAPROXY)))
#else
#undef HAVE_SNI
#endif
#ifdef HAVE_SNI
wolfSSL_CTX_set_servername_callback(
s->ssl_ctx, network_ssl_servername_callback);
wolfSSL_CTX_set_servername_arg(s->ssl_ctx, srv);
#endif /* regretable */
#else
log_error(srv->errh, __FILE__, __LINE__,
"SSL: WARNING: SNI callbacks *crippled* in wolfSSL library build");