added ssl.ca-file and updated error-message if private and public key don't match
git-svn-id: svn+ssh://svn.lighttpd.net/lighttpd/trunk@46 152afb58-edef-0310-8abb-c4023f1b3aa9
parent
75b6e9ff3d
commit
f378f32a5d
@ -241,6 +241,7 @@ typedef struct {
/* server wide */
buffer *ssl_pemfile;
buffer *ssl_ca_file;
unsigned short use_ipv6;
unsigned short is_ssl;
unsigned short allow_http11;
@ -424,6 +425,7 @@ typedef struct {
int fde_ndx;
buffer *ssl_pemfile;
buffer *ssl_ca_file;
unsigned short use_ipv6;
unsigned short is_ssl;
unsigned short max_request_size;
@ -200,6 +200,8 @@ static int config_insert(server *srv) {
{ "debug.log-request-header-on-error", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 36 */
{ "debug.log-state-handling", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 37 */
{ "ssl.ca-file", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 38 */
{ "server.host", "use server.bind instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
{ "server.docroot", "use server.document-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
@ -247,6 +249,7 @@ static int config_insert(server *srv) {
s->mimetypes = array_init();
s->server_name = buffer_init();
s->ssl_pemfile = buffer_init();
s->ssl_ca_file = buffer_init();
s->error_handler = buffer_init();
s->server_tag = buffer_init();
s->max_keep_alive_requests = 128;
@ -293,6 +296,7 @@ static int config_insert(server *srv) {
cv[34].destination = &(s->log_request_header);
cv[35].destination = &(s->allow_http11);
cv[38].destination = s->ssl_ca_file;
srv->config_storage[i] = s;
@ -444,6 +448,8 @@ int config_patch_connection(server *srv, connection *con, const char *stage, siz
PATCH(use_xattr);
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.pemfile"))) {
PATCH(ssl_pemfile);
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.ca-file"))) {
PATCH(ssl_ca_file);
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.engine"))) {
PATCH(is_ssl);
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("server.follow-symlink"))) {
@ -1005,7 +1011,7 @@ int config_set_defaults(server *srv) {
}
if (s->is_ssl) {
if (s->ssl_pemfile->used == 0) {
if (buffer_is_empty(s->ssl_pemfile)) {
/* PEM file is require */
log_error_write(srv, __FILE__, __LINE__, "s",
@ -281,21 +281,31 @@ int network_server_init(server *srv, buffer *host_token, specific_config *s) {
return -1;
}
if (0 > SSL_CTX_use_certificate_file(s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM)) {
log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
ERR_error_string(ERR_get_error(), NULL));
return -1;
}
if (!buffer_is_empty(s->ssl_ca_file)) {
if (1 != SSL_CTX_load_verify_locations(s->ssl_ctx, s->ssl_ca_file->ptr, NULL)) {
log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
ERR_error_string(ERR_get_error(), NULL));
return -1;
}
}
if (0 > SSL_CTX_use_PrivateKey_file (s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM)) {
if (SSL_CTX_use_certificate_file(s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
ERR_error_string(ERR_get_error(), NULL));
return -1;
}
if (!SSL_CTX_check_private_key(s->ssl_ctx)) {
if (SSL_CTX_use_PrivateKey_file (s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
"Private key does not match the certificate public key");
ERR_error_string(ERR_get_error(), NULL));
return -1;
}
if (SSL_CTX_check_private_key(s->ssl_ctx) != 1) {
log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:",
"Private key does not match the certificate public key, reason:",
ERR_error_string(ERR_get_error(), NULL),
s->ssl_pemfile);
return -1;
}
srv_socket->ssl_ctx = s->ssl_ctx;
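Review bot: The success checks on the rewritten SSL_CTX_use_certificate_file and SSL_CTX_use_PrivateKey_file lines still test for a negative return, but these OpenSSL calls return 1 on success and 0 on failure, so a failed load passes through and is only reported later by SSL_CTX_check_private_key under a misleading "does not match" message. The new SSL_CTX_load_verify_locations check in the same hunk already uses the correct form; make the other two consistent with it: `if (SSL_CTX_use_certificate_file(s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) != 1) {` and `if (SSL_CTX_use_PrivateKey_file(s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) != 1) {`. Within this hunk nothing consumes the store loaded from ssl.ca-file — there is no SSL_CTX_set_verify or SSL_CTX_set_client_CA_list call — so unless that is done elsewhere in network_server_init, setting ssl.ca-file loads CA certificates without enabling peer verification; a short comment above the load stating what the CA file is intended for (`/* ssl.ca-file: trust store for peer certificate verification */` or similar) would make the intent checkable. network_server_init continues outside the hunk.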
@ -242,6 +242,7 @@ static void server_free(server *srv) {
buffer_free(s->server_name);
buffer_free(s->server_tag);
buffer_free(s->ssl_pemfile);
buffer_free(s->ssl_ca_file);
buffer_free(s->error_handler);
array_free(s->indexfiles);
array_free(s->mimetypes);