From 1851096a147711e82c078fdf42a8fd71a6ab0d72 Mon Sep 17 00:00:00 2001
From: jsing
Date: Mon, 22 Aug 2016 15:02:18 +0000
Subject: [PATCH] Enable SNI support in httpd(8).

ok reyk@
---
 usr.sbin/httpd/httpd.h | 4 ++--
 usr.sbin/httpd/parse.y | 4 ++--
 usr.sbin/httpd/server.c | 33 +++++++++++++++++++++++++++------
 3 files changed, 31 insertions(+), 10 deletions(-)

diff --git a/usr.sbin/httpd/httpd.h b/usr.sbin/httpd/httpd.h
index 070b5d39124..95ff26a79f7 100644
--- a/usr.sbin/httpd/httpd.h
+++ b/usr.sbin/httpd/httpd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: httpd.h,v 1.107 2016/08/16 18:41:57 tedu Exp $ */
+/* $OpenBSD: httpd.h,v 1.108 2016/08/22 15:02:18 jsing Exp $ */
 /*
  * Copyright (c) 2006 - 2015 Reyk Floeter
@@ -530,7 +530,7 @@ int cmdline_symset(char *);
 /* server.c */
 pid_t server(struct privsep *, struct privsep_proc *);
-int server_tls_cmp(struct server *, struct server *);
+int server_tls_cmp(struct server *, struct server *, int);
 int server_tls_load_keypair(struct server *);
 int server_privinit(struct server *);
 void server_purge(struct server *);
diff --git a/usr.sbin/httpd/parse.y b/usr.sbin/httpd/parse.y
index 6900bc68161..cc72dd83a8a 100644
--- a/usr.sbin/httpd/parse.y
+++ b/usr.sbin/httpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.80 2016/08/15 16:12:34 jsing Exp $ */
+/* $OpenBSD: parse.y,v 1.81 2016/08/22 15:02:18 jsing Exp $ */
 /*
  * Copyright (c) 2007 - 2015 Reyk Floeter
@@ -314,7 +314,7 @@ server : SERVER optmatch STRING {
 free(srv);
 YYERROR;
 }
-if (server_tls_cmp(s, srv) != 0) {
+if (server_tls_cmp(s, srv, 0) != 0) {
 yyerror("server \"%s\": tls "
 "configuration mismatch on same "
 "address/port",
diff --git a/usr.sbin/httpd/server.c b/usr.sbin/httpd/server.c
index 293655ed475..543f53c26e4 100644
--- a/usr.sbin/httpd/server.c
+++ b/usr.sbin/httpd/server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: server.c,v 1.91 2016/08/16 18:41:57 tedu Exp $ */
+/* $OpenBSD: server.c,v 1.92 2016/08/22 15:02:18 jsing Exp $ */
 /*
  * Copyright (c) 2006 - 2015 Reyk Floeter
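Review bot: The bare `0` now passed as the third argument of server_tls_cmp in the parse.y hunk gives the reader no hint of what check is being relaxed at this call site, and this is the only place the relaxed comparison is used, so the intent is easy to lose. A one-line comment on the call would carry it, e.g. `if (server_tls_cmp(s, srv, 0) != 0) {	/* keypair may differ per host (SNI) */`. The grammar action this call belongs to begins before and ends after the hunk.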
@@ -132,7 +132,7 @@ server_privinit(struct server *srv)
 }
 int
-server_tls_cmp(struct server *s1, struct server *s2)
+server_tls_cmp(struct server *s1, struct server *s2, int match_keypair)
 {
 struct server_config *sc1, *sc2;
@@ -141,10 +141,6 @@ server_tls_cmp(struct server *s1, struct server *s2)
 if (sc1->tls_protocols != sc2->tls_protocols)
 return (-1);
-if (strcmp(sc1->tls_cert_file, sc2->tls_cert_file) != 0)
-return (-1);
-if (strcmp(sc1->tls_key_file, sc2->tls_key_file) != 0)
-return (-1);
 if (strcmp(sc1->tls_ciphers, sc2->tls_ciphers) != 0)
 return (-1);
 if (strcmp(sc1->tls_dhe_params, sc2->tls_dhe_params) != 0)
@@ -152,6 +148,13 @@ server_tls_cmp(struct server *s1, struct server *s2)
 if (strcmp(sc1->tls_ecdhe_curve, sc2->tls_ecdhe_curve) != 0)
 return (-1);
+if (match_keypair) {
+if (strcmp(sc1->tls_cert_file, sc2->tls_cert_file) != 0)
+return (-1);
+if (strcmp(sc1->tls_key_file, sc2->tls_key_file) != 0)
+return (-1);
+}
+
 return (0);
 }
@@ -182,6 +185,8 @@ server_tls_load_keypair(struct server *srv)
 int
 server_tls_init(struct server *srv)
 {
+struct server_config *srv_conf;
+
 if ((srv->srv_conf.flags & SRVFLAG_TLS) == 0)
 return (0);
@@ -230,6 +235,19 @@ server_tls_init(struct server *srv)
 return (-1);
 }
+TAILQ_FOREACH(srv_conf, &srv->srv_hosts, entry) {
+if (srv_conf->tls_cert == NULL || srv_conf->tls_key == NULL)
+continue;
+log_debug("%s: adding keypair for server %s", __func__,
+srv->srv_conf.name);
+if (tls_config_add_keypair_mem(srv->srv_tls_config,
+srv_conf->tls_cert, srv_conf->tls_cert_len,
+srv_conf->tls_key, srv_conf->tls_key_len) != 0) {
+log_warnx("%s: failed to add tls keypair", __func__);
+return (-1);
+}
+}
+
 if (tls_configure(srv->srv_tls_ctx, srv->srv_tls_config) != 0) {
 log_warnx("%s: failed to configure tls - %s", __func__,
 tls_error(srv->srv_tls_ctx));
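Review bot: The new `match_keypair` parameter of server_tls_cmp is undocumented both here and in the httpd.h prototype, and its meaning is security-relevant: with it cleared, as the parse.y call site now does, two servers on the same address/port are accepted with different certificate and key files while protocols, ciphers, DHE parameters and ECDHE curve must still agree. A short comment above the definition would make that contract explicit, e.g. `/* Compare the TLS settings of two servers sharing an address/port. The keypair is only compared when match_keypair is set; otherwise per-host keypairs are allowed and selected by SNI. */`. The function's head is in the -132 hunk above, and the lines that assign sc1 and sc2 are not in view.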
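Review bot: The failure log in the new keypair loop of server_tls_init does not say which host's keypair could not be added, and the debug line before it logs `srv->srv_conf.name` (the listening server) on every iteration rather than the host being iterated, so with several hosts on one address/port the messages are indistinguishable. Suggest `log_debug("%s: adding keypair for server %s", __func__, srv_conf->name);` and `log_warnx("%s: failed to add tls keypair for %s", __func__, srv_conf->name);`, optionally with tls_config_error() on srv->srv_tls_config for the libtls reason if that accessor is available in the libtls in use. The silent `continue` for hosts whose tls_cert or tls_key is NULL is presumably intended for hosts without a loaded keypair; a one-line comment saying so would save the next reader from wondering whether a load failure is being masked. server_tls_init begins in the -182 hunk above and the rest of its body lies outside this hunk.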
@@ -284,6 +302,9 @@ server_launch(void)
 struct server *srv;
 TAILQ_FOREACH(srv, env->sc_servers, srv_entry) {
+log_debug("%s: configuring server %s", __func__,
+srv->srv_conf.name);
+
 server_tls_init(srv);
 server_http_init(srv);
-- 
2.20.1
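Review bot: The return value of `server_tls_init(srv);` is still discarded right after the new debug line, and this commit adds a new way for it to fail (tls_config_add_keypair_mem returning non-zero for one of the hosts), so a server whose SNI keypairs could not all be registered continues to start with whatever the TLS config holds at that point. At minimum the outcome should be visible, e.g. `if (server_tls_init(srv) == -1) log_warnx("%s: tls init failed for server %s", __func__, srv->srv_conf.name);`, and treating it as fatal for that server would be safer; whether a later check elsewhere catches this is not visible in the hunk. The loop body and server_launch continue past the end of this hunk.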