Re: httpd: Add SNI support

2016-08-13 Thread Reyk Floeter
On Sun, Aug 14, 2016 at 04:06:26AM +1000, Joel Sing wrote:
> The following enables SNI support within httpd.
> 
> It requires libtls to have server side support for SNI (diff previously
> posted).
> 

The code is amazingly simple but it works fine and the diff is good:

OK reyk@

Two small notes:

- A few of the TLS log messages could probably be turned into DPRINTFs
later and we should find a consistent way to print TLS lowercase or
uppercase :)

- We could probably also use tls_conn_servername() in
server_handshake_tls() to switch srv_conf early, but this is not really
needed and would only provide a small benefit for settings that cannot
be set in the "vhosts" (eg. timeouts, connection/request options).

Reyk

> Index: server.c
> ===
> RCS file: /cvs/src/usr.sbin/httpd/server.c,v
> retrieving revision 1.85
> diff -u -p -r1.85 server.c
> --- server.c  28 Apr 2016 17:18:06 -  1.85
> +++ server.c  13 Aug 2016 17:18:51 -
> @@ -159,6 +159,8 @@ server_tls_load_keypair(struct server *s
>  int
>  server_tls_init(struct server *srv)
>  {
> + struct server_config *srv_conf;
> +
>   if ((srv->srv_conf.flags & SRVFLAG_TLS) == 0)
>   return (0);
>  
> @@ -207,6 +209,19 @@ server_tls_init(struct server *srv)
>   return (-1);
>   }
>  
> + TAILQ_FOREACH(srv_conf, >srv_hosts, entry) {
> + if (srv_conf->tls_cert == NULL || srv_conf->tls_key == NULL)
> + continue;
> + log_debug("%s: adding keypair for server %s", __func__,
> + srv->srv_conf.name);
> + if (tls_config_add_keypair_mem(srv->srv_tls_config,
> + srv_conf->tls_cert, srv_conf->tls_cert_len,
> + srv_conf->tls_key, srv_conf->tls_key_len) != 0) {
> + log_warnx("%s: failed to add tls keypair", __func__);
> + return (-1);
> + }
> + }
> +
>   if (tls_configure(srv->srv_tls_ctx, srv->srv_tls_config) != 0) {
>   log_warnx("%s: failed to configure TLS - %s", __func__,
>   tls_error(srv->srv_tls_ctx));
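Review bot: The debug message `log_debug("%s: adding keypair for server %s", ...)` prints `srv->srv_conf.name`, the parent server's name, on every iteration of the `TAILQ_FOREACH` over `srv_hosts`, so the log cannot tell which vhost keypair was actually added; the loop variable is the `struct server_config` being processed, so `srv_conf->name` is the value the message should carry. The failure path has the same gap: `log_warnx("%s: failed to add tls keypair", __func__);` names neither the vhost nor a reason, so an operator running several vhosts cannot see which certificate/key pair was rejected — `log_warnx("%s: failed to add tls keypair for server %s", __func__, srv_conf->name);` would at least match the `tls_configure` failure message below, which reports `tls_error()`. The `>srv_hosts` in the loop header is presumably `&srv->srv_hosts` mangled by the archive rendering. The same hunk appears unquoted in the original posting below and carries the same points. server_tls_init begins and ends outside this hunk.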
> @@ -261,6 +276,9 @@ server_launch(void)
>   struct server   *srv;
>  
>   TAILQ_FOREACH(srv, env->sc_servers, srv_entry) {
> + log_debug("%s: configuring server %s", __func__,
> + srv->srv_conf.name);
> +
>   server_tls_init(srv);
>   server_http_init(srv);
>  
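Review bot: The return value of `server_tls_init(srv)` is still discarded on the line after the new `log_debug`, and this commit makes that matter more: in the server_tls_init hunk above, a `tls_config_add_keypair_mem` failure now returns -1 before `tls_configure` runs, yet server_launch goes on to `server_http_init(srv)` and launches the server as if TLS setup had succeeded (as far as the hunks show). The result should at least be logged against the server name the new debug line already prints, e.g. `if (server_tls_init(srv) == -1) log_warnx("%s: TLS initialization failed for server %s", __func__, srv->srv_conf.name);`, and arguably treated as fatal so a server whose keypair was rejected is not started with an unconfigured TLS context. The same applies to the unquoted copy of this hunk in the original posting, where the hunk's last line is cut off. server_launch's body continues outside the hunk.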
> 

-- 



httpd: Add SNI support

2016-08-13 Thread Joel Sing
The following enables SNI support within httpd.

It requires libtls to have server side support for SNI (diff previously
posted).

Index: server.c
===
RCS file: /cvs/src/usr.sbin/httpd/server.c,v
retrieving revision 1.85
diff -u -p -r1.85 server.c
--- server.c28 Apr 2016 17:18:06 -  1.85
+++ server.c13 Aug 2016 17:18:51 -
@@ -159,6 +159,8 @@ server_tls_load_keypair(struct server *s
 int
 server_tls_init(struct server *srv)
 {
+   struct server_config *srv_conf;
+
if ((srv->srv_conf.flags & SRVFLAG_TLS) == 0)
return (0);
 
@@ -207,6 +209,19 @@ server_tls_init(struct server *srv)
return (-1);
}
 
+   TAILQ_FOREACH(srv_conf, >srv_hosts, entry) {
+   if (srv_conf->tls_cert == NULL || srv_conf->tls_key == NULL)
+   continue;
+   log_debug("%s: adding keypair for server %s", __func__,
+   srv->srv_conf.name);
+   if (tls_config_add_keypair_mem(srv->srv_tls_config,
+   srv_conf->tls_cert, srv_conf->tls_cert_len,
+   srv_conf->tls_key, srv_conf->tls_key_len) != 0) {
+   log_warnx("%s: failed to add tls keypair", __func__);
+   return (-1);
+   }
+   }
+
if (tls_configure(srv->srv_tls_ctx, srv->srv_tls_config) != 0) {
log_warnx("%s: failed to configure TLS - %s", __func__,
tls_error(srv->srv_tls_ctx));
@@ -261,6 +276,9 @@ server_launch(void)
struct server   *srv;
 
TAILQ_FOREACH(srv, env->sc_servers, srv_entry) {
+   log_debug("%s: configuring server %s", __func__,
+   srv->srv_conf.name);
+
server_tls_init(srv);
server_http_init(srv);