On Sun, Aug 14, 2016 at 04:06:26AM +1000, Joel Sing wrote:
> The following enables SNI support within httpd.
>
> It requires libtls to have server side support for SNI (diff previously
> posted).
>
The code is amazingly simple but it works fine and the diff is good:
OK reyk@
Two small notes:
- A few of the TLS log messages could probably be turned into DPRINTFs
later and we should find a consistent way to print TLS lowercase or
uppercase :)
- We could probably also use tls_conn_servername() in
server_handshake_tls() to switch srv_conf early, but this is not really
needed and would only provide a small benefit for settings that cannot
be set in the "vhosts" (e.g. timeouts, connection/request options).
Reyk
> Index: server.c
> ===
> RCS file: /cvs/src/usr.sbin/httpd/server.c,v
> retrieving revision 1.85
> diff -u -p -r1.85 server.c
> --- server.c 28 Apr 2016 17:18:06 - 1.85
> +++ server.c 13 Aug 2016 17:18:51 -
> @@ -159,6 +159,8 @@ server_tls_load_keypair(struct server *s
> int
> server_tls_init(struct server *srv)
> {
> + struct server_config *srv_conf;
> +
> if ((srv->srv_conf.flags & SRVFLAG_TLS) == 0)
> return (0);
>
> @@ -207,6 +209,19 @@ server_tls_init(struct server *srv)
> return (-1);
> }
>
> + TAILQ_FOREACH(srv_conf, >srv_hosts, entry) {
> + if (srv_conf->tls_cert == NULL || srv_conf->tls_key == NULL)
> + continue;
> + log_debug("%s: adding keypair for server %s", __func__,
> + srv->srv_conf.name);
> + if (tls_config_add_keypair_mem(srv->srv_tls_config,
> + srv_conf->tls_cert, srv_conf->tls_cert_len,
> + srv_conf->tls_key, srv_conf->tls_key_len) != 0) {
> + log_warnx("%s: failed to add tls keypair", __func__);
> + return (-1);
> + }
> + }
> +
> if (tls_configure(srv->srv_tls_ctx, srv->srv_tls_config) != 0) {
> log_warnx("%s: failed to configure TLS - %s", __func__,
> tls_error(srv->srv_tls_ctx));
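Review bot: the loop header reads `TAILQ_FOREACH(srv_conf, >srv_hosts, entry)`, where the second argument looks like it lost its `&` in transit (presumably `&srv->srv_hosts`); worth confirming the committed diff carries the full expression. Inside the loop, `log_debug("%s: adding keypair for server %s", ...)` prints `srv->srv_conf.name`, so every vhost keypair is logged against the parent server's name rather than the host it belongs to; `srv_conf->name` would make that line useful when tracking down a wrong-certificate problem. The `tls_config_add_keypair_mem()` failure path also logs only "failed to add tls keypair", while the `tls_configure()` path just below includes `tls_error()`; appending `tls_config_error(srv->srv_tls_config)` would say which keypair was rejected and why.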
> @@ -261,6 +276,9 @@ server_launch(void)
> struct server *srv;
>
> TAILQ_FOREACH(srv, env->sc_servers, srv_entry) {
> + log_debug("%s: configuring server %s", __func__,
> + srv->srv_conf.name);
> +
> server_tls_init(srv);
> server_http_init(srv);
>
>
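Review bot: `server_tls_init(srv)` is still called without checking its return value, and this diff adds a new way for it to fail (`return (-1)` when a vhost keypair cannot be added). A server whose SNI keypair was rejected would log a warning and then continue into `server_http_init(srv)` and launch as if nothing happened; consider treating a non-zero return as fatal here, or at least reporting it next to the new "configuring server" debug message so the misconfiguration is not lost among debug output.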
--