On Sun, Aug 14, 2016 at 04:06:26AM +1000, Joel Sing wrote:
> The following enables SNI support within httpd.
> 
> It requires libtls to have server side support for SNI (diff previously
> posted).
> 

The code is amazingly simple but it works fine and the diff is good:

OK reyk@

Two small notes:

- A few of the TLS log messages could probably be turned into DPRINTFs
later and we should find a consistent way to print TLS lowercase or
uppercase :)

- We could probably also use tls_conn_servername() in
server_handshake_tls() to switch srv_conf early, but this is not really
needed and would only provide a small benefit for settings that cannot
be set in the "vhosts" (e.g. timeouts, connection/request options).

Reyk

> Index: server.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/httpd/server.c,v
> retrieving revision 1.85
> diff -u -p -r1.85 server.c
> --- server.c  28 Apr 2016 17:18:06 -0000      1.85
> +++ server.c  13 Aug 2016 17:18:51 -0000
> @@ -159,6 +159,8 @@ server_tls_load_keypair(struct server *s
>  int
>  server_tls_init(struct server *srv)
>  {
> +     struct server_config *srv_conf;
> +
>       if ((srv->srv_conf.flags & SRVFLAG_TLS) == 0)
>               return (0);
>  
> @@ -207,6 +209,19 @@ server_tls_init(struct server *srv)
>               return (-1);
>       }
>  
> +     TAILQ_FOREACH(srv_conf, &srv->srv_hosts, entry) {
> +             if (srv_conf->tls_cert == NULL || srv_conf->tls_key == NULL)
> +                     continue;
> +             log_debug("%s: adding keypair for server %s", __func__,
> +                 srv->srv_conf.name);
> +             if (tls_config_add_keypair_mem(srv->srv_tls_config,
> +                 srv_conf->tls_cert, srv_conf->tls_cert_len,
> +                 srv_conf->tls_key, srv_conf->tls_key_len) != 0) {
> +                     log_warnx("%s: failed to add tls keypair", __func__);
> +                     return (-1);
> +             }
> +     }
> +
>       if (tls_configure(srv->srv_tls_ctx, srv->srv_tls_config) != 0) {
>               log_warnx("%s: failed to configure TLS - %s", __func__,
>                   tls_error(srv->srv_tls_ctx));
> @@ -261,6 +276,9 @@ server_launch(void)
>       struct server           *srv;
>  
>       TAILQ_FOREACH(srv, env->sc_servers, srv_entry) {
> +             log_debug("%s: configuring server %s", __func__,
> +                 srv->srv_conf.name);
> +
>               server_tls_init(srv);
>               server_http_init(srv);
>  
> 

-- 
