On Sun, Aug 14, 2016 at 04:06:26AM +1000, Joel Sing wrote:
> The following enables SNI support within httpd.
>
> It requires libtls to have server side support for SNI (diff previously
> posted).
>
The code is amazingly simple but it works fine and the diff is good:

OK reyk@

Two small notes:

- A few of the TLS log messages could probably be turned into DPRINTFs
  later and we should find a consistent way to print TLS lowercase or
  uppercase :)

- We could probably also use tls_conn_servername() in
  server_handshake_tls() to switch srv_conf early, but this is not really
  needed and would only provide a small benefit for settings that cannot
  be set in the "vhosts" (e.g. timeouts, connection/request options).

Reyk

> Index: server.c > =================================================================== > RCS file: /cvs/src/usr.sbin/httpd/server.c,v > retrieving revision 1.85 > diff -u -p -r1.85 server.c > --- server.c 28 Apr 2016 17:18:06 -0000 1.85 > +++ server.c 13 Aug 2016 17:18:51 -0000 > @@ -159,6 +159,8 @@ server_tls_load_keypair(struct server *s > int > server_tls_init(struct server *srv) > { > + struct server_config *srv_conf; > + > if ((srv->srv_conf.flags & SRVFLAG_TLS) == 0) > return (0); > > @@ -207,6 +209,19 @@ server_tls_init(struct server *srv) > return (-1); > } > > + TAILQ_FOREACH(srv_conf, &srv->srv_hosts, entry) { > + if (srv_conf->tls_cert == NULL || srv_conf->tls_key == NULL) > + continue; > + log_debug("%s: adding keypair for server %s", __func__, > + srv->srv_conf.name); > + if (tls_config_add_keypair_mem(srv->srv_tls_config, > + srv_conf->tls_cert, srv_conf->tls_cert_len, > + srv_conf->tls_key, srv_conf->tls_key_len) != 0) { > + log_warnx("%s: failed to add tls keypair", __func__); > + return (-1); > + } > + } > + > if (tls_configure(srv->srv_tls_ctx, srv->srv_tls_config) != 0) { > log_warnx("%s: failed to configure TLS - %s", __func__, > tls_error(srv->srv_tls_ctx)); > @@ -261,6 +276,9 @@ server_launch(void) > struct server *srv; > > TAILQ_FOREACH(srv, env->sc_servers, srv_entry) { > + log_debug("%s: configuring server %s", __func__, > + srv->srv_conf.name); > + > server_tls_init(srv); > server_http_init(srv); > > --
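Review bot: in the @@ -207,6 +209,19 @@ hunk, the log_debug() inside the TAILQ_FOREACH over srv->srv_hosts prints srv->srv_conf.name, i.e. the parent server's name, on every iteration, rather than the name of the vhost whose keypair is actually being added; it should use the loop variable, srv_conf->name, so the debug output identifies the right host. The failure path in the same hunk, `log_warnx("%s: failed to add tls keypair", __func__);`, also gives no reason, whereas the tls_configure() failure just below it includes tls_error(srv->srv_tls_ctx); appending tls_config_error(srv->srv_tls_config) and the vhost name there would tell the operator which keypair was rejected and why.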
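Review bot: in the @@ -261,6 +276,9 @@ hunk, server_launch() still calls server_tls_init(srv) without checking its return value, although the previous hunk makes server_tls_init() return -1 when tls_config_add_keypair_mem() fails for a vhost; as written, a server with a bad vhost keypair only logs a warning and is launched anyway, with that keypair missing from the TLS config. Since the new log_debug() already sits right before that call, this is the place to check the result, e.g. `if (server_tls_init(srv) == -1)` followed by a fatal error or skipping that server, so a broken vhost keypair is caught at startup rather than surfacing as a wrong or missing certificate at handshake time.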