On Mon, Feb 15, 2021 at 12:41:31PM +0100, Claudio Jeker wrote:
> For SNI all TLS servers need to run with the same config. The config
> parser has an extra step for this. The problem is it also compares the
> TLS config params with non-TLS servers when a server block has both
> listen * port 80 and listen * tls port 443.
>
> The following diff fixes that and also removes the unused last argument of
> server_tls_cmp().
I don't know why the match_keypair option was added, but it's been dead since it landed. ok tb

> --
> :wq Claudio
>
> Index: httpd.h > =================================================================== > RCS file: /cvs/src/usr.sbin/httpd/httpd.h,v > retrieving revision 1.154 > diff -u -p -r1.154 httpd.h > --- httpd.h 27 Jan 2021 07:21:52 -0000 1.154 > +++ httpd.h 13 Feb 2021 08:32:34 -0000 > @@ -622,7 +622,7 @@ int cmdline_symset(char *); > > /* server.c */ > void server(struct privsep *, struct privsep_proc *); > -int server_tls_cmp(struct server *, struct server *, int); > +int server_tls_cmp(struct server *, struct server *); > int server_tls_load_ca(struct server *); > int server_tls_load_crl(struct server *); > int server_tls_load_keypair(struct server *); > Index: parse.y > =================================================================== > RCS file: /cvs/src/usr.sbin/httpd/parse.y,v > retrieving revision 1.124 > diff -u -p -r1.124 parse.y > --- parse.y 22 Jan 2021 13:07:17 -0000 1.124 > +++ parse.y 13 Feb 2021 09:02:18 -0000 > @@ -333,7 +333,8 @@ server : SERVER optmatch STRING { > free(srv); > YYERROR; > } > - if (server_tls_cmp(s, srv, 0) != 0) { > + if (srv->srv_conf.flags & SRVFLAG_TLS && > + server_tls_cmp(s, srv) != 0) { > yyerror("server \"%s\": tls " > "configuration mismatch on same " > "address/port", > Index: server.c > =================================================================== > RCS file: /cvs/src/usr.sbin/httpd/server.c,v > retrieving revision 1.124 > diff -u -p -r1.124 server.c > --- server.c 2 Jan 2021 18:35:07 -0000 1.124 > +++ server.c 15 Feb 2021 11:38:08 -0000 > @@ -127,7 +127,7 @@ server_privinit(struct server *srv) > } > > int > -server_tls_cmp(struct server *s1, struct server *s2, int match_keypair) > +server_tls_cmp(struct server *s1, struct server *s2) > { > struct server_config *sc1, *sc2; 
> > @@ -146,13 +146,6 @@ server_tls_cmp(struct server *s1, struct > return (-1); > if (strcmp(sc1->tls_ecdhe_curves, sc2->tls_ecdhe_curves) != 0) > return (-1); > - > - if (match_keypair) { > - if (strcmp(sc1->tls_cert_file, sc2->tls_cert_file) != 0) > - return (-1); > - if (strcmp(sc1->tls_key_file, sc2->tls_key_file) != 0) > - return (-1); > - } > > return (0); > } >
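Review bot: In the parse.y hunk, the new condition `srv->srv_conf.flags & SRVFLAG_TLS && server_tls_cmp(s, srv) != 0` relies on `&` binding tighter than `&&`; that is correct, but parenthesising the flag test as `(srv->srv_conf.flags & SRVFLAG_TLS) &&` would make the intent obvious at a glance. Also note the guard only looks at the flags of the server being added (`srv`), not of the existing server `s`; that matches the described goal of leaving non-TLS listeners out of the comparison, but a one-line comment above the `if` saying that only TLS servers on the same address/port are compared would save the next reader from re-deriving it.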
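Review bot: The second server.c hunk drops the `match_keypair` block, so `server_tls_cmp()` now never compares `tls_cert_file` and `tls_key_file`. As the parse.y hunk shows the only visible caller passing `0`, this is not a behaviour change, but the commit message should state explicitly that keypairs are intentionally excluded from the check because each SNI server keeps its own certificate and key, so that nobody later reads the removal as an oversight.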
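The configuration the quoted description refers to, as an added illustration that is not from the thread or the httpd source (hostnames and paths are made up): the two blocks sharing TLS port 443 must agree on the TLS parameters that server_tls_cmp() compares, the keypair may differ per block, and the plain port 80 listener in the first block must not be pulled into that comparison.

```conf
# Constructed example httpd.conf (not from the thread or the httpd tree).
# One server block with both a plain and a TLS listener. The parser creates
# a separate server instance per listen statement; the port 80 instance
# carries no TLS config and must not be TLS-compared with port 443 servers.
server "example.com" {
	listen on * port 80
	listen on * tls port 443
	tls {
		certificate "/etc/ssl/example.com.crt"
		key "/etc/ssl/private/example.com.key"
		protocols "default"
		ciphers "compat"
	}
}

# Second name on the same address/port, selected by SNI. Its protocols and
# ciphers must match the block above or the parser reports
# "tls configuration mismatch on same address/port"; its keypair may differ.
server "www.example.com" {
	listen on * tls port 443
	tls {
		certificate "/etc/ssl/www.example.com.crt"
		key "/etc/ssl/private/www.example.com.key"
		protocols "default"
		ciphers "compat"
	}
}
```

Running `httpd -n -f` on such a file is the quickest way to confirm whether the parser accepts the combination before reloading the daemon.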