SSL (patch 4)
    Bear Giles 
    bear at coyotesong.com
       
    Sun May 26 17:57:34 UTC 2002
    
    
  
Moved SSL initialization from per-client to once-per-server.
This also means that the server cert and static key must be
available for the server to start (when SSL is enabled), which
is not an undue burden: it merely moves any problem with them
from the moment a client tries to connect with SSL to server
startup.
Bear Giles
Index: inn/nnrpd/misc.c
diff -c inn/nnrpd/misc.c:1.2 inn/nnrpd/misc.c:1.3
*** inn/nnrpd/misc.c:1.2	Sun May 26 10:25:59 2002
--- inn/nnrpd/misc.c	Sun May 26 11:50:12 2002
***************
*** 1,4 ****
! /*  $Id: misc.c,v 1.2 2002/05/26 16:25:59 bear Exp $
  **
  **  Miscellaneous support routines.
  */
--- 1,4 ----
! /*  $Id: misc.c,v 1.3 2002/05/26 17:50:12 bear Exp $
  **
  **  Miscellaneous support routines.
  */
***************
*** 663,687 ****
        return;
      }
  
-   result=tls_init_serverengine(5,        /* depth to verify */
- 			       1,        /* can client auth? */
- 			       0,        /* required client to auth? */
- 			       (char *)sasl_config_getstring("tls_ca_file", ""),
- 			       (char *)sasl_config_getstring("tls_ca_path", ""),
- 			       (char *)sasl_config_getstring("tls_cert_file", ""),
- 			       (char *)sasl_config_getstring("tls_key_file", ""));
- 
-   if (result == -1) {
-     Reply("%d Error initializing TLS\r\n", NNTP_STARTTLS_BAD_VAL);
-     
-     syslog(L_ERROR, "error initializing TLS: "
- 	   "[CA_file: %s] [CA_path: %s] [cert_file: %s] [key_file: %s]",
- 	   (char *) sasl_config_getstring("tls_ca_file", ""),
- 	   (char *) sasl_config_getstring("tls_ca_path", ""),
- 	   (char *) sasl_config_getstring("tls_cert_file", ""),
- 	   (char *) sasl_config_getstring("tls_key_file", ""));
-     return;
-   }
    Reply("%d Begin TLS negotiation now\r\n", NNTP_STARTTLS_NEXT_VAL);
    (void)fflush(stdout);
  
--- 663,668 ----
Index: inn/nnrpd/nnrpd.c
diff -c inn/nnrpd/nnrpd.c:1.3 inn/nnrpd/nnrpd.c:1.4
*** inn/nnrpd/nnrpd.c:1.3	Sun May 26 10:31:16 2002
--- inn/nnrpd/nnrpd.c	Sun May 26 11:50:12 2002
***************
*** 1,4 ****
! /*  $Id: nnrpd.c,v 1.3 2002/05/26 16:31:16 bear Exp $
  **
  **  NNTP server for readers (NNRP) for InterNetNews.
  **
--- 1,4 ----
! /*  $Id: nnrpd.c,v 1.4 2002/05/26 17:50:12 bear Exp $
  **
  **  NNTP server for readers (NNRP) for InterNetNews.
  **
***************
*** 203,209 ****
          syslog(L_NOTICE, "%s overstats count %d hit %d miss %d time %d size %d dbz %d seek %d get %d artcheck %d", ClientHost,
              OVERcount, OVERhit, OVERmiss, OVERtime, OVERsize, OVERdbz, OVERseek, OVERget, OVERartcheck);
  
! #ifdef HAVE_OPENSSL
  	if (tls_conn) {
  	  SSL_shutdown(tls_conn);
  	  tls_conn = NULL;
--- 203,209 ----
          syslog(L_NOTICE, "%s overstats count %d hit %d miss %d time %d size %d dbz %d seek %d get %d artcheck %d", ClientHost,
              OVERcount, OVERhit, OVERmiss, OVERtime, OVERsize, OVERdbz, OVERseek, OVERget, OVERartcheck);
  
! #ifdef HAVE_SSL
  	if (tls_conn) {
  	  SSL_shutdown(tls_conn);
  	  tls_conn = NULL;
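Review bot: The `if (tls_conn)` block behind this guard has effectively been compiled out until now, since every other conditional in this patch (the new startup block and the initialSSL path) tests HAVE_SSL rather than HAVE_OPENSSL, so this shutdown path is about to run for the first time and should be exercised in a test. Within the visible lines `SSL_shutdown(tls_conn);` is followed directly by `tls_conn = NULL;` with no `SSL_free(tls_conn);` in between, so the SSL object is never released on this path; presumably this is process exit (the stats syslog precedes it), which makes the leak harmless, but a comment such as `/* object intentionally not freed: process is exiting */` would record that. It is also worth checking the tree for any remaining HAVE_OPENSSL references, as they would be dead code in the same way. The enclosing function starts and ends outside the hunk.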
***************
*** 999,1004 ****
--- 999,1032 ----
          NNRPACCESS = concatpath(innconf->pathetc,_PATH_NNRPACCESS);
      SPOOLlen = strlen(innconf->patharticles);
  
+ #ifdef HAVE_SSL
+     /*
+      * if we have a SSL session, either initially or after
+      * STARTTLS, make sure we can before proceeding.  The
+      * SSL_CTX object may be expensive to initialize, but it
+      * can be shared by all child processes
+      */
+     sasl_config_read();
+     ssl_result=tls_init_serverengine(5,        /* depth to verify */
+ 				     0,        /* can client auth? */
+ 				     0,        /* required client to auth? */
+ 				     (char *)sasl_config_getstring("tls_ca_file", ""),
+ 				     (char *)sasl_config_getstring("tls_ca_path", ""),
+ 				     (char *)sasl_config_getstring("tls_cert_file", ""),
+ 				     (char *)sasl_config_getstring("tls_key_file", ""));
+     if (ssl_result == -1) {
+       Reply("%d Error initializing TLS\r\n", NNTP_STARTTLS_BAD_VAL);
+ 	
+       syslog(L_ERROR, "error initializing TLS: "
+ 	     "[CA_file: %s] [CA_path: %s] [cert_file: %s] [key_file: %s]",
+ 	     (char *) sasl_config_getstring("tls_ca_file", ""),
+ 	     (char *) sasl_config_getstring("tls_ca_path", ""),
+ 	     (char *) sasl_config_getstring("tls_cert_file", ""),
+ 	     (char *) sasl_config_getstring("tls_key_file", ""));
+       ExitWithStats(1, FALSE);
+     }
+ #endif
+ 
      if (DaemonMode) {
  
  #ifdef HAVE_INET6
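Review bot: The shared context is created with client authentication disabled (`0,        /* can client auth? */`), whereas the per-connection call this replaces in misc.c's STARTTLS handler passed `1`; because that handler now depends on this single initialization, STARTTLS sessions lose the ability to request a client certificate, and the description does not mention that change. Whichever behaviour is intended should be stated in a comment on that argument, since the verification mode of the shared SSL_CTX is now fixed for every connection and every child. `Reply("%d Error initializing TLS\r\n", NNTP_STARTTLS_BAD_VAL);` is a STARTTLS command response carried over from the per-connection code, but at this point no client has been greeted (and in daemon mode stdout is not a client at all), so the line should be dropped and the failure left to the syslog and `ExitWithStats(1, FALSE);` that follow. Since the context now exists before the `if (DaemonMode)` path, which presumably forks, it is worth confirming that the library's random state is re-seeded in each child rather than inherited identically. The enclosing function starts and ends outside the hunk.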
***************
*** 1189,1214 ****
  #ifdef HAVE_SSL
      ClientSSL = FALSE;
      if (initialSSL) {
-       sasl_config_read();
-       ssl_result=tls_init_serverengine(5,        /* depth to verify */
- 				       0,        /* can client auth? */
- 				       0,        /* required client to auth? */
- 				       (char *)sasl_config_getstring("tls_ca_file", ""),
- 				       (char *)sasl_config_getstring("tls_ca_path", ""),
- 				       (char *)sasl_config_getstring("tls_cert_file", ""),
- 				       (char *)sasl_config_getstring("tls_key_file", ""));
-       if (ssl_result == -1) {
- 	Reply("%d Error initializing TLS\r\n", NNTP_STARTTLS_BAD_VAL);
- 	
- 	syslog(L_ERROR, "error initializing TLS: "
- 	       "[CA_file: %s] [CA_path: %s] [cert_file: %s] [key_file: %s]",
- 	       (char *) sasl_config_getstring("tls_ca_file", ""),
- 	       (char *) sasl_config_getstring("tls_ca_path", ""),
- 	       (char *) sasl_config_getstring("tls_cert_file", ""),
- 	       (char *) sasl_config_getstring("tls_key_file", ""));
- 	ExitWithStats(1, FALSE);
-       }
- 
        ssl_result=tls_start_servertls(0, /* read */
  				     1); /* write */
        if (ssl_result==-1) {
--- 1217,1222 ----
Index: inn/nnrpd/tls.c
diff -c inn/nnrpd/tls.c:1.2 inn/nnrpd/tls.c:1.3
*** inn/nnrpd/tls.c:1.2	Sun May 26 11:19:43 2002
--- inn/nnrpd/tls.c	Sun May 26 11:50:13 2002
***************
*** 603,609 ****
        return (-1);
      }
      
- 
      /*
       * This is the actual handshake routine. It will do all the negotiations
       * and will check the client cert etc.
--- 603,608 ----
    
    