

Roxen.git/server/base_server/global_variables.pike:1:   // This file is part of Roxen WebServer. - // Copyright © 1996 - 2009, Roxen IS. + // Copyright 1996 - 2009, Roxen IS.   // $Id$      // #pragma strict_types   #define DEFVAR mixed...:object   #define BDEFVAR mixed...:object      #define IN_ROXEN   #include <module.h>   inherit "read_config";   inherit "basic_defvar";
Roxen.git/server/base_server/global_variables.pike:212:    "again after some minutes). Thus, if the user doesn't allow "    "the cookie to be set, she won't be bothered with "    "multiple requests."),0, do_set_cookie( o ));   }      protected int hide_if_empty(RequestID id, Variable.Variable var)   {    return !sizeof(var->query());   }    + protected void update_ssl_suite_filter_default(Variable.Variable var) + { +  int val = var->query(); +  if (!val || (val & 16)) { +  if (val && !(val & 4)) { +  var->set_warning(LOCALE(1155, "Warning: RSA-encryption enabled.")); +  } +  return; +  } +  val |= 16; // Upgrade marker. +  if (!val & 4) { +  val |= 4; // Change default to ephemeral. +  } +  var->low_set(val); + } +    void set_up_ssl_variables( Protocol o )   {    function(DEFVAR) defvar = o->defvar;       defvar( "ssl_keys", o->CertificateKeyChoiceVariable    (VAR_NO_DEFAULT,    LOCALE(1125, "SSL/TLS Certificate(s)"),    LOCALE(1126, "<p>The TLS certificate(s) to use.</p>\n"    "<p>Certificate and key files matching the "    "<b>Global Variables/Settings/Certificate and "
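Review bot: The migration test `if (!val & 4)` in update_ssl_suite_filter_default can never be true, because `!` binds tighter than `&`: `!val` is 0 or 1, and masking that with 4 always gives 0. An old stored value of 8 would therefore become 24 ("Suite B (allow RSA-encryption)") instead of 28, leaving RSA key exchange enabled even though the comment says the default should change to ephemeral. The early-return branch already uses the parenthesised form, so the fix would be `if (!(val & 4)) {`. It is also worth confirming whether `low_set` re-runs the callback, since otherwise the RSA warning would not appear for a value that was just upgraded.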
Roxen.git/server/base_server/global_variables.pike:322: Inside #if constant(SSL.ServerConnection)
      defvar( "ssl_password",    Variable.String("", VAR_INVISIBLE,    LOCALE(1082, "SSL decryption password"),    LOCALE(1083, "Optional password to decrypt the "    "SSL key file(s).")));       defvar("ssl_suite_filter",    Variable.IntChoice(0,    ([ -  0: "Default", -  4: "Ephemeral key exchanges only", -  8: "Suite B (relaxed)", -  12: "Suite B (ephemeral only)", -  14: "Suite B (transitional)", -  15: "Suite B (strict)", +  0: "Roxen default policy", +  16: "Allow RSA-encryption", +  20: "Ephemeral key exchanges only", +  24: "Suite B (allow RSA-encryption)", +  28: "Suite B (ephemeral only)", +  30: "Suite B (transitional)", +  31: "Suite B (strict)",    ]),    0,    LOCALE(1084, "Additional suite filtering"),    LOCALE(1085, "<p>Selects an additional cipher suite "    "policy.</p>"    "<p>The supported filter modes are:\n"    "<dl>\n" -  "<dt>Default</dt>\n" -  "<dd>Use the default cipher suite selection " -  "policy, and allow all cipher suites that " -  "have sufficient strength.</dd>\n" +  "<dt>Roxen default policy</dt>\n" +  "<dd>Use the Roxen default cipher suite " +  "selection policy. This is currently the " +  "same as <b>Ephemeral key exchanges " +  "only</b>, but may differ in other " +  "versions of Roxen.</dd>\n" +  "<dt>Allow RSA-encryption</dt>\n" +  "<dd>Allow old cipher suites that use RSA-" +  "encryption for the key-exchange. " +  "These suites are vulnerable to the " +  "<a href='https://robotattack.org/'>" +  "ROBOT</a> vulnerability, and should " +  "usually <b>NOT</b> be allowed.</dd>\n"    "<dt>Ephemeral key exchanges only</dt>\n"    "<dd>Only allow cipher suites that use a "    "key exchange with ephemeral keys (aka "    "\"Perfect Forward Security\"). 
Ie "    "either ECDHE or DHE.</dd>\n" -  "<dt>Suite B (relaxed)</dt>\n" -  "<dd>Same as <b>Default</b>, but prefer the " -  "suites specified in <b>Suite B</b>.</dd>\n" +  "<dt>Suite B (allow RSA-encryption)</dt>\n" +  "<dd>Same as <b>Allow RSA-encryption</b>, " +  "but prefer the suites specified in " +  "<b>Suite B</b>. Should usually <b>NOT</b> " +  "be used.</dd>\n"    "<dt>Suite B (ephemeral only)</dt>\n"    "<dd>Same as <b>Ephemeral key exchanges "    "only</b>, but prefer the suites specified "    "in <b>Suite B</b>.</dd>\n"    "<dt>Suite B (transitional)</dt>\n"    "<dd>Support only the suites specified by "    "RFCs 5430 and 6460.</dd>\n"    "<dt>Suite B (strict)</dt>\n"    "<dd>Support only the suites specified by "    "RFC 6460.</dt>\n"    "</dl>\n"    "</p>\n"    "<p>Note: Full Suite B operation is not "    "supported in all configurations.</p>\n"    "<p>Note: For full Suite B compliance a "    "suitable certificate must also be " -  "used.</p>"))); +  "used.</p>")))-> +  set_changed_callback(update_ssl_suite_filter_default);   #endif /* SSL.ServerConnection */   #if constant(SSL.Constants.PROTOCOL_TLS_MAX)    mapping(SSL.Constants.ProtocolVersion: string) ssl_versions = ([    SSL.Constants.PROTOCOL_SSL_3_0: "SSL 3.0",    SSL.Constants.PROTOCOL_TLS_1_0: "TLS 1.0 (aka SSL 3.1)",    ]);   #if constant(SSL.Constants.PROTOCOL_TLS_1_1)    // NB: The symbol may be available, but the Pike binary might be to old...    for (SSL.Constants.ProtocolVersion v = SSL.Constants.PROTOCOL_TLS_1_1;    v <= SSL.Constants.PROTOCOL_TLS_MAX; v++) {
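Review bot: The old choice keys (4, 8, 12, 14, 15) are gone from the `ssl_suite_filter` mapping, so a stored configuration only matches a listed choice again after update_ssl_suite_filter_default has run. This section does not show whether a callback registered with `set_changed_callback` is invoked when a saved value is loaded or only when an administrator edits it. If it is the latter, existing sites would keep an unlisted value until someone opens the setting, so the load path should be confirmed. The bit layout also deserves a comment above the mapping, something like `// Bit 16 marks an upgraded value; bit 4 requires ephemeral key exchange.`, to be checked against the filter implementation. The defvar call sits inside set_up_ssl_variables, which starts and ends outside this section.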
Roxen.git/server/base_server/global_variables.pike:653:    "version of Roxen, as recommended by the HTTP/1.0 and "    "HTTP/1.1 RFCs:"    "<p><blockquote><i>"    "Note: Revealing the specific software version of the server "    "may allow the server machine to become more vulnerable to "    "attacks against software that is known to contain security "    "holes. Server implementors are encouraged to make this field "    "a configurable option."    "</i></blockquote></p>"));    -  defvar("ident", replace(real_version," ","·"), +  defvar("ident", replace(real_version," ",""),    LOCALE(126, "Identify, Identify as"),    TYPE_STRING /* |VAR_MORE */,    LOCALE(127, "Enter the name that Roxen should use when talking to clients. "),    0, ident_disabled_p);       defvar("config_header_string", "",    LOCALE(532, "Show this string in header"),    TYPE_STRING /* |VAR_MORE */,    LOCALE(533, "Enter a identifier that will be displayed in the head of "    " config interface. This makes it easier to distinguish "
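Review bot: As rendered here, the new default for `ident` is `replace(real_version," ","")`, which removes the spaces from the version string instead of substituting a separator. If an invisible character such as a non-breaking space was intended and has been lost in display, writing it as an explicit escape would let the literal survive re-encoding. If dropping the spaces is intended, a short comment such as `// NB: Spaces are removed from the default ident on purpose.` would say so. The help text in this hunk says the ident is the name Roxen uses when talking to clients, so the exact default is visible externally. The enclosing function starts and ends outside the hunk.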
Roxen.git/server/base_server/global_variables.pike:1014:    // since the effect of the gc is radically different now we    // intentionally use a different variable name to reset the value.    definvisvar ("mem_cache_gc", 300, TYPE_INT);       v = defvar ("mem_cache_size", 100,    LOCALE(1043, "Cache: Memory cache size"),    TYPE_INT,    LOCALE(1044, #"\   <p>Maximum size in MByte for all RAM caches taken together. This limit   covers the caches visible in the <a - href='/actions/?action=cachestatus.pike&class=status&_roxen_wizard_id=&form._roxen_wizard_id;'>Cache status</a> - page.</p> + href='/actions/?action=cachestatus.pike&class=status&_roxen_wizard_id=&form._roxen_wizard_id;'>Cache status</a> page.</p>      <p>Note that there are many more things in the Roxen WebServer that   take space, including some caches that are not handled by the common   RAM cache. Also, there is various indirect memory overhead that is not   directly accounted for by the size calculations. All these taken   together means that the figure configured here cannot be mapped   straightly to the size of the Roxen process as reported by the OS. The   optimal setting here is the one that in general keeps the Roxen   process at a size that avoids swapping and leaves enough memory for   buffers and other processes that need to run at the same time (e.g.