Roxen.git / server / base_server / roxen.pike


Roxen.git/server/base_server/roxen.pike:1:   // This file is part of Roxen WebServer.   // Copyright © 1996 - 2009, Roxen IS.   //   // The Roxen WebServer main program.   //   // Per Hedbor, Henrik Grubbström, Pontus Hagland, David Hedbor and others.   // ABS and suicide systems contributed freely by Francesco Chemolli    - constant cvs_version="$Id: roxen.pike,v 1.1075 2010/12/02 13:42:11 grubba Exp $"; + constant cvs_version="$Id: roxen.pike,v 1.1076 2010/12/21 14:52:28 grubba Exp $";      //! @appears roxen   //!   //! The Roxen WebServer main program.      // The argument cache. Used by the image cache.   ArgCache argcache;      // Some headerfiles   #define IN_ROXEN
Roxen.git/server/base_server/roxen.pike:2243:    string msg = (MSG); \    array args = ({ARGS}); \    if (sizeof (args)) msg = sprintf (msg, @args); \    report_error ("TLS port %s: %s", get_url(), msg); \    (VAR)->add_warning (msg); \    cert_err_unbind(); \    cert_failure = 1; \    return; \    } while (0)    +  protected void filter_preferred_suites() { + #ifndef ALLOW_WEAK_SSL +  // Filter weak and really weak cipher suites. +  ctx->preferred_suites -= ({ +  SSL.Constants.SSL_rsa_export_with_rc4_40_md5, +  SSL.Constants.SSL_rsa_with_null_sha, +  SSL.Constants.SSL_rsa_with_null_md5, +  SSL.Constants.SSL_dhe_dss_export_with_des40_cbc_sha, +  SSL.Constants.SSL_null_with_null_null, +  }); + #endif +  } +     void certificates_changed(Variable.Variable|void ignored,    void|int ignore_eaddrinuse)    {    int old_cert_failure = cert_failure;       string raw_keydata;    array(string) certificates = ({});    array(object) decoded_certs = ({});    Variable.Variable Certificates = getvar("ssl_cert_file");   
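Review bot: The new `filter_preferred_suites()` has no autodoc, and its effect is decided at compile time by `#ifndef ALLOW_WEAK_SSL`, so a maintainer reading a running server's config cannot tell from the code whether the filter is active; a `//! Remove NULL-cipher and 40-bit export suites from @[ctx->preferred_suites] unless the server was built with ALLOW_WEAK_SSL.` line above the method would record both facts. The filter is a denylist of five named suites subtracted from whatever the SSL module put in `preferred_suites`, so any other weak suite that list may contain is left in place; an allowlist of the suites the port actually wants would be the more robust shape, since new weak entries would then be excluded by default rather than needing a patch here. The enclosing port class starts outside the hunk.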
Roxen.git/server/base_server/roxen.pike:2350:    SSL3_WERR(sprintf("RSA key size: %d bits", rsa->rsa_size()));       if (rsa->rsa_size() > 512)    {    /* Too large for export */    ctx->short_rsa = Crypto.RSA()->generate_key(512, ctx->random);       // ctx->long_rsa = Crypto.RSA()->generate_key(rsa->rsa_size(), ctx->random);    }    ctx->rsa_mode(); +  filter_preferred_suites();       array(int) key_matches =    map(decoded_certs,    lambda (object tbs) {    return tbs->public_key->rsa->public_key_equal (rsa);    });       int num_key_matches;    // DWIM: Make sure the main cert comes first.    array(string) new_certificates = allocate(sizeof(certificates));
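Review bot: The call to `filter_preferred_suites()` right after `ctx->rsa_mode()` presumably relies on rsa_mode() replacing `preferred_suites` (not visible here); if it only appends, the filter is harmless but the ordering comment is worth stating, e.g. `// rsa_mode() resets the suite list, so the weak-suite filter must run after it.`. In the same block the 512-bit `ctx->short_rsa` export key is still generated even though the RC4-40 export suite that would use it has just been removed; unless other export suites remain in the list, that key generation is now wasted work on every certificate reload and could be dropped or made conditional on the same `ALLOW_WEAK_SSL` switch. certificates_changed() continues outside the hunk.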
Roxen.git/server/base_server/roxen.pike:2402:    //dsa->use_random(ctx->random);    ctx->dsa = dsa;    /* Use default DH parameters */   #if constant(SSL.Cipher)    ctx->dh_params = SSL.Cipher.DHParameters();   #else    ctx->dh_params = SSL.cipher()->dh_parameters();   #endif       ctx->dhe_dss_mode(); +  filter_preferred_suites();       // FIXME: Add cert <-> private key check.       ctx->certificates = certificates;    }    else    CERT_ERROR (KeyFile, LOC_M(17,"No private key found.\n"));      #if EXPORT    ctx->export_mode();
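Review bot: The filter runs after `ctx->dhe_dss_mode()` but before the `#if EXPORT` branch calls `ctx->export_mode()` a few lines further down; if export_mode() rebuilds or extends `preferred_suites` (not visible here), the export suites just removed by `filter_preferred_suites()` are restored in export builds. The same applies to the call placed after `rsa_mode()` in the earlier hunk, since both paths fall through to that `#if EXPORT` block. Calling the filter once after the export-mode setup, or additionally there, would keep the policy in effect for both build variants. certificates_changed() starts outside the hunk.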
Roxen.git/server/base_server/roxen.pike:2464:    {    // Don't bind if we don't have correct certs.    if (!ctx->certificates) return;    ::bind (ignore_eaddrinuse);    }       void create(int pn, string i, void|int ignore_eaddrinuse)    {    ctx->random = Crypto.Random.random_string;    +  filter_preferred_suites(); +     set_up_ssl_variables( this_object() );       ::setup(pn, i);       certificates_changed (0, ignore_eaddrinuse);       // Install the change callbacks here to avoid duplicate calls    // above.    // FIXME: Both variables ought to be updated on save before the    // changed callback is called. Currently you can get warnings
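Review bot: In `create()` the filter is applied before `certificates_changed()`, which in this same commit re-applies it after each `rsa_mode()`/`dhe_dss_mode()` switch, so this early call only matters for the path where certificates_changed() returns through CERT_ERROR without selecting a mode, and `bind()` above refuses to bind without certificates anyway; whether it is needed at all should be stated, e.g. `// Filter before any mode is selected so the default suite list is never the unfiltered one, even if no key is loaded.`. If the intent is instead to cover a later call that changes the suite list without going through certificates_changed(), name that caller in the comment. create() continues outside the hunk.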