Roxen.git / server / base_server / roxen.pike


Roxen.git/server/base_server/roxen.pike:2312:    array args = ({ARGS}); \    if (sizeof (args)) msg = sprintf (msg, @args); \    report_error ("TLS port %s: %s", get_url(), msg); \    (VAR)->add_warning (msg); \    cert_err_unbind(); \    cert_failure = 1; \    return; \    } while (0)      #if constant(SSL.Constants.PROTOCOL_TLS_MAX) -  protected void set_version() +  protected void set_version(SSLContext|void ctx)    { -  +  if (!ctx) ctx = this_program::ctx;    ctx->min_version = query("ssl_min_version");    }   #endif    -  protected void filter_preferred_suites() +  protected void filter_preferred_suites(SSLContext|void ctx)    { -  +  if (!ctx) ctx = this_program::ctx;   #if constant(SSL.ServerConnection)    int mode = query("ssl_suite_filter");    int bits = query("ssl_key_bits");       /* Suite filter encoding:    *    * Bit Mask Meaning    * 0 1 Strict suite B    * 1 2 Transitional suite B    * 2 4 Ephemeral only
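Review bot: The new optional `ctx` argument on `set_version` and `filter_preferred_suites` is undocumented, and the reason it exists (configuring a context that is not yet installed as the port's live `ctx`) is only visible at the call site in `certificates_changed`. A short autodoc line above each, e.g. `//! @param ctx Context to configure; defaults to this port's live ctx.`, would make the contract explicit to the next caller. `filter_preferred_suites` continues past the end of this hunk.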
Roxen.git/server/base_server/roxen.pike:2376: Inside #if constant(SSL.ServerConnection)
   // Transitional mode.    ctx->configure_suite_b(bits, 1);    break;    default:    ctx->configure_suite_b(bits);    break;    }    suites = ctx->preferred_suites;       if (ctx->min_version < query("ssl_min_version")) { -  set_version(); +  set_version(ctx);    }    } else {    suites = ctx->get_suites(bits, 1);       // Make sure the min version is restored in case we've    // switched from Suite B. -  set_version(); +  set_version(ctx);    }    if (mode & 4) {    // Ephemeral suites only.    suites = filter(suites,    lambda(int suite) {    return (<    SSL.Constants.KE_dhe_dss,    SSL.Constants.KE_dhe_rsa,    SSL.Constants.KE_ecdhe_ecdsa,    SSL.Constants.KE_ecdhe_rsa,
Roxen.git/server/base_server/roxen.pike:2472:    report_error ("TLS port %s: %s", get_url(),    LOC_M(63,"No certificates found.\n"));    cert_err_unbind();    cert_failure = 1;    return;    }    }       // FIXME: Only do this if there are certs loaded?    // We must reset the set of certificates. -  // NB: Race condition here where the new SSLContext is -  // live before it has been configured completely. -  ctx = SSLContext(); -  set_version(); -  filter_preferred_suites(); +  SSLContext ctx = SSLContext(); +  ctx->random = Crypto.Random.random_string; +  set_version(ctx); +  filter_preferred_suites(ctx);       foreach(keypairs, int keypair_id) {    array(Crypto.Sign.State|array(string)) keypair =    CertDB.get_keypair(keypair_id);    if (!keypair) continue;       [Crypto.Sign.State private_key, array(string) certs] = keypair;    ctx->add_cert(private_key, certs, ({ name, "*" }));    }   
Roxen.git/server/base_server/roxen.pike:2500: Inside #if 0
   CERT_ERROR(Certificates,    LOC_M(71,"No matching keys and certificates found.\n"));    report_error ("TLS port %s: %s", get_url(),    LOC_M(71,"No matching keys and certificates found.\n"));    cert_err_unbind();    cert_failure = 1;    return;    }   #endif    +  this_program::ctx = ctx; +     if (!bound) {    bind (ignore_eaddrinuse);    if (old_cert_failure && bound)    report_notice (LOC_M(64, "TLS port %s opened.\n"), get_url());    if (!bound)    report_notice("Failed to bind port %s.\n", get_url());    }    }       class CertificateKeyChoiceVariable
Roxen.git/server/base_server/roxen.pike:2785:    {    ctx->random = Crypto.Random.random_string;       set_up_ssl_variables( this_object() );       // NB: setup() calls restore() which initializes the variables    // created above.    ::setup(pn, i);      #if constant(SSL.Constants.PROTOCOL_TLS_MAX) -  set_version(); +  set_version(ctx);   #endif    -  filter_preferred_suites(); +  filter_preferred_suites(ctx);       certificates_changed (0, ignore_eaddrinuse);       // Install the change callbacks here to avoid duplicate calls    // above.    // FIXME: Both variables ought to be updated on save before the    // changed callback is called. Currently you can get warnings    // that the files don't match if you update both variables    // at the same time.    getvar ("ssl_keys")->set_changed_callback(certificates_changed);
Roxen.git/server/base_server/roxen.pike:6429: Inside #if defined(SSL3_DEBUG)
   foreach(glob(base, paths), string fname) {   #ifdef SSL3_DEBUG    werror("Found PEM file %O, matching %O.\n",    Stdio.append_path(dir, fname), glob_pattern);   #endif    CertDB.register_pem_file(Stdio.append_path(dir, fname));    }    }    }    } -  CertDB.refresh_all_pem_files(force); +  +  if (CertDB.refresh_all_pem_files(force)) { +  +  // Update all open SSL/TLS ports with the new certificates. +  foreach(open_ports || ([]); ; mapping(string:mapping(int:Protocol)) ips) { +  foreach(ips || ([]); ; mapping(int:Protocol) ports) { +  foreach(ports || ([]); ; Protocol prot) { +  if (prot->certificates_changed) { +  prot->certificates_changed(UNDEFINED, !prot->bound);    } -  +  } +  } +  } +  } + }      protected BackgroundProcess scan_certs_process;      // Start a background process that scan for new certs every 10 minutes.   protected void start_scan_certs()   {    if (scan_certs_process) return;       scan_certs_process = BackgroundProcess(600, scan_certs);   }
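Review bot: `prot->certificates_changed` is indexed for every value in `ports`, and `ports || ([])` only guards against a missing mapping, not a 0 entry inside it; if a port slot can hold 0 while a port is being torn down, this throws inside the background scan. `if (prot && prot->certificates_changed)` would cover that case. Note also that `certificates_changed` rebuilds the SSL context and may call `bind` for unbound ports, so a persistent failure there now surfaces from the periodic `scan_certs` process every 10 minutes rather than once at startup; a log line naming the scan as the trigger would help when reading those errors. The enclosing function starts outside this hunk.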