Diffstat (limited to 'src/network.c')
-rw-r--r--src/network.c28
1 files changed, 23 insertions, 5 deletions
diff --git a/src/network.c b/src/network.c
index f59f60d..395dfae 100644
--- a/src/network.c
+++ b/src/network.c
@@ -25,7 +25,9 @@
# include <openssl/ssl.h>
# include <openssl/err.h>
# include <openssl/rand.h>
-# include <openssl/dh.h>
+# ifndef OPENSSL_NO_DH
+# include <openssl/dh.h>
+# endif
# include <openssl/bn.h>
# if OPENSSL_VERSION_NUMBER >= 0x0090800fL
@@ -42,8 +44,6 @@ static void ssl_info_callback(const SSL *ssl, int where, int ret) {
if (0 != (where & SSL_CB_HANDSHAKE_START)) {
connection *con = SSL_get_app_data(ssl);
++con->renegotiations;
- } else if (0 != (where & SSL_CB_HANDSHAKE_DONE)) {
- ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
}
}
#endif
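Review bot: With the HANDSHAKE_DONE branch gone, the renegotiation counter on the HANDSHAKE_START path is the only logic left in this callback, and it dereferences `SSL_get_app_data(ssl)` without a NULL check; if the callback can fire for an SSL object whose app data has not been set yet (I cannot tell from this hunk where `SSL_set_app_data` is called), `++con->renegotiations` is a NULL dereference. A one-line guard, `if (NULL == con) return;`, between the lookup and the increment costs nothing and keeps the handshake path from crashing on that ordering. The enclosing function `ssl_info_callback` starts outside the hunk (its signature is only visible in the `@@` header), and the code that reads `con->renegotiations` to enforce a limit is not in this diff, so the commit message should say where the counter is checked.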
@@ -389,7 +389,7 @@ static int network_server_init(server *srv, buffer *host_token, specific_config
goto error_free_socket;
}
- if (s->is_ssl) {
+ if (s->ssl_enabled) {
#ifdef USE_OPENSSL
if (NULL == (srv_socket->ssl_ctx = s->ssl_ctx)) {
log_error_write(srv, __FILE__, __LINE__, "s", "ssl.pemfile has to be set");
@@ -423,7 +423,7 @@ static int network_server_init(server *srv, buffer *host_token, specific_config
#endif
}
- srv_socket->is_ssl = s->is_ssl;
+ srv_socket->is_ssl = s->ssl_enabled;
if (srv->srv_sockets.size == 0) {
srv->srv_sockets.size = 4;
@@ -505,7 +505,9 @@ int network_init(server *srv) {
#endif
#ifdef USE_OPENSSL
+# ifndef OPENSSL_NO_DH
DH *dh;
+# endif
BIO *bio;
/* 1024-bit MODP Group with 160-bit prime order subgroup (RFC5114)
@@ -611,6 +613,16 @@ int network_init(server *srv) {
return -1;
}
+ if (s->ssl_empty_fragments) {
+#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
+ ssloptions &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+#else
+ ssloptions &= ~0x00000800L; /* hardcode constant */
+ log_error_write(srv, __FILE__, __LINE__, "ss", "WARNING: SSL:",
+ "'insert empty fragments' not supported by the openssl version used to compile lighttpd with");
+#endif
+ }
+
SSL_CTX_set_options(s->ssl_ctx, ssloptions);
SSL_CTX_set_info_callback(s->ssl_ctx, ssl_info_callback);
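Review bot: The `#else` branch clears the hard-coded bit `0x00000800L` from `ssloptions` precisely when the OpenSSL headers in use do not define `SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS`, so the meaning of that bit in such a build is unknown: it is either unused, or in another release assigned to a different option, in which case the mask silently turns off something unrelated. Since the adjacent `log_error_write` already tells the operator the setting is unsupported, the safer form is to drop the mask and keep only the warning, i.e. replace `ssloptions &= ~0x00000800L; /* hardcode constant */` with `/* this OpenSSL does not know the option: nothing to clear, only warn */`. The `#ifdef` branch is the one that matters: per the OpenSSL option documentation, clearing `SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS` re-enables the empty-fragment countermeasure for CBC cipher suites, which is presumably what the new `ssl_empty_fragments` field is for, and a short comment saying so above the `if` would help the next reader. `ssloptions` is declared and initialised outside this hunk, and `network_init` continues beyond it.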
@@ -645,6 +657,7 @@ int network_init(server *srv) {
}
}
+#ifndef OPENSSL_NO_DH
/* Support for Diffie-Hellman key exchange */
if (!buffer_is_empty(s->ssl_dh_file)) {
/* DH parameters from file */
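Review bot: The new `#ifndef OPENSSL_NO_DH` guard opened here (closed by the `#else`/`#endif` in the following hunk) compiles out the whole Diffie-Hellman block, but the earlier hunk at line 54 guards only `DH *dh;` and leaves `BIO *bio;` outside the guard; if `bio` is referenced only inside this DH block, as the "DH parameters from file" path suggests, an `OPENSSL_NO_DH` build will get an unused-variable warning (a hard error under `-Werror`), and the same likely applies to the embedded RFC5114 parameter arrays that only `DH_new`/`DH_set` paths consume. The fix is to move the `# ifndef OPENSSL_NO_DH` in that hunk so it wraps both declarations, `DH *dh;` and `BIO *bio;`, and to wrap the parameter arrays the same way. Separately, the `#else` fallback in the next hunk only logs when `ssl_dh_file` is set, so a build without DH that relies on the default parameters loses DHE key exchange silently; a one-time notice in that branch, e.g. `log_error_write(srv, __FILE__, __LINE__, "s", "SSL: openssl compiled without DH support, DHE cipher suites unavailable");`, would make that visible to the operator. `network_init` starts and ends outside this hunk.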
@@ -678,6 +691,11 @@ int network_init(server *srv) {
SSL_CTX_set_tmp_dh(s->ssl_ctx,dh);
SSL_CTX_set_options(s->ssl_ctx,SSL_OP_SINGLE_DH_USE);
DH_free(dh);
+#else
+ if (!buffer_is_empty(s->ssl_dh_file)) {
+ log_error_write(srv, __FILE__, __LINE__, "ss", "SSL: openssl compiled without DH support, can't load parameters from", s->ssl_dh_file->ptr);
+ }
+#endif
#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
#ifndef OPENSSL_NO_ECDH