#define CERTIFICATE_AUTHORITY_KEY "keyid:always"
#define CERTIFICATE_ALT_NAME_PREFIX "DNS:"
#define CERTIFICATE_VERSION 2
-#define VALID_DATETIME_FMT "%Y%m%d%H%M%SZ"
+#define VALID_DATETIME_FMT "%y%m%d%H%M%SZ"
#define VALID_DATETIME_BUFLEN 16
static int generate_webpage_certificate(struct client_state *csp);
extern int ssl_send_data(struct ssl_attr *ssl_attr, const unsigned char *buf, size_t len)
{
BIO *bio = ssl_attr->openssl_attr.bio;
+ SSL *ssl;
int ret = 0;
int pos = 0; /* Position of unsent part in buffer */
+ int fd = -1;
if (len == 0)
{
return 0;
}
+ if (BIO_get_ssl(bio, &ssl) == 1)
+ {
+ fd = SSL_get_fd(ssl);
+ }
+
while (pos < len)
{
int send_len = (int)len - pos;
- log_error(LOG_LEVEL_WRITING, "TLS: %N", send_len, buf+pos);
+ log_error(LOG_LEVEL_WRITING, "TLS on socket %d: %N",
+ fd, send_len, buf+pos);
/*
* Sending one part of the buffer
if (!BIO_should_retry(bio))
{
log_ssl_errors(LOG_LEVEL_ERROR,
- "Sending data over TLS/SSL failed");
+ "Sending data on socket %d over TLS/SSL failed", fd);
return -1;
}
}
extern int ssl_recv_data(struct ssl_attr *ssl_attr, unsigned char *buf, size_t max_length)
{
BIO *bio = ssl_attr->openssl_attr.bio;
+ SSL *ssl;
int ret = 0;
+ int fd = -1;
+
memset(buf, 0, max_length);
/*
if (ret < 0)
{
log_ssl_errors(LOG_LEVEL_ERROR,
- "Receiving data over TLS/SSL failed");
+ "Receiving data on socket %d over TLS/SSL failed", fd);
return -1;
}
- log_error(LOG_LEVEL_RECEIVED, "TLS: %N", ret, buf);
+ if (BIO_get_ssl(bio, &ssl) == 1)
+ {
+ fd = SSL_get_fd(ssl);
+ }
+
+ log_error(LOG_LEVEL_RECEIVED, "TLS from socket %d: %N",
+ fd, ret, buf);
return ret;
}
}
else
{
+ int i;
if (bs->type == V_ASN1_NEG_INTEGER)
{
if (BIO_puts(bio, " (Negative)") < 0)
goto exit;
}
}
- for (int i = 0; i < bs->length; i++)
+ for (i = 0; i < bs->length; i++)
{
if (BIO_printf(bio, "%02x%c", bs->data[i],
((i + 1 == bs->length) ? '\n' : ':')) <= 0)
BIO_write(bio, &zero, 1);
len = BIO_get_mem_data(bio, &bio_mem_data);
+ if (len <= 0)
+ {
+ log_error(LOG_LEVEL_ERROR, "BIO_get_mem_data() returned %d "
+ "while gathering certificate information", len);
+ ret = -1;
+ goto exit;
+ }
encoded_text = html_encode(bio_mem_data);
if (encoded_text == NULL)
{
struct ssl_attr *ssl_attr = &csp->ssl_client_attr;
/* Paths to certificates file and key file */
char *key_file = NULL;
- char *ca_file = NULL;
char *cert_file = NULL;
int ret = 0;
SSL *ssl;
/*
* Preparing paths to certificates files and key file
*/
- ca_file = csp->config->ca_cert_file;
cert_file = make_certs_path(csp->config->certificate_directory,
(const char *)csp->http->hash_of_host_hex, CERT_FILE_TYPE);
key_file = make_certs_path(csp->config->certificate_directory,
goto exit;
}
+ if (csp->config->cipher_list != NULL)
+ {
+ if (!SSL_set_cipher_list(ssl, csp->config->cipher_list))
+ {
+ log_ssl_errors(LOG_LEVEL_ERROR,
+ "Setting the cipher list '%s' for the client connection failed",
+ csp->config->cipher_list);
+ ret = -1;
+ goto exit;
+ }
+ }
+
/*
* Handshake with client
*/
goto exit;
}
+ if (csp->config->cipher_list != NULL)
+ {
+ if (!SSL_set_cipher_list(ssl, csp->config->cipher_list))
+ {
+ log_ssl_errors(LOG_LEVEL_ERROR,
+ "Setting the cipher list '%s' for the server connection failed",
+ csp->config->cipher_list);
+ ret = -1;
+ goto exit;
+ }
+ }
+
/*
* Set the hostname to check against the received server certificate
*/
chain = SSL_get_peer_cert_chain(ssl);
if (chain)
{
- for (int i = 0; i < sk_X509_num(chain); i++)
+ int i;
+ for (i = 0; i < sk_X509_num(chain); i++)
{
if (ssl_store_cert(csp, sk_X509_value(chain, i)) != 0)
{
{
log_ssl_errors(LOG_LEVEL_ERROR,
"Error checking certificate %s validity", cert_file);
+ ret = -1;
}
X509_free(cert);
}
}
+ if (file_exists(cert_opt.output_file) == 0 &&
+ file_exists(cert_opt.subject_key) == 1)
+ {
+ log_error(LOG_LEVEL_ERROR,
+ "A website key already exists but there's no matching certificate. "
+ "Removing %s before creating a new key and certificate.",
+ cert_opt.subject_key);
+ if (unlink(cert_opt.subject_key))
+ {
+ log_error(LOG_LEVEL_ERROR, "Failed to unlink %s: %E",
+ cert_opt.subject_key);
+
+ freez(cert_opt.output_file);
+ freez(cert_opt.subject_key);
+
+ return -1;
+ }
+ }
+
/*
* Create key for requested host
*/
projects / privoxy.git / blobdiff