path: root/src/tls.c
Commit log (subject, author, date, files changed, lines removed/added):

* Create certificates which last 68 years (INT32_MAX seconds)
  Thomas Karpiniec, 2021-05-16, 1 file, -1/+2
  This avoids integer overflow on 32-bit architectures.

* Fix integer overflow error in tls.c
  bacardi55, 2021-03-24, 1 file, -1/+1

* Move certificate expiration into the far future
  Drew DeVault, 2021-03-04, 1 file, -1/+1

* Send client certificate hash for CGI scripts.
  nytpu, 2021-02-11, 1 file, -0/+11
  Set SSL_VERIFY_PEER to request a client certificate from the server, when available. Have to shim the certificate verification function or else it will fail on self-signed client certs. In serve_cgi retrieve the client certificate, create a fingerprint, and set the proper environment variables. It's pretty barebones; it doesn't parse the certificate to give any other useful info like the common name, but it's acceptable IMO. For most CGI uses the fingerprint is the only thing that is needed anyway.

* Use v3 X509 certificate
  Matt Keeter, 2021-02-05, 1 file, -1/+14
  This fixes an issue where rustls failed to validate the X509v1 certificate. Tested with Amfora, av-98, and titan (https://github.com/mkeeter/titan). This requires fresh certificates, which could break clients with strict trust-on-first-use policies; unfortunately, it doesn't appear to be possible to migrate v1 certificates to v3.

* Switch to using ECDSA (secp384r1) keys
  Mark Dain, 2020-11-21, 1 file, -9/+4

* tls: fix crash when opening priv key for writing
  William Casarin, 2020-11-08, 1 file, -1/+1
  The open syscall will return a negative value if the call fails. Switch the check to look for this instead of 0.

  before:
    [gmnisrv] generating certificate for localhost
    gmnisrv: src/tls.c:68: tls_host_gencert: Assertion `pf' failed.
    abort (core dumped)  ./gmnisrv -C config.ini

  after:
    [gmnisrv] generating certificate for localhost
    [gmnisrv] opening private key for writing failed: No such file or directory
    [gmnisrv] TLS initialization failed

  Signed-off-by: William Casarin <jb55@jb55.com>

* Overhaul network I/O to be async for real
  Drew DeVault, 2020-10-25, 1 file, -10/+23
  Had to totally cut off OpenSSL from the network fd because obviously OpenSSL is just going to wreck our shit.

* Free up resources throughout
  Drew DeVault, 2020-09-26, 1 file, -3/+13

* Implement TLS exchange with clients
  Drew DeVault, 2020-09-24, 1 file, -3/+29
  This probably leaves a bit to be desired, tbh.

* tls: move cert/key into host structure
  Drew DeVault, 2020-09-24, 1 file, -9/+4
  We'll later want to set these on the SSL object (rather than SSL_CTX), so move these into the host struct for later access. We'll prefer to set it on the SSL object so that we can automatically use an up-to-date certificate, per ~sircmpwn/gmni#26.

* Implement TLS store
  Drew DeVault, 2020-09-24, 1 file, -0/+176
  Includes hands-free certificate generation and loading.