diff options
Diffstat (limited to 'tcpd')
| -rw-r--r-- | tcpd/libcouriertls.c | 43 |
1 files changed, 39 insertions, 4 deletions
diff --git a/tcpd/libcouriertls.c b/tcpd/libcouriertls.c index 3ab335e..81ef3e2 100644 --- a/tcpd/libcouriertls.c +++ b/tcpd/libcouriertls.c @@ -488,6 +488,9 @@ static int client_cert_cb(ssl_handle ssl, X509 **x509, EVP_PKEY **pkey) return rc; } +static SSL_CTX *tls_create_int(int isserver, const struct tls_info *info, + int internal); + static int server_cert_cb(ssl_handle ssl, int *ad, void *arg) { #ifdef HAVE_OPENSSL_SNI @@ -522,15 +525,42 @@ static int server_cert_cb(ssl_handle ssl, int *ad, void *arg) } if (access(buffer, R_OK) == 0) - read_certfile(SSL_get_SSL_CTX(ssl), buffer, &cert_file_flags); + { + SSL_CTX *orig_ctx=SSL_get_SSL_CTX(ssl); + SSL_CTX *temp_ctx=tls_create_int(1, info, 1); + int rc; + if (!temp_ctx) + { + (*info->tls_err_msg)("Cannot load certificate file", + info->app_data); + exit(1); + } + SSL_set_SSL_CTX(ssl, temp_ctx); + rc=read_certfile(orig_ctx, buffer, &cert_file_flags); + SSL_set_SSL_CTX(ssl, orig_ctx); + tls_destroy(temp_ctx); + if (!rc) + { + (*info->tls_err_msg)("Cannot load certificate file", + info->app_data); + exit(1); + } + } free(buffer); + #endif return SSL_TLSEXT_ERR_OK; } SSL_CTX *tls_create(int isserver, const struct tls_info *info) { + return tls_create_int(isserver, info, 0); +} + +SSL_CTX *tls_create_int(int isserver, const struct tls_info *info, + int internal) +{ SSL_CTX *ctx; const char *protocol=safe_getenv(info, "TLS_PROTOCOL"); const char *ssl_cipher_list=safe_getenv(info, "TLS_CIPHER_LIST"); @@ -644,8 +674,15 @@ SSL_CTX *tls_create(int isserver, const struct tls_info *info) #endif #endif info_copy->tlscache=NULL; - init_session_cache(info_copy, ctx); + if (internal) + { + SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); + } + else + { + init_session_cache(info_copy, ctx); + } s = safe_getenv(info, "TCPLOCALIP"); @@ -662,8 +699,6 @@ SSL_CTX *tls_create(int isserver, const struct tls_info *info) return (NULL); } - SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_BOTH); - n=atoi(safe_getenv(info, "TLS_INTCACHESIZE")); if (n > 0) |