changeset 10225:67b88d1a12f2 HEAD
*-login: Added support for TLS SNI.
author | Timo Sirainen <tss@iki.fi> |
---|---|
date | Wed, 28 Oct 2009 21:20:46 -0400 |
parents | 3f1c47797dee |
children | e5bd42b8c2f0 |
files | src/login-common/login-settings.c src/login-common/login-settings.h src/login-common/main.c src/login-common/ssl-proxy-openssl.c |
diffstat | 4 files changed, 46 insertions(+), 5 deletions(-) [+] |
--- a/src/login-common/login-settings.c Wed Oct 28 21:17:53 2009 -0400
+++ b/src/login-common/login-settings.c Wed Oct 28 21:20:46 2009 -0400
@@ -185,6 +185,7 @@ login_settings_read(struct master_service *service, pool_t pool, const struct ip_addr *local_ip, const struct ip_addr *remote_ip, + const char *local_host, void ***other_settings_r) { struct master_service_settings_input input;
@@ -196,6 +197,7 @@ input.roots = login_set_roots; input.module = login_process_name; input.service = login_protocol; + input.local_host = local_host; if (local_ip != NULL) input.local_ip = *local_ip;
--- a/src/login-common/login-settings.h Wed Oct 28 21:17:53 2009 -0400
+++ b/src/login-common/login-settings.h Wed Oct 28 21:20:46 2009 -0400
@@ -39,6 +39,7 @@ login_settings_read(struct master_service *service, pool_t pool, const struct ip_addr *local_ip, const struct ip_addr *remote_ip, + const char *local_host, void ***other_settings_r); #endif
--- a/src/login-common/main.c Wed Oct 28 21:17:53 2009 -0400
+++ b/src/login-common/main.c Wed Oct 28 21:20:46 2009 -0400
@@ -72,7 +72,7 @@ pool = pool_alloconly_create("login client", 3*1024); set = login_settings_read(master_service, pool, &local_ip, - &conn->remote_ip, &other_sets); + &conn->remote_ip, NULL, &other_sets); if (!ssl_connections && !conn->ssl) { client = client_create(conn->fd, FALSE, pool, set, other_sets,
@@ -224,7 +224,7 @@ set_pool = pool_alloconly_create("global login settings", 4096); global_login_settings = - login_settings_read(master_service, set_pool, NULL, NULL, + login_settings_read(master_service, set_pool, NULL, NULL, NULL, &global_other_settings); /* main_preinit() needs to know the client limit, which is set by
--- a/src/login-common/ssl-proxy-openssl.c Wed Oct 28 21:17:53 2009 -0400
+++ b/src/login-common/ssl-proxy-openssl.c Wed Oct 28 21:20:46 2009 -0400
@@ -590,9 +590,8 @@ return sfd[1]; } -int ssl_proxy_alloc(int fd, const struct ip_addr *ip, - const struct login_settings *set, - struct ssl_proxy **proxy_r) +static struct ssl_server_context * +ssl_server_context_get(const struct login_settings *set) { struct ssl_server_context *ctx, lookup_ctx;
@@ -606,7 +605,16 @@ ctx = hash_table_lookup(ssl_servers, &lookup_ctx); if (ctx == NULL) ctx = ssl_server_context_init(set); + return ctx; +} +int ssl_proxy_alloc(int fd, const struct ip_addr *ip, + const struct login_settings *set, + struct ssl_proxy **proxy_r) +{ + struct ssl_server_context *ctx; + + ctx = ssl_server_context_get(set); return ssl_proxy_alloc_common(ctx->ctx, fd, ip, set, proxy_r); }
@@ -1007,6 +1015,28 @@ return ret; } +#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME +static void ssl_servername_callback(SSL *ssl, int *al ATTR_UNUSED, + void *context ATTR_UNUSED) +{ + struct ssl_server_context *ctx; + struct ssl_proxy *proxy; + struct client *client; + const char *host; + void **other_sets; + + proxy = SSL_get_ex_data(ssl, extdata_index); + host = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name); + + client = proxy->client; + client->set = login_settings_read(master_service, client->pool, + &client->local_ip, &client->ip, host, + &other_sets); + ctx = ssl_server_context_get(client->set); + SSL_set_SSL_CTX(ssl, ctx->ctx); +} +#endif + static struct ssl_server_context * ssl_server_context_init(const struct login_settings *set) {
@@ -1038,6 +1068,14 @@ ssl_proxy_get_use_certificate_error(ctx->cert)); } +#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME + if (SSL_CTX_set_tlsext_servername_callback(ctx->ctx, + ssl_servername_callback) != 1) { + if (set->verbose_ssl) + i_debug("OpenSSL library doesn't support SNI"); + } +#endif + ssl_proxy_ctx_use_key(ctx->ctx, set); SSL_CTX_set_info_callback(ctx->ctx, ssl_info_callback);
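Review bot: `ssl_servername_callback` in the third hunk is declared `static void`, but the callback installed with `SSL_CTX_set_tlsext_servername_callback` has the signature `int (*)(SSL *, int *, void *)` and OpenSSL inspects its return value (`SSL_TLSEXT_ERR_OK`, `SSL_TLSEXT_ERR_NOACK`, ...); the macro casts through a generic function pointer, so the compiler cannot flag the mismatch and the library reads an unspecified return value. Change the definition to `static int ssl_servername_callback(SSL *ssl, int *al ATTR_UNUSED, void *context ATTR_UNUSED)` and finish the body with `return SSL_TLSEXT_ERR_OK;`. The callback also discards the `other_sets` that `login_settings_read` fills in, so if the client keeps the per-protocol settings it received in `client_create` (as the main.c hunk suggests), those stay paired with the old `set` while `client->set` is replaced — confirm whether they need to be reattached too. `SSL_get_servername` returns NULL when no SNI extension was sent, which matches the NULL main.c passes and looks intended, but `proxy->client` is dereferenced unconditionally, so this relies on `ssl_proxy_alloc_common` (outside the hunk) always having set the ex-data and `client` before the handshake starts — presumably true, worth a comment. `host` is client-controlled input used as a settings lookup key via `input.local_host`; whatever that lookup does with it should treat the string as untrusted (length and character set), which is not visible in this hunk.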