# HG changeset patch
# User Timo Sirainen <tss@iki.fi>
# Date 1055373973 -10800
# Node ID ac6ee442376d482c4aeecce2f89606c5009566bd
# Parent  7ac153f219497d3ab96faef45587526c32ebe737
OpenSSL proxy changes - hopefully fixes something. Also don't crash with
"key not found from hash" if SSL handshake fails.

diff -r 7ac153f21949 -r ac6ee442376d src/login-common/ssl-proxy-gnutls.c
--- a/src/login-common/ssl-proxy-gnutls.c	Thu Jun 05 02:00:44 2003 +0300
+++ b/src/login-common/ssl-proxy-gnutls.c	Thu Jun 12 02:26:13 2003 +0300
@@ -333,6 +333,8 @@
 	proxy->fd_plain = sfd[0];
 	proxy->ip = *ip;
 
+	hash_insert(ssl_proxies, proxy, proxy);
+
 	proxy->refcount++;
 	ssl_handshake(proxy);
 	if (!ssl_proxy_destroy(proxy)) {
@@ -342,7 +344,6 @@
 	}
 
         main_ref();
-	hash_insert(ssl_proxies, proxy, proxy);
 	return sfd[1];
 }
 
diff -r 7ac153f21949 -r ac6ee442376d src/login-common/ssl-proxy-openssl.c
--- a/src/login-common/ssl-proxy-openssl.c	Thu Jun 05 02:00:44 2003 +0300
+++ b/src/login-common/ssl-proxy-openssl.c	Thu Jun 12 02:26:13 2003 +0300
@@ -14,6 +14,8 @@
 #include <openssl/ssl.h>
 #include <openssl/err.h>
 
+#define SSL_CIPHER_LIST "ALL:!LOW"
+
 enum ssl_io_action {
 	SSL_ADD_INPUT,
 	SSL_REMOVE_INPUT,
@@ -320,7 +322,6 @@
 		return -1;
 	}
 
-	SSL_set_accept_state(ssl);
 	if (SSL_set_fd(ssl, fd) != 1) {
 		i_error("SSL_set_fd() failed: %s", ssl_last_error());
 		SSL_free(ssl);
@@ -344,6 +345,8 @@
 	proxy->fd_plain = sfd[0];
 	proxy->ip = *ip;
 
+	hash_insert(ssl_proxies, proxy, proxy);
+
 	proxy->refcount++;
 	ssl_handshake(proxy);
 	if (!ssl_proxy_unref(proxy)) {
@@ -353,7 +356,6 @@
 	}
 
         main_ref();
-	hash_insert(ssl_proxies, proxy, proxy);
 	return sfd[1];
 }
 
@@ -401,7 +403,6 @@
 void ssl_proxy_init(void)
 {
 	const char *certfile, *keyfile, *paramfile;
-	int ret;
 
 	certfile = getenv("SSL_CERT_FILE");
 	keyfile = getenv("SSL_KEY_FILE");
@@ -418,14 +419,20 @@
 	if ((ssl_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL)
 		i_fatal("SSL_CTX_new() failed");
 
-        ret = SSL_CTX_use_certificate_chain_file(ssl_ctx, certfile);
-	if (ret != 1) {
+	SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL);
+
+	if (SSL_CTX_set_cipher_list(ssl_ctx, SSL_CIPHER_LIST) != 1) {
+		i_fatal("Can't set cipher list to '%s': %s",
+			SSL_CIPHER_LIST, ssl_last_error());
+	}
+
+	if (SSL_CTX_use_certificate_chain_file(ssl_ctx, certfile) != 1) {
 		i_fatal("Can't load certificate file %s: %s",
 			certfile, ssl_last_error());
 	}
 
-	ret = SSL_CTX_use_PrivateKey_file(ssl_ctx, keyfile, SSL_FILETYPE_PEM);
-	if (ret != 1) {
+	if (SSL_CTX_use_RSAPrivateKey_file(ssl_ctx, keyfile,
+					   SSL_FILETYPE_PEM) != 1) {
 		i_fatal("Can't load private key file %s: %s",
 			keyfile, ssl_last_error());
 	}