author | Theo Buehler <tb@cvs.openbsd.org> | 2020-10-11 03:21:45 +0000 |
---|---|---|
committer | Theo Buehler <tb@cvs.openbsd.org> | 2020-10-11 03:21:45 +0000 |
commit | 0faf9979b4e01899ed33a60ace9f05afb9a253ec (patch) | |
tree | 747ceb4ddbf7a5b24c8832be23a67d3bfebffb73 /usr.sbin | |
parent | e7ca9f38dc7b40ebabb88b7a406942e5065af423 (diff) |
Handle absence of TLS certs while parsing the config
There is a soft fail mechanism to handle missing certs for seamless
interaction with acme-client. Move this to the config parser. This is
simpler than server.c r1.117 and avoids a crash due to listening on
port 443 without having set up the TLS context first. More precisely,
the crash happens if a server with missing certificate is visited via
https in a configuration where there is a second server with valid
certificate and key.
From Joshua Sing (joshua at hypera dot dev)
ok benno
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/httpd/parse.y | 11 | ||||
-rw-r--r-- | usr.sbin/httpd/server.c | 15 |
2 files changed, 11 insertions, 15 deletions
diff --git a/usr.sbin/httpd/parse.y b/usr.sbin/httpd/parse.y
index 6b911ad4f88..d0195148619 100644
--- a/usr.sbin/httpd/parse.y
+++ b/usr.sbin/httpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.117 2020/08/26 06:50:20 florian Exp $ */
+/* $OpenBSD: parse.y,v 1.118 2020/10/11 03:21:44 tb Exp $ */
 /*
  * Copyright (c) 2007 - 2015 Reyk Floeter <reyk@openbsd.org>
@@ -355,10 +355,17 @@ server : SERVER optmatch STRING {
 YYERROR;
 }
- if (server_tls_load_keypair(srv) == -1)
+ if (server_tls_load_keypair(srv) == -1) {
+ /* Soft fail as there may be no certificate. */
 log_warnx("%s:%d: server \"%s\": failed to "
 "load public/private keys", file->name,
 yylval.lineno, srv->srv_conf.name);
+ serverconfig_free(srv_conf);
+ srv_conf = NULL;
+ free(srv);
+ srv = NULL;
+ break;
+ }
 if (server_tls_load_ca(srv) == -1) {
 yyerror("server \"%s\": failed to load "
diff --git a/usr.sbin/httpd/server.c b/usr.sbin/httpd/server.c
index a16b5181117..a624a056977 100644
--- a/usr.sbin/httpd/server.c
+++ b/usr.sbin/httpd/server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: server.c,v 1.120 2019/10/14 11:07:08 florian Exp $ */
+/* $OpenBSD: server.c,v 1.121 2020/10/11 03:21:44 tb Exp $ */
 /*
  * Copyright (c) 2006 - 2015 Reyk Floeter <reyk@openbsd.org>
@@ -119,13 +119,6 @@ server_privinit(struct server *srv)
 }
 /* Open listening socket in the privileged process */
- if ((srv->srv_conf.flags & SRVFLAG_TLS) && srv->srv_conf.tls_cert ==
- NULL) {
- /* soft fail if cert is not there yet */
- srv->srv_s = -1;
- return (0);
- }
-
 if ((srv->srv_s = server_socket_listen(&srv->srv_conf.ss,
 srv->srv_conf.port, &srv->srv_conf)) == -1)
 return (-1);
@@ -257,10 +250,6 @@ server_tls_init(struct server *srv)
 if ((srv->srv_conf.flags & SRVFLAG_TLS) == 0)
 return (0);
- if (srv->srv_conf.tls_cert == NULL)
- /* soft fail if cert is not there yet */
- return (0);
-
 log_debug("%s: setting up tls for %s", __func__,
 srv->srv_conf.name);
 if (tls_init() != 0) {
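Review bot: In the parse.y hunk at -355, the new soft-fail branch drops the whole server block from the configuration, but the warning it logs only says that the keys failed to load, so an operator reading the log cannot tell that no listener will ever be created for that server. Extending the message to `"load public/private keys, skipping server"` makes the degraded state visible without changing the control flow. The `break` relies on yacc emitting each action as a `switch` case and so leaves the action before the server is inserted into the list; since the neighbouring `server_tls_load_ca` failure uses `YYERROR` instead, a one-line comment such as `/* leave the action early; srv is not added to the server list */` would save the next reader a trip to the generated parser. Setting `srv_conf` and `srv` to NULL is only safe if every later action that touches them checks for NULL first, which cannot be confirmed from this hunk; the enclosing action starts and ends outside it.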
@@ -1160,7 +1149,7 @@ server_accept(int fd, short event, void *arg)
 if (srv->srv_conf.flags & SRVFLAG_TLS) {
 if (tls_accept_socket(srv->srv_tls_ctx, &clt->clt_tls_ctx,
 clt->clt_s) != 0) {
- server_close(clt, "failed to setup tls context");
+ server_close(clt, "failed to accept tls socket");
 return;
 }
 event_again(&clt->clt_ev, clt->clt_s, EV_TIMEOUT|EV_READ, |