diff options
| author | Roland Reichwein <mail@reichwein.it> | 2020-05-15 16:28:32 +0200 |
|---|---|---|
| committer | Roland Reichwein <mail@reichwein.it> | 2020-05-15 16:28:32 +0200 |
| commit | 2a3c27aadee91cd7b179e762ef0fe99128345bd1 (patch) | |
| tree | ca6c49de6ec9b19e968cd33f38368da635f26afe /https.cpp | |
| parent | 27a7f04277cacee6ca4517653f63d5cad9c61ee3 (diff) | |
Reload certificates daily
Diffstat (limited to 'https.cpp')
| -rw-r--r-- | https.cpp | 62 |
1 files changed, 45 insertions, 17 deletions
@@ -43,6 +43,8 @@ using tcp = boost::asio::ip::tcp; // from <boost/asio/ip/tcp.hpp> namespace { + // reload certs once a day: may be updated by certbot + const int32_t certificates_timer_seconds { 24 * 60*60 }; //------------------------------------------------------------------------------ // Report a failure @@ -459,12 +461,6 @@ private: /* Load a signed certificate into the ssl context, and configure the context for use with a server. - - For this to work with the browser or operating system, it is - necessary to import the "Beast Test CA" certificate into - the local certificate store, browser, or operating system - depending on your environment Please see the documentation - accompanying the Beast certificate for more details. */ void load_server_certificate(boost::asio::ssl::context& ctx, fs::path cert_path, fs::path key_path) { @@ -485,13 +481,6 @@ void load_server_certificate(boost::asio::ssl::context& ctx, fs::path cert_path, "QMUk26jPTIVTLfXmmwU0u8vUkpR7LQKkwwIBAg==\n" "-----END DH PARAMETERS-----\n"; - ctx.set_password_callback( - [](std::size_t, - boost::asio::ssl::context_base::password_purpose) - { - return "test"; - }); - ctx.set_options( boost::asio::ssl::context::default_workarounds | boost::asio::ssl::context::no_sslv2 | @@ -642,6 +631,25 @@ namespace HTTPS { Server::Server(Config& config, boost::asio::io_context& ioc, const Socket& socket, plugins_container_type& plugins, Statistics& statistics) : ::Server(config, ioc, socket, plugins, statistics) + , m_certificates_timer(ioc, boost::asio::chrono::seconds(certificates_timer_seconds)) + , m_certificates_timer_callback { + [&](const boost::system::error_code& error){ + reload_certificates(); + m_certificates_timer.expires_at(m_certificates_timer.expires_at() + boost::asio::chrono::seconds(certificates_timer_seconds)); + m_certificates_timer.async_wait(m_certificates_timer_callback); + }} +{ + load_certificates(); // load initially + + // Reload certs once a day, maybe updated by certbot + m_certificates_timer.async_wait(m_certificates_timer_callback); +} + +Server::~Server() +{ +} + +void Server::load_certificates() { // initial dummy, before we can add specific ctx w/ certificate std::shared_ptr<ssl::context> ctx_dummy{std::make_shared<ssl::context>(tls_method)}; @@ -650,12 +658,12 @@ Server::Server(Config& config, boost::asio::io_context& ioc, const Socket& socke m_ctx.emplace("", ctx_dummy); // import the real certificates - for (const auto& serve_site: socket.serve_sites) { - for (const auto& site: config.Sites()) { + for (const auto& serve_site: m_socket.serve_sites) { + for (const auto& site: m_config.Sites()) { if (site.name == serve_site) { std::shared_ptr<ssl::context> ctx {std::make_shared<ssl::context>(tls_method)}; - std::cout << "Creating SSL context/cert for site " << serve_site << " on port " << socket.port << std::endl; + std::cout << "Creating SSL context/cert for site " << serve_site << " on port " << m_socket.port << std::endl; load_server_certificate(*ctx, site.cert_path, site.key_path); SSL_CTX_set_client_hello_cb(ctx->native_handle(), servername_callback, &m_ctx); @@ -669,8 +677,28 @@ Server::Server(Config& config, boost::asio::io_context& ioc, const Socket& socke } } -Server::~Server() +void Server::reload_certificates() { + for (const auto& serve_site: m_socket.serve_sites) { + for (const auto& site: m_config.Sites()) { + if (site.name == serve_site) { + + std::cout << "Updating SSL context/cert for site " << serve_site << " on port " << m_socket.port << std::endl; + + auto it_host {site.hosts.begin()}; + if (it_host == site.hosts.end()) { + std::cout << " Warning: No configured host found." << std::endl; + } else { + auto it_ctx {m_ctx.find(*it_host)}; + if (it_ctx == m_ctx.end()) { + std::cout << " Warning: No context found for configured host." << std::endl; + } else { + load_server_certificate(*it_ctx->second, site.cert_path, site.key_path); + } + } + } + } + } } int Server::start() |