From 1374fac8de85fe1ac877096f18b60a1561dfc96f Mon Sep 17 00:00:00 2001 From: Roland Reichwein Date: Sat, 11 Apr 2020 15:58:01 +0200 Subject: Replace SSL_CTX_set_tlsext_servername_callback with SSL_client_hello_get0_ext --- https.cpp | 62 +++++++++++++++++++++++++++++++++++++++++++++------------- webserver.conf | 3 +++ 2 files changed, 51 insertions(+), 14 deletions(-) diff --git a/https.cpp b/https.cpp index a263a54..5230d60 100644 --- a/https.cpp +++ b/https.cpp @@ -6,6 +6,7 @@ #include "response.h" #include +#include #include #include @@ -566,25 +567,62 @@ void load_server_certificate(boost::asio::ssl::context& ctx, fs::path cert_path, boost::asio::buffer(dh.data(), dh.size())); } +int ServerNameError(SSL *s, HTTPS::Server::ctx_type& ctx_map) +{ + std::shared_ptr ctx{ctx_map.at("")}; + SSL_set_SSL_CTX(s, ctx->native_handle()); + return SSL_CLIENT_HELLO_SUCCESS; // OK for now +} + int servername_callback(SSL *s, int *al, void *arg) { - int type {SSL_get_servername_type(s)}; - std::string server_name {SSL_get_servername(s, type)}; + HTTPS::Server::ctx_type& ctx_map = *(HTTPS::Server::ctx_type*)arg; + + if (0) { // not really necessary + int* numbers; + size_t numbers_size; + if (SSL_client_hello_get1_extensions_present(s, &numbers, &numbers_size) != 1) { + std::cout << "Error on SSL_client_hello_get1_extensions_present" << std::endl; + return ServerNameError(s, ctx_map); + } + bool server_name_available {false}; + for (size_t i = 0; i < numbers_size; i++) + if (numbers[i] == 0) + server_name_available = true; + + OPENSSL_free(numbers); + + if (!server_name_available) { + std::cout << "Error: No server_name available at SSL_client_hello_get1_extensions_present" << std::endl; + return ServerNameError(s, ctx_map); + } + } + + const unsigned char* data; + size_t data_size; + // 0 is server_name + if (SSL_client_hello_get0_ext(s, 0, &data, &data_size) != 1) { + std::cout << "Warning: Error on SSL_client_hello_get0_ext: servername not available. Using dummy ctx." << std::endl; + return ServerNameError(s, ctx_map); + } - HTTPS::Server::ctx_type* ctx_map = (HTTPS::Server::ctx_type*)arg; + // SNI Server Name, See https://tools.ietf.org/html/rfc6066 (TODO: why are there 5 bytes header?) + std::string server_name {std::string((const char*)data, (size_t)data_size)}; + if (server_name.size() >= 5 && server_name[0] == '\0') + server_name = server_name.substr(5); - auto it {ctx_map->find(server_name)}; + auto it {ctx_map.find(server_name)}; std::shared_ptr ctx{}; - if (it != ctx_map->end()) { + if (it != ctx_map.end()) { ctx = it->second; } else { - std::cout << "Warning: server_name " << server_name << " not found in list of prepared contexts. Using dummy ctx." << std::endl; - ctx = ctx_map->at(""); + std::cout << "Warning: server_name " << server_name << " (" << server_name.size() << ") not found in list of prepared contexts. Using dummy ctx." << std::endl; + return ServerNameError(s, ctx_map); } SSL_set_SSL_CTX(s, ctx->native_handle()); - return SSL_TLSEXT_ERR_OK; + return SSL_CLIENT_HELLO_SUCCESS; } } // anonymous namespace @@ -598,9 +636,7 @@ Server::Server(Config& config, boost::asio::io_context& ioc, const Socket& socke // initial dummy, before we can add specific ctx w/ certificate std::shared_ptr ctx_dummy{std::make_shared(tls_method)}; load_server_certificate(*ctx_dummy, "", ""); - //SSL_CTX_set_client_hello_cb(ctx_dummy->native_handle(), servername_callback, &m_ctx); - SSL_CTX_set_tlsext_servername_callback(ctx_dummy->native_handle(), servername_callback); - SSL_CTX_set_tlsext_servername_arg(ctx_dummy->native_handle(), &m_ctx); + SSL_CTX_set_client_hello_cb(ctx_dummy->native_handle(), servername_callback, &m_ctx); m_ctx.emplace("", ctx_dummy); // import the real certificates @@ -612,9 +648,7 @@ Server::Server(Config& config, boost::asio::io_context& ioc, const Socket& socke std::cout << "Creating SSL context/cert for site " << serve_site << " on port " << socket.port << std::endl; load_server_certificate(*ctx, site.cert_path, site.key_path); - //SSL_CTX_set_client_hello_cb(ctx->native_handle(), servername_callback, &m_ctx); - SSL_CTX_set_tlsext_servername_callback(ctx->native_handle(), servername_callback); - SSL_CTX_set_tlsext_servername_arg(ctx->native_handle(), &m_ctx); + SSL_CTX_set_client_hello_cb(ctx->native_handle(), servername_callback, &m_ctx); for (const auto& host: site.hosts) { std::cout << " Adding Host " << host << std::endl; diff --git a/webserver.conf b/webserver.conf index 44dba49..e3731bc 100644 --- a/webserver.conf +++ b/webserver.conf @@ -13,6 +13,7 @@ lists.antcom.de antcom.de www.antcom.de + localhost ip6-localhost 127.0.0.1 [::1] @@ -32,6 +33,8 @@ marx marx.antcom.de + marx1.antcom.de + localhost static-files /home/ernie/homepage/test1 -- cgit v1.2.3