This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated via 343740678ab5617d10102e426a460dceea59d895 (commit) from da43373bdbe9a2fd91a8a08b78b3a87f707a2f45 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit 343740678ab5617d10102e426a460dceea59d895 Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Apr 6 13:42:27 2012 +0200
pound: Add patch to select certificates by their SANs.
http://www.apsis.ch/pound/pound_list/archive/2012/2012-02/1329442080000#1329...
-----------------------------------------------------------------------
Summary of changes: lfs/pound | 3 +- .../Pound-2.6-reneg-ciphers-altnames-nosslv2.patch | 452 ++++++++++++++++++++ 2 files changed, 454 insertions(+), 1 deletions(-) create mode 100644 src/patches/Pound-2.6-reneg-ciphers-altnames-nosslv2.patch
Difference in files: diff --git a/lfs/pound b/lfs/pound index 1b9e523..f2a7f5f 100644 --- a/lfs/pound +++ b/lfs/pound @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = pound -PAK_VER = 3 +PAK_VER = 4
DEPS = ""
@@ -78,6 +78,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && patch -p4 < $(DIR_SRC)/src/patches/pound-2.6.patch + cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/Pound-2.6-reneg-ciphers-altnames-nosslv2.patch cd $(DIR_APP) && ./configure --prefix=/usr --sysconfdir=/etc --enable-cert1l cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install diff --git a/src/patches/Pound-2.6-reneg-ciphers-altnames-nosslv2.patch b/src/patches/Pound-2.6-reneg-ciphers-altnames-nosslv2.patch new file mode 100644 index 0000000..9c874c8 --- /dev/null +++ b/src/patches/Pound-2.6-reneg-ciphers-altnames-nosslv2.patch @@ -0,0 +1,452 @@ +diff -Naur Pound-2.6.orig/config.c Pound-2.6.reneg-ciphers-altnames-nosslv2/config.c +--- Pound-2.6.orig/config.c 2011-12-28 14:57:45.000000000 +0100 ++++ Pound-2.6.reneg-ciphers-altnames-nosslv2/config.c 2012-02-15 21:49:39.000000000 +0100 +@@ -31,6 +31,8 @@ + + #include "pound.h" + ++#include <openssl/x509v3.h> ++ + #ifdef MISS_FACILITYNAMES + + /* This is lifted verbatim from the Linux sys/syslog.h */ +@@ -76,7 +78,7 @@ + static regex_t Err414, Err500, Err501, Err503, MaxRequest, HeadRemove, RewriteLocation, RewriteDestination; + static regex_t Service, ServiceName, URL, HeadRequire, HeadDeny, BackEnd, Emergency, Priority, HAport, HAportAddr; + static regex_t Redirect, RedirectN, TimeOut, Session, Type, TTL, ID, DynScale; +-static regex_t ClientCert, AddHeader, Ciphers, CAlist, VerifyList, CRLlist, NoHTTPS11; ++static regex_t ClientCert, AddHeader, DisableSSLv2, SSLAllowClientRenegotiation, SSLHonorCipherOrder, Ciphers, CAlist, VerifyList, CRLlist, NoHTTPS11; + static regex_t Grace, Include, ConnTO, IgnoreCase, HTTPS, HTTPSCert, Disabled, Threads, CNName; + + static regmatch_t matches[5]; +@@ -167,6 +169,53 @@ + } + } + ++unsigned char ** ++get_subjectaltnames(X509 *x509, unsigned int *count) ++{ ++ *count = 0; ++ unsigned int local_count = 0; ++ unsigned char **result = NULL; ++ ++ STACK_OF(GENERAL_NAME) *san_stack = (STACK_OF(GENERAL_NAME)*)X509_get_ext_d2i(x509, NID_subject_alt_name, NULL, NULL); ++ ++ unsigned char *temp[sk_GENERAL_NAME_num(san_stack)]; ++ ++ GENERAL_NAME *name = NULL; ++ while(sk_GENERAL_NAME_num(san_stack) > 0) ++ { ++ name = sk_GENERAL_NAME_pop(san_stack); ++ ++ switch(name->type) ++ { ++ case GEN_DNS: ++ temp[local_count] = strndup(ASN1_STRING_data(name->d.dNSName), ASN1_STRING_length(name->d.dNSName)+1); ++ if(temp[local_count] == NULL) { conf_err("out of memory"); } ++ local_count++; ++ break; ++ default: ++ logmsg(LOG_INFO, "unsupported subjectAltName type encountered: %i", name->type); ++ } ++ ++ GENERAL_NAME_free(name); ++ } ++ ++ result = (unsigned char**)malloc(sizeof(unsigned char*)*local_count); ++ if(result == NULL) { conf_err("out of memory"); } ++ int i; ++ for(i = 0;i < local_count; i++) ++ { ++ result[i] = strndup(temp[i], strlen(temp[i])+1); ++ if(result[i] == NULL) { conf_err("out of memory"); } ++ ++ free(temp[i]); ++ } ++ *count = local_count; ++ ++ sk_GENERAL_NAME_pop_free(san_stack, GENERAL_NAME_free); ++ ++ return result; ++} ++ + /* + * parse a back-end + */ +@@ -289,9 +338,12 @@ + } else if(!regexec(&HTTPS, lin, 4, matches, 0)) { + if((res->ctx = SSL_CTX_new(SSLv23_client_method())) == NULL) + conf_err("SSL_CTX_new failed - aborted"); ++ SSL_CTX_set_app_data(res->ctx, res); + SSL_CTX_set_verify(res->ctx, SSL_VERIFY_NONE, NULL); + SSL_CTX_set_mode(res->ctx, SSL_MODE_AUTO_RETRY); + SSL_CTX_set_options(res->ctx, SSL_OP_ALL); ++ SSL_CTX_clear_options(res->ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION); ++ SSL_CTX_clear_options(res->ctx, SSL_OP_LEGACY_SERVER_CONNECT); + sprintf(lin, "%d-Pound-%ld", getpid(), random()); + SSL_CTX_set_session_id_context(res->ctx, (unsigned char *)lin, strlen(lin)); + SSL_CTX_set_tmp_rsa_callback(res->ctx, RSA_tmp_callback); +@@ -299,6 +351,7 @@ + } else if(!regexec(&HTTPSCert, lin, 4, matches, 0)) { + if((res->ctx = SSL_CTX_new(SSLv23_client_method())) == NULL) + conf_err("SSL_CTX_new failed - aborted"); ++ SSL_CTX_set_app_data(res->ctx, res); + lin[matches[1].rm_eo] = '\0'; + if(SSL_CTX_use_certificate_chain_file(res->ctx, lin + matches[1].rm_so) != 1) + conf_err("SSL_CTX_use_certificate_chain_file failed - aborted"); +@@ -309,6 +362,8 @@ + SSL_CTX_set_verify(res->ctx, SSL_VERIFY_NONE, NULL); + SSL_CTX_set_mode(res->ctx, SSL_MODE_AUTO_RETRY); + SSL_CTX_set_options(res->ctx, SSL_OP_ALL); ++ SSL_CTX_clear_options(res->ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION); ++ SSL_CTX_clear_options(res->ctx, SSL_OP_LEGACY_SERVER_CONNECT); + sprintf(lin, "%d-Pound-%ld", getpid(), random()); + SSL_CTX_set_session_id_context(res->ctx, (unsigned char *)lin, strlen(lin)); + SSL_CTX_set_tmp_rsa_callback(res->ctx, RSA_tmp_callback); +@@ -805,13 +860,23 @@ + /* logmsg(LOG_DEBUG, "Received SSL SNI Header for servername %s", servername); */ + + SSL_set_SSL_CTX(ssl, NULL); +- for(pc = ctx; pc; pc = pc->next) ++ for(pc = ctx; pc; pc = pc->next) { + if(fnmatch(pc->server_name, server_name, 0) == 0) { + /* logmsg(LOG_DEBUG, "Found cert for %s", servername); */ + SSL_set_SSL_CTX(ssl, pc->ctx); + return SSL_TLSEXT_ERR_OK; + } +- ++ else if(pc->subjectAltNameCount > 0 && pc->subjectAltNames != NULL) { ++ int i; ++ for(i = 0; i < pc->subjectAltNameCount; i++) { ++ if(fnmatch(pc->subjectAltNames[i], server_name, 0) == 0) { ++ SSL_set_SSL_CTX(ssl, pc->ctx); ++ return SSL_TLSEXT_ERR_OK; ++ } ++ } ++ } ++ } ++ + /* logmsg(LOG_DEBUG, "No match for %s, default used", server_name); */ + SSL_set_SSL_CTX(ssl, ctx->ctx); + return SSL_TLSEXT_ERR_OK; +@@ -829,11 +894,15 @@ + SERVICE *svc; + MATCHER *m; + int has_addr, has_port, has_other; ++ long ssl_op_enable, ssl_op_disable; + struct hostent *host; + struct sockaddr_in in; + struct sockaddr_in6 in6; + POUND_CTX *pc; + ++ ssl_op_enable = SSL_OP_ALL; ++ ssl_op_disable = SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION | SSL_OP_LEGACY_SERVER_CONNECT; ++ + if((res = (LISTENER *)malloc(sizeof(LISTENER))) == NULL) + conf_err("ListenHTTPS config: out of memory - aborted"); + memset(res, 0, sizeof(LISTENER)); +@@ -844,6 +913,8 @@ + res->err500 = "An internal server error occurred. Please try again later."; + res->err501 = "This method may not be used."; + res->err503 = "The service is not available. Please try again later."; ++ res->allow_client_reneg = 0; ++ res->disable_ssl_v2 = 0; + res->log_level = log_level; + if(regcomp(&res->verb, xhttp[0], REG_ICASE | REG_NEWLINE | REG_EXTENDED)) + conf_err("xHTTP bad default pattern - aborted"); +@@ -959,6 +1030,9 @@ + fclose(fcert); + memset(server_name, '\0', MAXBUF); + X509_NAME_oneline(X509_get_subject_name(x509), server_name, MAXBUF - 1); ++ pc->subjectAltNameCount = 0; ++ pc->subjectAltNames = NULL; ++ pc->subjectAltNames = get_subjectaltnames(x509, &(pc->subjectAltNameCount)); + X509_free(x509); + if(!regexec(&CNName, server_name, 4, matches, 0)) { + server_name[matches[1].rm_eo] = '\0'; +@@ -1029,6 +1103,25 @@ + strcat(res->add_head, "\r\n"); + strcat(res->add_head, lin + matches[1].rm_so); + } ++ } else if(!regexec(&DisableSSLv2, lin, 4, matches, 0)) { ++ res->disable_ssl_v2 = 1; ++ } else if(!regexec(&SSLAllowClientRenegotiation, lin, 4, matches, 0)) { ++ res->allow_client_reneg = atoi(lin + matches[1].rm_so); ++ if (res->allow_client_reneg == 2) { ++ ssl_op_enable |= SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; ++ ssl_op_disable &= ~SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; ++ } else { ++ ssl_op_disable |= SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; ++ ssl_op_enable &= ~SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; ++ } ++ } else if(!regexec(&SSLHonorCipherOrder, lin, 4, matches, 0)) { ++ if (atoi(lin + matches[1].rm_so)) { ++ ssl_op_enable |= SSL_OP_CIPHER_SERVER_PREFERENCE; ++ ssl_op_disable &= ~SSL_OP_CIPHER_SERVER_PREFERENCE; ++ } else { ++ ssl_op_disable |= SSL_OP_CIPHER_SERVER_PREFERENCE; ++ ssl_op_enable &= ~SSL_OP_CIPHER_SERVER_PREFERENCE; ++ } + } else if(!regexec(&Ciphers, lin, 4, matches, 0)) { + has_other = 1; + if(res->ctx == NULL) +@@ -1105,12 +1198,19 @@ + conf_err("ListenHTTPS: can't set SNI callback"); + #endif + for(pc = res->ctx; pc; pc = pc->next) { ++ SSL_CTX_set_app_data(pc->ctx, res); + SSL_CTX_set_mode(pc->ctx, SSL_MODE_AUTO_RETRY); +- SSL_CTX_set_options(pc->ctx, SSL_OP_ALL); ++ SSL_CTX_set_options(pc->ctx, ssl_op_enable); ++ SSL_CTX_clear_options(pc->ctx, ssl_op_disable); ++ if (res->disable_ssl_v2 == 1) ++ { ++ SSL_CTX_set_options(pc->ctx, SSL_OP_NO_SSLv2); ++ } + sprintf(lin, "%d-Pound-%ld", getpid(), random()); + SSL_CTX_set_session_id_context(pc->ctx, (unsigned char *)lin, strlen(lin)); + SSL_CTX_set_tmp_rsa_callback(pc->ctx, RSA_tmp_callback); + SSL_CTX_set_tmp_dh_callback(pc->ctx, DH_tmp_callback); ++ SSL_CTX_set_info_callback(pc->ctx, SSLINFO_callback); + } + return res; + } else { +@@ -1305,6 +1405,9 @@ + || regcomp(&DynScale, "^[ \t]*DynScale[ \t]+([01])[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED) + || regcomp(&ClientCert, "^[ \t]*ClientCert[ \t]+([0-3])[ \t]+([1-9])[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED) + || regcomp(&AddHeader, "^[ \t]*AddHeader[ \t]+"(.+)"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED) ++ || regcomp(&SSLAllowClientRenegotiation, "^[ \t]*SSLAllowClientRenegotiation[ \t]+([012])[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED) ++ || regcomp(&DisableSSLv2, "^[ \t]*DisableSSLv2[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED) ++ || regcomp(&SSLHonorCipherOrder, "^[ \t]*SSLHonorCipherOrder[ \t]+([01])[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED) + || regcomp(&Ciphers, "^[ \t]*Ciphers[ \t]+"(.+)"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED) + || regcomp(&CAlist, "^[ \t]*CAlist[ \t]+"(.+)"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED) + || regcomp(&VerifyList, "^[ \t]*VerifyList[ \t]+"(.+)"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED) +@@ -1463,6 +1566,9 @@ + regfree(&DynScale); + regfree(&ClientCert); + regfree(&AddHeader); ++ regfree(&SSLAllowClientRenegotiation); ++ regfree(&DisableSSLv2); ++ regfree(&SSLHonorCipherOrder); + regfree(&Ciphers); + regfree(&CAlist); + regfree(&VerifyList); +diff -Naur Pound-2.6.orig/http.c Pound-2.6.reneg-ciphers-altnames-nosslv2/http.c +--- Pound-2.6.orig/http.c 2011-12-28 14:57:45.000000000 +0100 ++++ Pound-2.6.reneg-ciphers-altnames-nosslv2/http.c 2012-02-15 21:44:46.000000000 +0100 +@@ -246,6 +246,11 @@ + + static int err_to = -1; + ++typedef struct { ++ int timeout; ++ RENEG_STATE *reneg_state; ++} BIO_ARG; ++ + /* + * Time-out for client read/gets + * the SSL manual says not to do it, but it works well enough anyway... +@@ -253,18 +258,32 @@ + static long + bio_callback(BIO *const bio, const int cmd, const char *argp, int argi, long argl, long ret) + { ++ BIO_ARG *bio_arg; + struct pollfd p; + int to, p_res, p_err; + + if(cmd != BIO_CB_READ && cmd != BIO_CB_WRITE) + return ret; + ++ //logmsg(LOG_NOTICE, "bio callback"); + /* a time-out already occured */ +- if((to = *((int *)BIO_get_callback_arg(bio)) * 1000) < 0) { ++ if((bio_arg = (BIO_ARG*)BIO_get_callback_arg(bio))==NULL) return ret; ++ if((to = bio_arg->timeout * 1000) < 0) { + errno = ETIMEDOUT; + return -1; + } + ++ /* Renegotiations */ ++ //logmsg(LOG_NOTICE, "RENEG STATE %d", bio_arg->reneg_state==NULL?-1:*bio_arg->reneg_state); ++ if (bio_arg->reneg_state != NULL && *bio_arg->reneg_state == RENEG_ABORT) { ++ logmsg(LOG_NOTICE, "REJECTING renegotiated session"); ++ errno = ECONNABORTED; ++ return -1; ++ } ++ ++ //logmsg(LOG_NOTICE, "TO %d", to); ++ if (to == 0) return ret; ++ + for(;;) { + memset(&p, 0, sizeof(p)); + BIO_get_fd(bio, &p.fd); +@@ -299,7 +318,7 @@ + return -1; + case 0: + /* timeout - mark the BIO as unusable for the future */ +- BIO_set_callback_arg(bio, (char *)&err_to); ++ bio_arg->timeout = err_to; + #ifdef EBUG + logmsg(LOG_WARNING, "(%lx) CALLBACK timeout poll after %d secs: %s", + pthread_self(), to / 1000, strerror(p_err)); +@@ -503,7 +522,14 @@ + regmatch_t matches[4]; + struct linger l; + double start_req, end_req; ++ RENEG_STATE reneg_state; ++ BIO_ARG ba1, ba2; + ++ reneg_state = RENEG_INIT; ++ ba1.reneg_state = &reneg_state; ++ ba2.reneg_state = &reneg_state; ++ ba1.timeout = 0; ++ ba2.timeout = 0; + from_host = ((thr_arg *)arg)->from_host; + memcpy(&from_host_addr, from_host.ai_addr, from_host.ai_addrlen); + from_host.ai_addr = (struct sockaddr *)&from_host_addr; +@@ -512,6 +538,8 @@ + free(((thr_arg *)arg)->from_host.ai_addr); + free(arg); + ++ if(lstn->allow_client_reneg) reneg_state = RENEG_ALLOW; ++ + n = 1; + setsockopt(sock, SOL_SOCKET, SO_KEEPALIVE, (void *)&n, sizeof(n)); + l.l_onoff = 1; +@@ -535,10 +563,11 @@ + close(sock); + return; + } +- if(lstn->to > 0) { +- BIO_set_callback_arg(cl, (char *)&lstn->to); ++ //if(lstn->to > 0) { ++ ba1.timeout = lstn->to; ++ BIO_set_callback_arg(cl, (char *)&ba1); + BIO_set_callback(cl, bio_callback); +- } ++ //} + + if(lstn->ctx != NULL) { + if((ssl = SSL_new(lstn->ctx->ctx)) == NULL) { +@@ -547,6 +576,7 @@ + BIO_free_all(cl); + return; + } ++ SSL_set_app_data(ssl, &reneg_state); + SSL_set_bio(ssl, cl, cl); + if((bb = BIO_new(BIO_f_ssl())) == NULL) { + logmsg(LOG_WARNING, "(%lx) BIO_new(Bio_f_ssl()) failed", pthread_self()); +@@ -848,7 +878,8 @@ + } + BIO_set_close(be, BIO_CLOSE); + if(backend->to > 0) { +- BIO_set_callback_arg(be, (char *)&backend->to); ++ ba2.timeout = backend->to; ++ BIO_set_callback_arg(be, (char *)&ba2); + BIO_set_callback(be, bio_callback); + } + if(backend->ctx != NULL) { +diff -Naur Pound-2.6.orig/pound.8 Pound-2.6.reneg-ciphers-altnames-nosslv2/pound.8 +--- Pound-2.6.orig/pound.8 2011-12-28 14:57:45.000000000 +0100 ++++ Pound-2.6.reneg-ciphers-altnames-nosslv2/pound.8 2012-02-15 21:44:46.000000000 +0100 +@@ -501,6 +501,19 @@ + and + .I SSL_CTX_set_cipher_list(3). + .TP ++\fBSSLHonorCipherOrder\fR 0|1 ++If this value is 1, the server will broadcast a preference to use \fBCiphers\fR in the ++order supplied in the \fBCiphers\fR directive. If the value is 0, the server will treat ++the Ciphers list as the list of Ciphers it will accept, but no preference will be ++indicated. Default value is 0. ++.TP ++\fBSSLAllowClientRenegotiation\fR 0|1|2 ++If this value is 0, client initiated renegotiation will be disabled. This will mitigate ++DoS exploits based on client renegotiation, regardless of the patch status of clients and ++servers related to "Secure renegotiation". If the value is 1, secure renegotiation is ++supported. If the value is 2, insecure renegotiation is supported, with unpatched ++clients. /fBThis can lead to a DoS and a Man in the Middle attack!/fR Default value is 0. ++.TP + \fBCAlist\fR "CAcert_file" + Set the list of "trusted" CA's for this server. The CAcert_file is a file containing + a sequence of CA certificates (PEM format). The names of the defined CA certificates +diff -Naur Pound-2.6.orig/pound.h Pound-2.6.reneg-ciphers-altnames-nosslv2/pound.h +--- Pound-2.6.orig/pound.h 2011-12-28 14:57:45.000000000 +0100 ++++ Pound-2.6.reneg-ciphers-altnames-nosslv2/pound.h 2012-02-15 21:49:39.000000000 +0100 +@@ -380,6 +380,8 @@ + SSL_CTX *ctx; + char *server_name; + struct _pound_ctx *next; ++ unsigned int subjectAltNameCount; ++ unsigned char **subjectAltNames; + } POUND_CTX; + + /* Listener definition */ +@@ -404,6 +406,8 @@ + int rewr_dest; /* rewrite destination header */ + int disabled; /* true if the listener is disabled */ + int log_level; /* log level for this listener */ ++ int allow_client_reneg; /* Allow Client SSL Renegotiation */ ++ int disable_ssl_v2; /* Disable SSL version 2 */ + SERVICE *services; + struct _listener *next; + } LISTENER; +@@ -419,6 +423,9 @@ + struct _thr_arg *next; + } thr_arg; /* argument to processing threads: socket, origin */ + ++/* Track SSL handshare/renegotiation so we can reject client-renegotiations. */ ++typedef enum { RENEG_INIT=0, RENEG_REJECT, RENEG_ALLOW, RENEG_ABORT } RENEG_STATE; ++ + /* Header types */ + #define HEADER_ILLEGAL -1 + #define HEADER_OTHER 0 +@@ -591,6 +598,11 @@ + extern DH *DH_tmp_callback(SSL *, int, int); + + /* ++ * Renegotiation callback ++ */ ++extern void SSLINFO_callback(const SSL *s, int where, int rc); ++ ++/* + * expiration stuff + */ + #ifndef EXPIRE_TO +diff -Naur Pound-2.6.orig/svc.c Pound-2.6.reneg-ciphers-altnames-nosslv2/svc.c +--- Pound-2.6.orig/svc.c 2011-12-28 14:57:45.000000000 +0100 ++++ Pound-2.6.reneg-ciphers-altnames-nosslv2/svc.c 2012-02-15 21:44:46.000000000 +0100 +@@ -1797,3 +1797,34 @@ + close(ctl); + } + } ++ ++void ++SSLINFO_callback(const SSL *ssl, int where, int rc) ++{ ++ RENEG_STATE *reneg_state; ++ ++ /* Get our thr_arg where we're tracking this connection info */ ++ if ((reneg_state = (RENEG_STATE *)SSL_get_app_data(ssl)) == NULL) return; ++ ++ /* If we're rejecting renegotiations, move to ABORT if Client Hello is being read. */ ++ if ((where & SSL_CB_ACCEPT_LOOP) && *reneg_state == RENEG_REJECT) { ++ int state = SSL_get_state(ssl); ++ ++ if (state == SSL3_ST_SR_CLNT_HELLO_A || state == SSL23_ST_SR_CLNT_HELLO_A) { ++ *reneg_state = RENEG_ABORT; ++ logmsg(LOG_WARNING,"rejecting client initiated renegotiation"); ++ } ++ } ++ else if (where & SSL_CB_HANDSHAKE_DONE && *reneg_state == RENEG_INIT) { ++ // Reject any followup renegotiations ++ *reneg_state = RENEG_REJECT; ++ } ++ ++ //if (where & SSL_CB_HANDSHAKE_START) logmsg(LOG_DEBUG, "handshake start"); ++ //else if (where & SSL_CB_HANDSHAKE_DONE) logmsg(LOG_DEBUG, "handshake done"); ++ //else if (where & SSL_CB_LOOP) logmsg(LOG_DEBUG, "loop"); ++ //else if (where & SSL_CB_READ) logmsg(LOG_DEBUG, "read"); ++ //else if (where & SSL_CB_WRITE) logmsg(LOG_DEBUG, "write"); ++ //else if (where & SSL_CB_ALERT) logmsg(LOG_DEBUG, "alert"); ++} ++
hooks/post-receive -- IPFire 2.x development tree