dovecot-2.0-sslstream: *-login: Added support for TLS SNI.
dovecot at dovecot.org
dovecot at dovecot.org
Sat Feb 13 02:55:52 EET 2010
details: http://hg.dovecot.org/dovecot-2.0-sslstream/rev/67b88d1a12f2
changeset: 10226:67b88d1a12f2
user: Timo Sirainen <tss at iki.fi>
date: Wed Oct 28 21:20:46 2009 -0400
description:
*-login: Added support for TLS SNI.
diffstat:
4 files changed, 47 insertions(+), 6 deletions(-)
src/login-common/login-settings.c | 2 +
src/login-common/login-settings.h | 1
src/login-common/main.c | 4 +-
src/login-common/ssl-proxy-openssl.c | 46 +++++++++++++++++++++++++++++++---
diffs (128 lines):
diff -r 3f1c47797dee -r 67b88d1a12f2 src/login-common/login-settings.c
--- a/src/login-common/login-settings.c Wed Oct 28 21:17:53 2009 -0400
+++ b/src/login-common/login-settings.c Wed Oct 28 21:20:46 2009 -0400
@@ -185,6 +185,7 @@ login_settings_read(struct master_servic
login_settings_read(struct master_service *service, pool_t pool,
const struct ip_addr *local_ip,
const struct ip_addr *remote_ip,
+ const char *local_host,
void ***other_settings_r)
{
struct master_service_settings_input input;
@@ -196,6 +197,7 @@ login_settings_read(struct master_servic
input.roots = login_set_roots;
input.module = login_process_name;
input.service = login_protocol;
+ input.local_host = local_host;
if (local_ip != NULL)
input.local_ip = *local_ip;
diff -r 3f1c47797dee -r 67b88d1a12f2 src/login-common/login-settings.h
--- a/src/login-common/login-settings.h Wed Oct 28 21:17:53 2009 -0400
+++ b/src/login-common/login-settings.h Wed Oct 28 21:20:46 2009 -0400
@@ -39,6 +39,7 @@ login_settings_read(struct master_servic
login_settings_read(struct master_service *service, pool_t pool,
const struct ip_addr *local_ip,
const struct ip_addr *remote_ip,
+ const char *local_host,
void ***other_settings_r);
#endif
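Review bot: The new `local_host` parameter on the `login_settings_read()` prototype is undocumented, although the two callers in this commit pass NULL (main.c) while the SSL proxy passes the TLS SNI name it received from the client, so the contract for the value should be stated where it is declared. Suggest a comment above the prototype: `/* local_host: hostname the client says it connected to (e.g. TLS SNI), used only as a settings lookup key; may be NULL. It originates from the client and is not validated here. */`. The same parameter is threaded into `input.local_host` in the login-settings.c hunk above.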
diff -r 3f1c47797dee -r 67b88d1a12f2 src/login-common/main.c
--- a/src/login-common/main.c Wed Oct 28 21:17:53 2009 -0400
+++ b/src/login-common/main.c Wed Oct 28 21:20:46 2009 -0400
@@ -72,7 +72,7 @@ static void client_connected(const struc
pool = pool_alloconly_create("login client", 3*1024);
set = login_settings_read(master_service, pool, &local_ip,
- &conn->remote_ip, &other_sets);
+ &conn->remote_ip, NULL, &other_sets);
if (!ssl_connections && !conn->ssl) {
client = client_create(conn->fd, FALSE, pool, set, other_sets,
@@ -224,7 +224,7 @@ int main(int argc, char *argv[])
set_pool = pool_alloconly_create("global login settings", 4096);
global_login_settings =
- login_settings_read(master_service, set_pool, NULL, NULL,
+ login_settings_read(master_service, set_pool, NULL, NULL, NULL,
&global_other_settings);
/* main_preinit() needs to know the client limit, which is set by
diff -r 3f1c47797dee -r 67b88d1a12f2 src/login-common/ssl-proxy-openssl.c
--- a/src/login-common/ssl-proxy-openssl.c Wed Oct 28 21:17:53 2009 -0400
+++ b/src/login-common/ssl-proxy-openssl.c Wed Oct 28 21:20:46 2009 -0400
@@ -590,9 +590,8 @@ ssl_proxy_alloc_common(SSL_CTX *ssl_ctx,
return sfd[1];
}
-int ssl_proxy_alloc(int fd, const struct ip_addr *ip,
- const struct login_settings *set,
- struct ssl_proxy **proxy_r)
+static struct ssl_server_context *
+ssl_server_context_get(const struct login_settings *set)
{
struct ssl_server_context *ctx, lookup_ctx;
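Review bot: The extracted helper `ssl_server_context_get()` carries no comment, and since it is now also reached from the SNI callback added later in this commit, its lookup-or-create behaviour is worth stating; its body continues in the next hunk. Suggest above the definition: `/* Find the SSL server context matching these settings in ssl_servers, creating one with ssl_server_context_init() when none exists yet. */`. It may also be worth noting in the comment whether `ssl_server_context_init()` can return NULL, since `ssl_proxy_alloc()` dereferences `ctx->ctx` without a check (as the pre-existing code did).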
@@ -606,7 +605,16 @@ int ssl_proxy_alloc(int fd, const struct
ctx = hash_table_lookup(ssl_servers, &lookup_ctx);
if (ctx == NULL)
ctx = ssl_server_context_init(set);
-
+ return ctx;
+}
+
+int ssl_proxy_alloc(int fd, const struct ip_addr *ip,
+ const struct login_settings *set,
+ struct ssl_proxy **proxy_r)
+{
+ struct ssl_server_context *ctx;
+
+ ctx = ssl_server_context_get(set);
return ssl_proxy_alloc_common(ctx->ctx, fd, ip, set, proxy_r);
}
@@ -1007,6 +1015,28 @@ end:
return ret;
}
+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+static void ssl_servername_callback(SSL *ssl, int *al ATTR_UNUSED,
+ void *context ATTR_UNUSED)
+{
+ struct ssl_server_context *ctx;
+ struct ssl_proxy *proxy;
+ struct client *client;
+ const char *host;
+ void **other_sets;
+
+ proxy = SSL_get_ex_data(ssl, extdata_index);
+ host = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
+
+ client = proxy->client;
+ client->set = login_settings_read(master_service, client->pool,
+ &client->local_ip, &client->ip, host,
+ &other_sets);
+ ctx = ssl_server_context_get(client->set);
+ SSL_set_SSL_CTX(ssl, ctx->ctx);
+}
+#endif
+
static struct ssl_server_context *
ssl_server_context_init(const struct login_settings *set)
{
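Review bot: `ssl_servername_callback()` is declared `static void`, but `SSL_CTX_set_tlsext_servername_callback()` takes a callback of type `int (*)(SSL *, int *, void *)` whose return value (`SSL_TLSEXT_ERR_OK`, `SSL_TLSEXT_ERR_ALERT_FATAL`, ...) OpenSSL inspects, so the registration in the following hunk passes an incompatible function pointer and the value OpenSSL reads back is unspecified. Change the signature to `static int ssl_servername_callback(SSL *ssl, int *al ATTR_UNUSED,` and add `return SSL_TLSEXT_ERR_OK;` before the closing brace. The `host` obtained from `SSL_get_servername()` comes straight from the client's ClientHello and may be NULL when no SNI was sent; `login_settings_read()` already tolerates NULL (main.c passes it), but as an untrusted string used as a settings lookup key it should either be validated as a plausible hostname here or documented as validated on the config side. The settings are also re-read and `client->set` replaced on every invocation of the callback; if OpenSSL can invoke it more than once per connection (it is presumably re-run on a renegotiated handshake), a once-per-client guard would bound the pool growth and keep `client->set` stable. Finally, the `other_sets` returned by the new read are discarded, so if the client keeps the `other_sets` from `client_create()` they now belong to the pre-SNI settings; confirm that is intended.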
@@ -1038,6 +1068,14 @@ ssl_server_context_init(const struct log
ssl_proxy_get_use_certificate_error(ctx->cert));
}
+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+ if (SSL_CTX_set_tlsext_servername_callback(ctx->ctx,
+ ssl_servername_callback) != 1) {
+ if (set->verbose_ssl)
+ i_debug("OpenSSL library doesn't support SNI");
+ }
+#endif
+
ssl_proxy_ctx_use_key(ctx->ctx, set);
SSL_CTX_set_info_callback(ctx->ctx, ssl_info_callback);