Merge 'fanout/certload_improve'

Merge into feature/sni-improvements Conflicts: src/polarssl
chickenkiller · Oct 12, 2013 · 1f13947 · 1f13947
2 parents 19df4cb + ba6defc
commit 1f13947
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 5 deletions.
diff --git a/src/connection.c b/src/connection.c
@@ -915,7 +915,10 @@ static int connection_sni_cb(void *p_conn, ssl_context *ssl, const unsigned char
     bdestroy(hostname);
     if(certpath != NULL) bdestroy(certpath);
     if(keypath != NULL) bdestroy(keypath);
-    return -1;
+
+    // don't return error here. this way the ssl handshake continues and the
+    //   the default cert will get used instead
+    return 0;
 }
 
 

diff --git a/src/server.c b/src/server.c
@@ -45,6 +45,7 @@
 #include "setting.h"
 #include "pattern.h"
 #include "config/config.h"
+#include "unixy.h"
 #include <signal.h>
 
 darray_t *SERVER_QUEUE = NULL;
@@ -150,11 +151,18 @@ static int Server_load_ciphers(Server *srv, bstring ssl_ciphers_val)
 static int Server_init_ssl(Server *srv)
 {
     int rc = 0;
+    bstring certdir = NULL;
     bstring certpath = NULL;
     bstring keypath = NULL;
-
-    bstring certdir = Setting_get_str("certdir", NULL);
-    check(certdir != NULL, "to use ssl, you must specify a certdir");
+
+    bstring certdir_setting = Setting_get_str("certdir", NULL);
+    check(certdir_setting != NULL, "to use ssl, you must specify a certdir");
+
+    if(srv->chroot != NULL && !Unixy_in_chroot()) {
+        certdir = bformat("%s%s", bdata(srv->chroot), bdata(certdir_setting));
+    } else {
+        certdir = bstrcpy(certdir_setting);
+    }
 
     certpath = bformat("%s%s.crt", bdata(certdir), bdata(srv->uuid)); 
     check_mem(certpath);
@@ -193,13 +201,15 @@ static int Server_init_ssl(Server *srv)
     srv->dhm_P = ssl_default_dhm_P;
     srv->dhm_G = ssl_default_dhm_G;
 
+    bdestroy(certdir);
     bdestroy(certpath);
     bdestroy(keypath);
 
     return 0;
 
 error:
-    // Do not free certfile, as we're pulling it from Settings
+    // Do not free certdir_setting, as we're pulling it from Settings
+    if(certdir != NULL) bdestroy(certdir);
     if(certpath != NULL) bdestroy(certpath);
     if(keypath != NULL) bdestroy(keypath);
     return -1;

diff --git a/src/unixy.c b/src/unixy.c
@@ -43,6 +43,7 @@
 #include <stdlib.h>
 
 char *m2program = "mongrel2";
+static int in_chroot = 0;
 
 int Unixy_chroot(bstring path)
 {
@@ -54,6 +55,8 @@ int Unixy_chroot(bstring path)
     rc = chroot(to_dir);
     check(rc == 0, "Can't chroot to %s, rerun as root if this is what you want.", bdata(path));
 
+    in_chroot = 1;
+
     rc = chdir("/");
     check(rc == 0, "Can't chdir to / directory inside chroot.");
 
@@ -64,6 +67,12 @@ int Unixy_chroot(bstring path)
 }
 
 
+int Unixy_in_chroot()
+{
+    return in_chroot;
+}
+
+
 int Unixy_drop_priv(bstring path)
 {
     if(path != NULL) {

diff --git a/src/unixy.h b/src/unixy.h
@@ -42,6 +42,8 @@ char *m2program;
 
 int Unixy_chroot(bstring path);
 
+int Unixy_in_chroot();
+
 int Unixy_drop_priv(bstring path);
 
 bstring Unixy_getcwd();