
Merge branch 'dev' of https://github.com/cherokee/webserver into database_abstraction

Conflicts:
	cherokee/source.c
skinkie committed Nov 21, 2011
2 parents 1d522f7 + 4536bb7 commit fcf2e3ea7f4a64e8b47c74f5bd95f5c9d9bc23a7
@@ -20,6 +20,7 @@ Makefile.in
ChangeLog
aclocal.m4
admin/configured.py
+admin/wizards2
autom4te.cache/
cherokee-*.tar.gz
cherokee-config
@@ -46,6 +46,7 @@
NOTE_CERT_KEY = N_('PEM-encoded Private Key file for the server (Full path to the file)')
NOTE_CA_LIST = N_('File containing the trusted CA certificates, utilized for checking the client certificates (Full path to the file)')
NOTE_CIPHERS = N_('Ciphers that TLS/SSL is allowed to use. <a target="_blank" href="http://www.openssl.org/docs/apps/ciphers.html">Reference</a>. (Default: HIGH:!aNULL:!MD5).')
+NOTE_CIPHER_SERVER_PREFERENCE = N_('The cipher sequence that is specified by the server should have preference over the preference of the client. (Default: False).')
NOTE_CLIENT_CERTS = N_('Skip, Accept or Require client certificates.')
NOTE_VERIFY_DEPTH = N_('Limit up to which depth certificates in a chain are used during the verification procedure (Default: 1)')
NOTE_ERROR_HANDLER = N_('Allows the selection of how to generate the error responses.')
@@ -665,6 +666,7 @@ def __init__ (self, vsrv_num, refreshable):
# Advanced options
table = CTK.PropsTable()
table.Add (_('Ciphers'), CTK.TextCfg ('%s!ssl_ciphers' %(pre), True), _(NOTE_CIPHERS))
+ table.Add (_('Server Preference'), CTK.CheckCfgText ('%s!ssl_cipher_server_preference' % (pre), False, _('Prefer')), _(NOTE_CIPHER_SERVER_PREFERENCE))
table.Add (_('Client Certs. Request'), CTK.ComboCfg('%s!ssl_client_certs' %(pre), trans_options(CLIENT_CERTS)), _(NOTE_CLIENT_CERTS))
if CTK.cfg.get_val('%s!ssl_client_certs' %(pre)):
@@ -685,8 +687,8 @@ def __init__ (self, vsrv_num, refreshable):
table.Add (_('Enable HSTS'), CTK.CheckCfgText ('%s!hsts'%(pre), False, _('Accept')), _(NOTE_HSTS))
if int(CTK.cfg.get_val('%s!hsts' %(pre), "0")):
- table.Add (_('HSTS Max-Age'), CTK.TextCfg ('%s!hsts!max_age'%(pre), True, {'optional_string':_("One year")}), _(NOTE_HSTS_MAXAGE))
- table.Add (_('Include Subdomains'), CTK.CheckCfgText ('%s!subdomains'%(pre), True, _('Include all')), _(NOTE_HSTS_SUBDOMAINS))
+ table.Add (_('HSTS Max-Age'), CTK.TextCfg ('%s!hsts!max_age' %(pre), True, {'optional_string':_("31536000")}), _(NOTE_HSTS_MAXAGE))
+ table.Add (_('Include Subdomains'), CTK.CheckCfgText ('%s!hsts!subdomains'%(pre), True, _('Include all')), _(NOTE_HSTS_SUBDOMAINS))
submit = CTK.Submitter (url_apply)
submit.bind ('submit_success', refreshable.JS_to_refresh())
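Review bot: The new HSTS Max-Age placeholder, `{'optional_string':_("31536000")}`, routes a bare number through the translation function, so the literal ends up in the message catalog where a translator can alter it; the previous `_("One year")` is exactly the kind of value that the new `upgrade_to_1_2_102` in config_version.py now has to repair. Use `{'optional_string': "31536000"}` without `_()`, preferably as a module-level constant shared with the upgrade default so the two cannot drift. The row below moves the checkbox key from `%s!subdomains` to `%s!hsts!subdomains`; the hunk does not show the server-side reader, so confirm that the C side reads the new key, since an unhandled rename silently turns off includeSubdomains on existing configurations. The enclosing `__init__` continues outside the hunk.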
@@ -72,6 +72,16 @@ def upgrade_to_1_0_13 (cfg):
del(cfg[key])
+# Converts from 1.0.13 to 1.2.102
+def upgrade_to_1_2_102 (cfg):
+ # Fix HSTS entries with the value "One year".
+ # Eg: vserver!1!hsts!max_age = One year
+ for v in cfg.keys('vserver'):
+ max_age_val = cfg.get_val ('vserver!%s!hsts!max_age'%(v))
+ if max_age_val and not max_age_val.isdigit():
+ cfg['vserver!%s!hsts!max_age'%(v)] = "31536000"
+
+
def config_version_get_current():
ver = configured.VERSION.split ('b')[0]
v1,v2,v3 = ver.split (".")
@@ -145,5 +155,9 @@ def config_version_update_cfg (cfg):
if ver_config_i < 1000013:
upgrade_to_1_0_13 (cfg)
+ # Update to.. 1.2.102
+ if ver_config_i < 1200102:
+ upgrade_to_1_2_102 (cfg)
+
cfg["config!version"] = ver_release_s
return True
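Review bot: `upgrade_to_1_2_102` in the first hunk repairs only `hsts!max_age`, yet the same commit moves the admin checkbox key from `%s!subdomains` to `%s!hsts!subdomains` in PageVServer.py, so an existing `vserver!N!subdomains` entry is neither moved nor removed and the includeSubdomains preference would be silently lost after the upgrade — assuming `pre` in that file expands to `vserver!N`, which this page does not show. Moving the old key inside the same per-vserver loop keeps the migration in one place and is consistent with how `upgrade_to_1_0_13` deletes keys with `del(cfg[key])`. The `isdigit()` guard correctly covers the translated "One year" placeholder in any locale; it also resets any other non-numeric value, which is acceptable since the server cannot use such a value anyway.
```python
def upgrade_to_1_2_102 (cfg):
    for v in cfg.keys('vserver'):
        # … unchanged: max_age repair …

        # Move the HSTS subdomains flag under the hsts!* namespace
        # (the admin UI now reads vserver!N!hsts!subdomains).
        old_key = 'vserver!%s!subdomains'%(v)
        subdomains = cfg.get_val (old_key)
        if subdomains:
            cfg['vserver!%s!hsts!subdomains'%(v)] = subdomains
            del(cfg[old_key])
```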
@@ -61,8 +61,8 @@ def Commit_Rule (self):
if not os.path.exists (cert_dir):
try:
os.makedirs (cert_dir)
- except e:
- return {'ret': 'error', 'errors': {'%s!cert_key'%(PREFIX): str(e)}}
+ except Exception, e:
+ return {'ret': 'error', 'errors': {'%s!gen_autosigned_cert'%(PREFIX): str(e)}}
# Cert files
cert_fp = os.path.join (cert_dir, "autogenerated.crt")
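Review bot: `except Exception, e:` around `os.makedirs (cert_dir)` is broader than the failure it is meant to report; the call raises `OSError`, and catching everything here turns programming errors (for instance `cert_dir` being unset) into a form-field error instead of a visible traceback. Prefer `except OSError, e:`, keeping the file's Python 2 `except X, e` syntax. `str(e)` in the returned error will usually contain the filesystem path; that reaches only the admin interface, which is presumably trusted, so it is acceptable but worth knowing when reviewing what the UI exposes. `Commit_Rule` continues outside the hunk.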
@@ -291,6 +291,7 @@ ret_t cherokee_connection_instance_encoder (cherokee_connection_t *conn);
ret_t cherokee_connection_sleep (cherokee_connection_t *conn, cherokee_msec_t msecs);
void cherokee_connection_update_timeout (cherokee_connection_t *conn);
void cherokee_connection_add_expiration_header (cherokee_connection_t *conn, cherokee_buffer_t *buffer, cherokee_boolean_t use_maxage);
+ret_t cherokee_connection_build_host_string (cherokee_connection_t *conn, cherokee_buffer_t *buf);
ret_t cherokee_connection_build_host_port_string (cherokee_connection_t *conn, cherokee_buffer_t *buf);
/* Iteration
@@ -559,15 +559,38 @@ cherokee_connection_setup_error_handler (cherokee_connection_t *conn)
ret_t
cherokee_connection_setup_hsts_handler (cherokee_connection_t *conn)
{
- ret_t ret;
+ ret_t ret;
+ cherokee_list_t *i;
+ int port = -1;
+ cherokee_server_t *srv = CONN_SRV(conn);
/* Redirect to:
* "https://" + host + request + query_string
*/
- cherokee_buffer_clean (&conn->redirect);
+ cherokee_buffer_clean (&conn->redirect);
+
+ /* 1.- Proto */
cherokee_buffer_add_str (&conn->redirect, "https://");
- cherokee_connection_build_host_port_string (conn, &conn->redirect);
+ /* 2.- Host */
+ cherokee_connection_build_host_string (conn, &conn->redirect);
+
+ /* 3.- Port */
+ list_for_each (i, &srv->listeners) {
+ if (BIND_IS_TLS(i)) {
+ port = BIND(i)->port;
+ break;
+ }
+ }
+
+ if ((port != -1) &&
+ (! http_port_is_standard (port, true)))
+ {
+ cherokee_buffer_add_char (&conn->redirect, ':');
+ cherokee_buffer_add_ulong10 (&conn->redirect, port);
+ }
+
+ /* 4.- Request */
cherokee_buffer_add_buffer (&conn->redirect, &conn->request);
if (conn->query_string.len > 0) {
@@ -875,6 +898,22 @@ build_response_header (cherokee_connection_t *conn,
cherokee_encoder_add_headers (conn->encoder, buffer);
}
}
+
+ /* HSTS support
+ */
+ if ((conn->socket.is_tls == TLS) &&
+ (CONN_VSRV(conn)->hsts.enabled))
+ {
+ cherokee_buffer_add_str (buffer, "Strict-Transport-Security: ");
+ cherokee_buffer_add_str (buffer, "max-age=");
+ cherokee_buffer_add_ulong10 (buffer, (culong_t) CONN_VSRV(conn)->hsts.max_age);
+
+ if (CONN_VSRV(conn)->hsts.subdomains) {
+ cherokee_buffer_add_str (buffer, "; includeSubdomains");
+ }
+
+ cherokee_buffer_add_str (buffer, CRLF);
+ }
}
@@ -2942,8 +2981,8 @@ cherokee_connection_update_timeout (cherokee_connection_t *conn)
ret_t
-cherokee_connection_build_host_port_string (cherokee_connection_t *conn,
- cherokee_buffer_t *buf)
+cherokee_connection_build_host_string (cherokee_connection_t *conn,
+ cherokee_buffer_t *buf)
{
/* 1st choice: Request host */
if (! cherokee_buffer_is_empty (&conn->host)) {
@@ -2964,6 +3003,22 @@ cherokee_connection_build_host_port_string (cherokee_connection_t *conn,
cherokee_buffer_add_buffer (buf, &conn->bind->server_address);
}
+ return ret_ok;
+}
+
+ret_t
+cherokee_connection_build_host_port_string (cherokee_connection_t *conn,
+ cherokee_buffer_t *buf)
+{
+ ret_t ret;
+
+ /* Host
+ */
+ ret = cherokee_connection_build_host_string (conn, buf);
+ if (unlikely (ret != ret_ok)) {
+ return ret_error;
+ }
+
/* Port
*/
if ((conn->bind != NULL) &&
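Review bot: In `cherokee_connection_setup_hsts_handler` (first hunk of this file) the result of `cherokee_connection_build_host_string (conn, &conn->redirect)` is discarded, while the new `cherokee_connection_build_host_port_string` in the last hunk checks the very same call and bails out; the `ret` variable is declared but, as far as the hunk shows, not used at that point. If host construction fails the redirect becomes `https://` followed directly by the request path, so make the check consistent: `ret = cherokee_connection_build_host_string (conn, &conn->redirect);` `if (unlikely (ret != ret_ok)) { return ret_error; }`. The port lookup takes the first TLS entry in `srv->listeners`; with several TLS binds the choice is arbitrary, which deserves a comment such as `/* First TLS listener wins; multiple TLS binds are not distinguished here */`. Both functions continue outside their hunks.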
@@ -388,6 +388,12 @@ _vserver_new (cherokee_cryptor_t *cryp,
options |= SSL_OP_NO_SSLv2;
}
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+ if (vsrv->cipher_server_preference) {
+ options |= SSL_OP_CIPHER_SERVER_PREFERENCE;
+ }
+#endif
+
SSL_CTX_set_options (n->context, options);
/* Set cipher list that vserver will accept.
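Review bot: When the OpenSSL headers do not define `SSL_OP_CIPHER_SERVER_PREFERENCE`, an enabled `vsrv->cipher_server_preference` is silently ignored, and the operator gets no indication that the ordering configured under the cipher list is not being enforced server-side even though the admin UI offers the option. Add an `#else` branch that emits a warning when the flag is set but unsupported, i.e. `#else` followed by `if (vsrv->cipher_server_preference) { WARNING_LOG_MACRO_PLACEHOLDER ("cipher server preference unsupported by this OpenSSL"); }`, substituting whatever logging macro this file already uses. `_vserver_new` continues outside the hunk.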
@@ -277,23 +277,6 @@ cherokee_handler_error_add_headers (cherokee_handler_error_t *hdl, cherokee_buff
cherokee_buffer_add_str (buffer, CRLF);
}
- /* HSTS support
- */
- if ((conn->socket.is_tls != TLS) &&
- (CONN_VSRV(conn)->hsts.enabled) &&
- (conn->error_code == http_moved_permanently))
- {
- cherokee_buffer_add_str (buffer, "Strict-Transport-Security: ");
- cherokee_buffer_add_str (buffer, "max-age=");
- cherokee_buffer_add_ulong10 (buffer, (culong_t) CONN_VSRV(conn)->hsts.max_age);
-
- if (CONN_VSRV(conn)->hsts.subdomains) {
- cherokee_buffer_add_str (buffer, "; includeSubdomains");
- }
-
- cherokee_buffer_add_str (buffer, CRLF);
- }
-
/* Usual headers
*/
cherokee_buffer_add_str (buffer, "Content-Type: text/html"CRLF);
@@ -516,7 +516,7 @@ build_header (cherokee_handler_fcgi_t *hdl, cherokee_buffer_t *buffer)
/* No POST?
*/
- if ((! http_method_with_input (conn->header.method)) || (! conn->post.has_info)) {
+ if ((! http_method_with_input (conn->header.method)) || (! conn->post.has_info) || (! conn->post.len)) {
TRACE (ENTRIES",post", "Post: %s\n", "has no post");
add_empty_packet (hdl, FCGI_STDIN);
}