
- lophttpd: add SO_REUSEPORT where supported, add TLSv1.1 and TLSv1.2…

… support
stealth committed Oct 30, 2014
1 parent 80a0383 commit 2f085c42c4dc7f37cfc7d561de386ae998f84b5c
Showing with 37 additions and 4 deletions.
  1. +5 −0 HINTS
  2. +16 −1 README.md
  3. +5 −0 socket.cc
  4. +11 −3 ssl.cc
5 HINTS
@@ -12,6 +12,11 @@ in general:
iptables -t raw -A PREROUTING -p tcp --dport 80 -j NOTRACK
iptables -t raw -A OUTPUT -p tcp --sport 80 -j NOTRACK
or in the new shape:
iptables -t raw -A PREROUTING -p tcp --dport 80 -j CT --notrack
iptables -t raw -A OUTPUT -p tcp --sport 80 -j CT --notrack
This really buys you connection performance.
- Whenever possible use the "mmap" log provider, it really rocks.
@@ -53,6 +53,21 @@ Features
* transparent seccomp sandbox support for Linux
* comes with a separate frontend revproxy that also supports load balancing
Build
-----
Check the `Makefile` for the platform of your choice and enable or disable stuff
you want to use (e.g. sandboxing or libressl) or do not want or just leave it as is.
If you want TLS support with ephemeral keying:
$ ./newdh
then
$ make -f Makefile.osx
Run
---
@@ -249,7 +264,7 @@ submitted documents which nobody can download.
HTTPS
-----
Since version 0.98, _lophttpd_ supports HTTPS (TLSv1). Just generate
Since version 0.98, _lophttpd_ supports HTTPS (TLSv1+). Just generate
a public/private keypair:
$ openssl genrsa -out serverkey.pem 4096
@@ -83,6 +83,11 @@ int reuse(int sock)
return -1;
}
#ifdef SO_REUSEPORT
one = 1;
setsockopt(sock, SOL_SOCKET, SO_REUSEPORT, &one, len);
#endif
return 0;
}
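Review bot: The return value of the added `setsockopt(sock, SOL_SOCKET, SO_REUSEPORT, &one, len)` is discarded, whereas the option set just before it in the same function fails the call with `return -1` on error; on a kernel whose headers define the constant but which rejects it the server would silently continue without it, so the new call should be checked the same way (or at least logged). `one` and `len` are reused from the earlier call and are set outside the hunk, so `len` presumably still equals `sizeof(one)` — worth confirming. A comment on the `#ifdef` such as `// SO_REUSEPORT: on Linux every socket bound with this option under the same effective UID shares the port and incoming connections are spread across them, so the option is only appropriate when no untrusted process runs under that UID` would document the trade-off being made. `reuse()` begins outside the hunk.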
14 ssl.cc
@@ -52,7 +52,7 @@ using namespace std;
#ifdef USE_CIPHERS
string ciphers = USE_CIPHERS;
#else
string ciphers = "!LOW:!EXP:!MD5:!CAMELLIA:!RC4:!MEDIUM:!DES:!ADH:kDHE:RSA:AES256:SHA256:SHA384:IDEA:@STRENGTH";
string ciphers = "!LOW:!EXP:!MD5:!CAMELLIA:!RC4:!MEDIUM:!DES:!ADH:kDHE:RSA:AESGCM:AES256:AES128:SHA256:SHA384:IDEA:@STRENGTH";
#endif
@@ -87,8 +87,8 @@ int ssl_container::init(const map<string, string> &certs, const map<string, stri
OpenSSL_add_all_algorithms();
OpenSSL_add_all_digests();
if ((ssl_method = TLSv1_server_method()) == NULL) {
err = "ssl_container::init::TLSv1_server_method:";
if ((ssl_method = SSLv23_server_method()) == NULL) {
err = "ssl_container::init::SSLv23_server_method:";
err += ERR_error_string(ERR_get_error(), NULL);
return -1;
}
@@ -100,6 +100,8 @@ int ssl_container::init(const map<string, string> &certs, const map<string, stri
string cpath = "", kpath = "", host = "";
SSL_CTX *ssl_ctx = NULL;
long op = SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_SINGLE_DH_USE;
for (map<string, string>::const_iterator it = certs.begin(); it != certs.end(); ++it) {
if (keys.count(it->first) == 0) {
@@ -140,6 +142,12 @@ int ssl_container::init(const map<string, string> &certs, const map<string, stri
return -1;
}
if ((SSL_CTX_set_options(ssl_ctx, op) & op) != op) {
err = "ssl_container::init::SSL_CTX_set_options:";
err += ERR_error_string(ERR_get_error(), NULL);
return -1;
}
SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_SERVER);
// check for DHE and enable it if there are parameters
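Review bot: With `TLSv1_server_method()` replaced by `SSLv23_server_method()` the client now drives the version negotiation and, because the `long op = SSL_OP_ALL|...` line does not set `SSL_OP_CIPHER_SERVER_PREFERENCE`, also the cipher choice, so the AESGCM-first ordering added to `ciphers` is only a hint to clients; the same line also omits `SSL_OP_NO_COMPRESSION`, which an OpenSSL built with zlib would otherwise leave enabled. Suggested line: `long op = SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_COMPRESSION|SSL_OP_CIPHER_SERVER_PREFERENCE|SSL_OP_SINGLE_DH_USE;`. Note too that `SSL_OP_ALL` includes `SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS`, which disables the CBC empty-fragment countermeasure for the TLSv1.0 sessions the server still accepts. The new cipher string selects by positive aliases (`RSA`, `SHA256`, `SHA384`) without an explicit `!eNULL:!aNULL`, so it is worth confirming with `openssl ciphers -v` that no NULL-encryption suites are admitted. `ssl_container::init` starts and ends outside the hunks.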

