is a libev-based high performance SSL/TLS proxy that terminates TLS/SSL connections and forwards the unencrypted traffic to some backend.
| configuration.c (hitch-1.5.2) | : | configuration.c (hitch-1.6.0) |
|---|
| | |
| skipping to change at line 151 | | skipping to change at line 151 |
|---|
| front_arg_new(void) | | front_arg_new(void) |
| { | | { |
| struct front_arg *fa; | | struct front_arg *fa; |
| | |
| ALLOC_OBJ(fa, FRONT_ARG_MAGIC); | | ALLOC_OBJ(fa, FRONT_ARG_MAGIC); |
| AN(fa); | | AN(fa); |
| fa->match_global_certs = -1; | | fa->match_global_certs = -1; |
| fa->sni_nomatch_abort = -1; | | fa->sni_nomatch_abort = -1; |
| fa->selected_protos = 0; | | fa->selected_protos = 0; |
| fa->prefer_server_ciphers = -1; | | fa->prefer_server_ciphers = -1; |
|
| | fa->client_verify = -1; |
| | |
| return (fa); | | return (fa); |
| } | | } |
| | |
| void | | void |
| front_arg_destroy(struct front_arg *fa) | | front_arg_destroy(struct front_arg *fa) |
| { | | { |
| struct cfg_cert_file *cf, *cftmp; | | struct cfg_cert_file *cf, *cftmp; |
| | |
| CHECK_OBJ_NOTNULL(fa, FRONT_ARG_MAGIC); | | CHECK_OBJ_NOTNULL(fa, FRONT_ARG_MAGIC); |
| free(fa->ip); | | free(fa->ip); |
| free(fa->port); | | free(fa->port); |
| free(fa->pspec); | | free(fa->pspec); |
|
| free(fa->ciphers); | | free(fa->ciphers_tlsv12); |
| | free(fa->ciphersuites_tlsv13); |
| HASH_ITER(hh, fa->certs, cf, cftmp) { | | HASH_ITER(hh, fa->certs, cf, cftmp) { |
| CHECK_OBJ_NOTNULL(cf, CFG_CERT_FILE_MAGIC); | | CHECK_OBJ_NOTNULL(cf, CFG_CERT_FILE_MAGIC); |
| HASH_DEL(fa->certs, cf); | | HASH_DEL(fa->certs, cf); |
| cfg_cert_file_free(&cf); | | cfg_cert_file_free(&cf); |
| } | | } |
| FREE_OBJ(fa); | | FREE_OBJ(fa); |
| } | | } |
| | |
| hitch_config * | | hitch_config * |
| config_new(void) | | config_new(void) |
| | |
| skipping to change at line 203 | | skipping to change at line 205 |
|---|
| r->PROXY_PROXY_LINE = 0; | | r->PROXY_PROXY_LINE = 0; |
| r->ALPN_PROTOS = NULL; | | r->ALPN_PROTOS = NULL; |
| r->ALPN_PROTOS_LV = NULL; | | r->ALPN_PROTOS_LV = NULL; |
| r->ALPN_PROTOS_LV_LEN = 0; | | r->ALPN_PROTOS_LV_LEN = 0; |
| r->CHROOT = NULL; | | r->CHROOT = NULL; |
| r->UID = -1; | | r->UID = -1; |
| r->GID = -1; | | r->GID = -1; |
| r->BACK_IP = strdup("127.0.0.1"); | | r->BACK_IP = strdup("127.0.0.1"); |
| r->BACK_PORT = strdup("8000"); | | r->BACK_PORT = strdup("8000"); |
| r->NCORES = 1; | | r->NCORES = 1; |
|
| r->CIPHER_SUITE = strdup(CFG_DEFAULT_CIPHERS); | | r->CIPHERS_TLSv12 = strdup(CFG_DEFAULT_CIPHERS); |
| r->ENGINE = NULL; | | r->ENGINE = NULL; |
| r->BACKLOG = 100; | | r->BACKLOG = 100; |
| r->SNI_NOMATCH_ABORT = 0; | | r->SNI_NOMATCH_ABORT = 0; |
| r->CERT_DEFAULT = NULL; | | r->CERT_DEFAULT = NULL; |
| r->CERT_FILES = NULL; | | r->CERT_FILES = NULL; |
| r->LISTEN_ARGS = NULL; | | r->LISTEN_ARGS = NULL; |
| r->PEM_DIR = NULL; | | r->PEM_DIR = NULL; |
| r->OCSP_DIR = strdup("/var/lib/hitch/"); | | r->OCSP_DIR = strdup("/var/lib/hitch/"); |
| AN(r->OCSP_DIR); | | AN(r->OCSP_DIR); |
| r->OCSP_VFY = 0; | | r->OCSP_VFY = 0; |
| r->OCSP_RESP_TMO = 10.0; | | r->OCSP_RESP_TMO = 10.0; |
| r->OCSP_CONN_TMO = 4.0; | | r->OCSP_CONN_TMO = 4.0; |
| r->OCSP_REFRESH_INTERVAL = 1800; | | r->OCSP_REFRESH_INTERVAL = 1800; |
|
| | r->CLIENT_VERIFY = SSL_VERIFY_NONE; |
| | r->CLIENT_VERIFY_CA = NULL; |
| #ifdef TCP_FASTOPEN_WORKS | | #ifdef TCP_FASTOPEN_WORKS |
| r->TFO = 0; | | r->TFO = 0; |
| #endif | | #endif |
| | |
| #ifdef USE_SHARED_CACHE | | #ifdef USE_SHARED_CACHE |
| r->SHARED_CACHE = 0; | | r->SHARED_CACHE = 0; |
| r->SHCUPD_IP = NULL; | | r->SHCUPD_IP = NULL; |
| r->SHCUPD_PORT = NULL; | | r->SHCUPD_PORT = NULL; |
| | |
| for (i = 0 ; i < MAX_SHCUPD_PEERS; i++) | | for (i = 0 ; i < MAX_SHCUPD_PEERS; i++) |
| memset(&r->SHCUPD_PEERS[i], 0, sizeof(shcupd_peer_opt)); | | memset(&r->SHCUPD_PEERS[i], 0, sizeof(shcupd_peer_opt)); |
| | |
| r->SHCUPD_MCASTIF = NULL; | | r->SHCUPD_MCASTIF = NULL; |
| r->SHCUPD_MCASTTTL = NULL; | | r->SHCUPD_MCASTTTL = NULL; |
| #endif | | #endif |
| | |
|
| r->LOG_LEVEL = 0; | | r->LOG_LEVEL = 1; |
| r->SYSLOG = 0; | | r->SYSLOG = 0; |
| r->SYSLOG_FACILITY = LOG_DAEMON; | | r->SYSLOG_FACILITY = LOG_DAEMON; |
| r->TCP_KEEPALIVE_TIME = 3600; | | r->TCP_KEEPALIVE_TIME = 3600; |
| r->BACKEND_REFRESH_TIME = 0; | | r->BACKEND_REFRESH_TIME = 0; |
| r->DAEMONIZE = 0; | | r->DAEMONIZE = 0; |
| r->PREFER_SERVER_CIPHERS = 0; | | r->PREFER_SERVER_CIPHERS = 0; |
| r->TEST = 0; | | r->TEST = 0; |
| | |
| r->BACKEND_CONNECT_TIMEOUT = 30; | | r->BACKEND_CONNECT_TIMEOUT = 30; |
| r->SSL_HANDSHAKE_TIMEOUT = 30; | | r->SSL_HANDSHAKE_TIMEOUT = 30; |
| | |
| skipping to change at line 292 | | skipping to change at line 296 |
|---|
| free(cfg->BACK_PORT); | | free(cfg->BACK_PORT); |
| HASH_ITER(hh, cfg->CERT_FILES, cf, cftmp) { | | HASH_ITER(hh, cfg->CERT_FILES, cf, cftmp) { |
| CHECK_OBJ_NOTNULL(cf, CFG_CERT_FILE_MAGIC); | | CHECK_OBJ_NOTNULL(cf, CFG_CERT_FILE_MAGIC); |
| HASH_DEL(cfg->CERT_FILES, cf); | | HASH_DEL(cfg->CERT_FILES, cf); |
| cfg_cert_file_free(&cf); | | cfg_cert_file_free(&cf); |
| } | | } |
| | |
| if (cfg->CERT_DEFAULT != NULL) | | if (cfg->CERT_DEFAULT != NULL) |
| cfg_cert_file_free(&cfg->CERT_DEFAULT); | | cfg_cert_file_free(&cfg->CERT_DEFAULT); |
| | |
|
| free(cfg->CIPHER_SUITE); | | free(cfg->CIPHERS_TLSv12); |
| | free(cfg->CIPHERSUITES_TLSv13); |
| free(cfg->ENGINE); | | free(cfg->ENGINE); |
| free(cfg->PIDFILE); | | free(cfg->PIDFILE); |
| free(cfg->OCSP_DIR); | | free(cfg->OCSP_DIR); |
| free(cfg->ALPN_PROTOS); | | free(cfg->ALPN_PROTOS); |
| free(cfg->ALPN_PROTOS_LV); | | free(cfg->ALPN_PROTOS_LV); |
| free(cfg->PEM_DIR); | | free(cfg->PEM_DIR); |
| free(cfg->PEM_DIR_GLOB); | | free(cfg->PEM_DIR_GLOB); |
|
| | free(cfg->CLIENT_VERIFY_CA); |
| #ifdef USE_SHARED_CACHE | | #ifdef USE_SHARED_CACHE |
| int i; | | int i; |
| free(cfg->SHCUPD_IP); | | free(cfg->SHCUPD_IP); |
| free(cfg->SHCUPD_PORT); | | free(cfg->SHCUPD_PORT); |
| | |
| for (i = 0; i < MAX_SHCUPD_PEERS; i++) { | | for (i = 0; i < MAX_SHCUPD_PEERS; i++) { |
| free(cfg->SHCUPD_PEERS[i].ip); | | free(cfg->SHCUPD_PEERS[i].ip); |
| free(cfg->SHCUPD_PEERS[i].port); | | free(cfg->SHCUPD_PEERS[i].port); |
| } | | } |
| | |
| | |
| skipping to change at line 842 | | skipping to change at line 848 |
|---|
| assert(k != NULL); | | assert(k != NULL); |
| assert(v != NULL); | | assert(v != NULL); |
| assert(strlen(k) >= 2); | | assert(strlen(k) >= 2); |
| | |
| if (strcmp(k, "tls") == 0) { | | if (strcmp(k, "tls") == 0) { |
| cfg->SELECTED_TLS_PROTOS = TLS_OPTION_PROTOS; | | cfg->SELECTED_TLS_PROTOS = TLS_OPTION_PROTOS; |
| } else if (strcmp(k, "ssl") == 0) { | | } else if (strcmp(k, "ssl") == 0) { |
| cfg->SELECTED_TLS_PROTOS = SSL_OPTION_PROTOS; | | cfg->SELECTED_TLS_PROTOS = SSL_OPTION_PROTOS; |
| } else if (strcmp(k, CFG_CIPHERS) == 0) { | | } else if (strcmp(k, CFG_CIPHERS) == 0) { |
| if (strlen(v) > 0) { | | if (strlen(v) > 0) { |
|
| config_assign_str(&cfg->CIPHER_SUITE, v); | | config_assign_str(&cfg->CIPHERS_TLSv12, v); |
| } | | } |
| } else if (strcmp(k, CFG_SSL_ENGINE) == 0) { | | } else if (strcmp(k, CFG_SSL_ENGINE) == 0) { |
| if (strlen(v) > 0) { | | if (strlen(v) > 0) { |
| config_assign_str(&cfg->ENGINE, v); | | config_assign_str(&cfg->ENGINE, v); |
| } | | } |
| } else if (strcmp(k, CFG_PREFER_SERVER_CIPHERS) == 0) { | | } else if (strcmp(k, CFG_PREFER_SERVER_CIPHERS) == 0) { |
| r = config_param_val_bool(v, &cfg->PREFER_SERVER_CIPHERS); | | r = config_param_val_bool(v, &cfg->PREFER_SERVER_CIPHERS); |
| } else if (strcmp(k, CFG_FRONTEND) == 0) { | | } else if (strcmp(k, CFG_FRONTEND) == 0) { |
| struct front_arg *fa; | | struct front_arg *fa; |
| struct cfg_cert_file *cert; | | struct cfg_cert_file *cert; |
| | |
| skipping to change at line 1231 | | skipping to change at line 1237 |
|---|
| fprintf(out, "Usage: %s [OPTIONS] PEM\n\n", basename(prog)); | | fprintf(out, "Usage: %s [OPTIONS] PEM\n\n", basename(prog)); |
| fprintf(out, "This is hitch, The Scalable TLS Unwrapping Daemon.\n\n"); | | fprintf(out, "This is hitch, The Scalable TLS Unwrapping Daemon.\n\n"); |
| fprintf(out, "CONFIGURATION:\n"); | | fprintf(out, "CONFIGURATION:\n"); |
| fprintf(out, "\n"); | | fprintf(out, "\n"); |
| fprintf(out, " --config=FILE Load configuration from specifie
d file.\n"); | | fprintf(out, " --config=FILE Load configuration from specifie
d file.\n"); |
| fprintf(out, "\n"); | | fprintf(out, "\n"); |
| fprintf(out, "ENCRYPTION METHODS:\n"); | | fprintf(out, "ENCRYPTION METHODS:\n"); |
| fprintf(out, "\n"); | | fprintf(out, "\n"); |
| fprintf(out, " --tls TLSv1 (default. No SSLv3)\n")
; | | fprintf(out, " --tls TLSv1 (default. No SSLv3)\n")
; |
| fprintf(out, " --ssl SSLv3 (enables SSLv3)\n"); | | fprintf(out, " --ssl SSLv3 (enables SSLv3)\n"); |
|
| fprintf(out, " -c --ciphers=SUITE Sets allowed ciphers (Default
: \"%s\")\n", config_disp_str(cfg->CIPHER_SUITE)); | | fprintf(out, " -c --ciphers=SUITE Sets allowed ciphers (Default
: \"%s\")\n", config_disp_str(cfg->CIPHERS_TLSv12)); |
| fprintf(out, " -e --ssl-engine=NAME Sets OpenSSL engine (Default:
\"%s\")\n", config_disp_str(cfg->ENGINE)); | | fprintf(out, " -e --ssl-engine=NAME Sets OpenSSL engine (Default:
\"%s\")\n", config_disp_str(cfg->ENGINE)); |
| fprintf(out, " -O --prefer-server-ciphers Prefer server list order\n"); | | fprintf(out, " -O --prefer-server-ciphers Prefer server list order\n"); |
| fprintf(out, "\n"); | | fprintf(out, "\n"); |
| fprintf(out, "SOCKET:\n"); | | fprintf(out, "SOCKET:\n"); |
| fprintf(out, "\n"); | | fprintf(out, "\n"); |
| fprintf(out, " --client Enable client proxy mode\n"); | | fprintf(out, " --client Enable client proxy mode\n"); |
| fprintf(out, " -b --backend=[HOST]:PORT Backend [connect] (default is
\"%s\")\n", config_disp_hostport(cfg->BACK_IP, cfg->BACK_PORT)); | | fprintf(out, " -b --backend=[HOST]:PORT Backend [connect] (default is
\"%s\")\n", config_disp_hostport(cfg->BACK_IP, cfg->BACK_PORT)); |
| fprintf(out, " The -b argument can also take
a UNIX domain socket path\n"); | | fprintf(out, " The -b argument can also take
a UNIX domain socket path\n"); |
| fprintf(out, " E.g. --backend=\"/path/to/soc
k\"\n"); | | fprintf(out, " E.g. --backend=\"/path/to/soc
k\"\n"); |
| fprintf(out, " -f --frontend=[HOST]:PORT[+CERT] Frontend [bind] (def
ault is \"%s\")\n", config_disp_hostport(cfg->LISTEN_DEFAULT->ip, cfg->LISTEN_DE
FAULT->port)); | | fprintf(out, " -f --frontend=[HOST]:PORT[+CERT] Frontend [bind] (def
ault is \"%s\")\n", config_disp_hostport(cfg->LISTEN_DEFAULT->ip, cfg->LISTEN_DE
FAULT->port)); |
| | |
| skipping to change at line 1383 | | skipping to change at line 1389 |
|---|
| cfg->ALPN_PROTOS_LV[i] = (unsigned char)(j - i - 1); | | cfg->ALPN_PROTOS_LV[i] = (unsigned char)(j - i - 1); |
| cfg->ALPN_PROTOS_LV_LEN = l + 1; | | cfg->ALPN_PROTOS_LV_LEN = l + 1; |
| } | | } |
| return (1); // ok! | | return (1); // ok! |
| } | | } |
| | |
| int | | int |
| config_parse_cli(int argc, char **argv, hitch_config *cfg) | | config_parse_cli(int argc, char **argv, hitch_config *cfg) |
| { | | { |
| static int tls = 0, ssl = 0; | | static int tls = 0, ssl = 0; |
|
| | struct front_arg *fa, *fatmp; |
| static int client = 0; | | static int client = 0; |
| int c, i; | | int c, i; |
| | |
| optind = 1; | | optind = 1; |
| | |
| struct option long_options[] = { | | struct option long_options[] = { |
| { CFG_CONFIG, 1, NULL, CFG_PARAM_CFGFILE }, | | { CFG_CONFIG, 1, NULL, CFG_PARAM_CFGFILE }, |
| { "tls", 0, &tls, 1}, | | { "tls", 0, &tls, 1}, |
| { "ssl", 0, &ssl, 1}, | | { "ssl", 0, &ssl, 1}, |
| { "client", 0, &client, 1}, | | { "client", 0, &client, 1}, |
| | |
| skipping to change at line 1572 | | skipping to change at line 1579 |
|---|
| cfg->PMODE = SSL_CLIENT; | | cfg->PMODE = SSL_CLIENT; |
| | |
| if ((!!cfg->WRITE_IP_OCTET + !!cfg->PROXY_PROXY_LINE + | | if ((!!cfg->WRITE_IP_OCTET + !!cfg->PROXY_PROXY_LINE + |
| !!cfg->WRITE_PROXY_LINE_V1 + !!cfg->WRITE_PROXY_LINE_V2) >= 2) { | | !!cfg->WRITE_PROXY_LINE_V1 + !!cfg->WRITE_PROXY_LINE_V2) >= 2) { |
| config_error_set("Options --write-ip, --write-proxy-proxy," | | config_error_set("Options --write-ip, --write-proxy-proxy," |
| " --write-proxy-v1 and --write-proxy-v2 are" | | " --write-proxy-v1 and --write-proxy-v2 are" |
| " mutually exclusive."); | | " mutually exclusive."); |
| return (1); | | return (1); |
| } | | } |
| | |
|
| | if (cfg->CLIENT_VERIFY != SSL_VERIFY_NONE && |
| | cfg->CLIENT_VERIFY_CA == NULL) { |
| | config_error_set("Setting 'client-verify-ca' is required when" |
| | " configuring client-verify"); |
| | return (1); |
| | } |
| | |
| | HASH_ITER(hh, cfg->LISTEN_ARGS, fa, fatmp) { |
| | if (fa->client_verify != -1 && |
| | fa->client_verify != SSL_VERIFY_NONE) { |
| | if (!fa->client_verify_ca && !cfg->CLIENT_VERIFY_CA) { |
| | config_error_set("No 'client-verify-ca' " |
| | "configured for frontend '%s'", |
| | fa->pspec); |
| | return (1); |
| | } |
| | } |
| | |
| | } |
| | |
| #ifdef USE_SHARED_CACHE | | #ifdef USE_SHARED_CACHE |
| if (cfg->SHCUPD_IP != NULL && ! cfg->SHARED_CACHE) { | | if (cfg->SHCUPD_IP != NULL && ! cfg->SHARED_CACHE) { |
| config_error_set("Shared cache update listener is defined," | | config_error_set("Shared cache update listener is defined," |
| " but shared cache is disabled."); | | " but shared cache is disabled."); |
| return (1); | | return (1); |
| } | | } |
| #endif | | #endif |
| | |
| /* ALPN/NPN protocol negotiation additional configuration and error | | /* ALPN/NPN protocol negotiation additional configuration and error |
| handling */ | | handling */ |
| | |
| skipping to change at line 1653 | | skipping to change at line 1680 |
|---|
| return (1); | | return (1); |
| } | | } |
| } | | } |
| | |
| if (cfg->PEM_DIR != NULL) { | | if (cfg->PEM_DIR != NULL) { |
| if (config_scan_pem_dir(cfg->PEM_DIR, cfg)) | | if (config_scan_pem_dir(cfg->PEM_DIR, cfg)) |
| return (1); | | return (1); |
| } | | } |
| | |
| if (cfg->PMODE == SSL_SERVER && cfg->CERT_DEFAULT == NULL) { | | if (cfg->PMODE == SSL_SERVER && cfg->CERT_DEFAULT == NULL) { |
|
| struct front_arg *fa, *fatmp; | | |
| HASH_ITER(hh, cfg->LISTEN_ARGS, fa, fatmp) | | HASH_ITER(hh, cfg->LISTEN_ARGS, fa, fatmp) |
| if (HASH_CNT(hh, fa->certs) == 0) { | | if (HASH_CNT(hh, fa->certs) == 0) { |
| config_error_set("No x509 certificate PEM file " | | config_error_set("No x509 certificate PEM file " |
| "specified for frontend '%s'!", fa->pspec); | | "specified for frontend '%s'!", fa->pspec); |
| return (1); | | return (1); |
| } | | } |
| } | | } |
| | |
| if (cfg->OCSP_DIR != NULL) { | | if (cfg->OCSP_DIR != NULL) { |
| struct stat sb; | | struct stat sb; |
| | | |
| End of changes. 12 change blocks. |
|---|
| 7 lines changed or deleted | | 33 lines changed or added |
|---|
"Fossies" - the Fresh Open Source Software Archive 