MEDIUM: ssl: add support for SNI and wildcard certificates

A side effect of this change is that the "ssl" keyword on "bind" lines is now
just a boolean and that "crt" is needed to designate certificate files or
directories.

Note that much refcounting was needed to have the free() work correctly due to
the number of cert aliases which can make a context be shared by multiple names.
diff --git a/include/types/protocols.h b/include/types/protocols.h
index 1ff448e..bd8b355 100644
--- a/include/types/protocols.h
+++ b/include/types/protocols.h
@@ -98,11 +98,12 @@
 struct ssl_conf {
 #ifdef USE_OPENSSL
 	char *ciphers;             /* cipher suite to use if non-null */
-	char *cert;                /* ssl main certificate */
 	int nosslv3;               /* disable SSLv3 */
 	int notlsv1;               /* disable TLSv1 */
 	int prefer_server_ciphers; /* Prefer server ciphers */
-	SSL_CTX *ctx;              /* SSL configuration */
+	SSL_CTX *default_ctx;      /* SSL context of first/default certificate */
+	struct eb_root sni_ctx;    /* sni_ctx tree of all known certs full-names sorted by name */
+	struct eb_root sni_w_ctx;  /* sni_ctx tree of all known certs wildcards sorted by name */
 #endif
 	int ref_cnt;               /* number of users of this config, maybe 0 on error */
 	struct list by_fe;         /* next binding for the same frontend, or NULL */
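Review bot: The comments on `default_ctx`, `sni_ctx` and `sni_w_ctx` do not say who owns each `SSL_CTX`, and the `ref_cnt` field below them counts users of the whole `ssl_conf`, not of an individual context. The commit message says one context can be shared by multiple names, so teardown needs a stated rule to avoid calling `SSL_CTX_free()` twice on the same pointer or leaving a tree entry that points at a freed context. I would extend the comment, for example `SSL_CTX *default_ctx; /* context of first/default certificate; may also be referenced from sni_ctx/sni_w_ctx entries, freed only by <release function> */`. The struct's closing brace lies outside this hunk, so any teardown helpers or further fields are not visible here.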
diff --git a/include/types/ssl_sock.h b/include/types/ssl_sock.h
new file mode 100644
index 0000000..1ded15e
--- /dev/null
+++ b/include/types/ssl_sock.h
@@ -0,0 +1,34 @@
+/*
+ * include/types/ssl_sock.h
+ * SSL settings for listeners and servers
+ *
+ * Copyright (C) 2012 EXCELIANCE, Emeric Brun <ebrun@exceliance.fr>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation, version 2.1
+ * exclusively.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ */
+
+#ifndef _TYPES_SSL_SOCK_H
+#define _TYPES_SSL_SOCK_H
+
+#include <openssl/ssl.h>
+#include <ebmbtree.h>
+
+struct sni_ctx {
+	SSL_CTX *ctx;             /* context associated to the certificate */
+	int order;                /* load order for the certificate */
+	struct ebmb_node name;    /* node holding the servername value */
+};
+
+#endif /* _TYPES_SSL_SOCK_H */
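Review bot: `name` has to stay the last member of `struct sni_ctx`, and nothing in the header says so. As far as I know `struct ebmb_node` ends with its key bytes, so the servername is stored past the end of the struct and each allocation must be `sizeof(struct sni_ctx)` plus the name length plus the terminator. A member added after `name`, or an allocation of plain `sizeof`, would let the key overwrite adjacent memory. I would write `struct ebmb_node name; /* node holding the servername value; MUST remain last, key bytes follow the struct */`. The comment could also state the stored form of the key (lower-cased or not, with or without the leading `*` for wildcard entries), because the handshake-time lookup has to normalise the client-supplied name the same way.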