On Monday 15 August 2016 13:04:43 Reyk Floeter wrote:
> On Sat, Aug 13, 2016 at 02:57:14AM +1000, Joel Sing wrote:
> > The following diff makes httpd stricter with respect to TLS configuration:
> >
> > - Do not allow TLS and non-TLS to be configured on the same port.
> > - Do not allow TLS options to be specified without a TLS listener.
> > - Ensure that TLS options are the same when a server is specified on the
> >   same address/port.
> >
> > Currently, these configurations are permitted but do not work as intended.
> >
> > This also factors out (and reuses) the server matching code that was
> > already duplicated.
> >
> > ok?
>
> - I think server_match() and server_tls_cmp() can both live in
> server.c (server_match() somewhere close to server_foreach() - this
> match function can be used for at least one other case outside of
> parse.y).

I've moved server_tls_cmp() to server.c; however, I'm not sure it makes sense for server_match(), since it operates on conf (a global declared in parse.y) and I do not see any identical matching (the closest seems to be the code in server_privinit(), but it still differs).

> - As discussed before, for consistency with the config, please use
> "tls" instead of "TLS" in the log messages.

Agreed, I'll handle this in a separate commit.

> FYI, the SNI diff doesn't like the tls_cert_file and tls_key_file
> checks in server_tls_cmp(), as they now become valid, but they can be
> removed/changed later.

Yes, they are independent diffs, and we'll need to relax the restrictions slightly when we enable SNI.

> Otherwise OK reyk@

Thanks.
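As an added illustration of the three checks the diff introduces, here is a small, self-contained C validator modelled on the rules quoted above. It is not httpd's code: struct srv, validate_config(), check_sample() and the sample certificate/key paths are hypothetical constructions, and srv_tls_cmp() only stands in for the real server_tls_cmp(). Each sample configuration is constructed inline so the example runs offline.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified server block; not httpd's struct server. */
struct srv {
	const char	*name, *addr;
	int		 port;
	int		 tls;			/* listener configured with "tls" */
	const char	*cert_file, *key_file;	/* TLS options; NULL when unset */
	const char	*ciphers, *protocols;
};

/* NULL-safe string equality: two unset options count as equal. */
static int
str_eq(const char *a, const char *b)
{
	return ((a == NULL || b == NULL) ? a == b : strcmp(a, b) == 0);
}

/* Stand-in for server_tls_cmp(): do all TLS options match? */
static int
srv_tls_cmp(const struct srv *a, const struct srv *b)
{
	return (str_eq(a->cert_file, b->cert_file) &&
	    str_eq(a->key_file, b->key_file) &&
	    str_eq(a->ciphers, b->ciphers) &&
	    str_eq(a->protocols, b->protocols));
}

/* Apply the three checks from the thread: 0 if consistent, -1 + message. */
int
validate_config(const struct srv *s, size_t n, char *err, size_t errlen)
{
	size_t i, j;

	for (i = 0; i < n; i++) {
		/* TLS options given for a listener that does not speak TLS. */
		if (!s[i].tls && (s[i].cert_file != NULL ||
		    s[i].key_file != NULL || s[i].ciphers != NULL ||
		    s[i].protocols != NULL)) {
			snprintf(err, errlen, "server \"%s\": tls options "
			    "without tls listener", s[i].name);
			return (-1);
		}
		for (j = 0; j < i; j++) {
			if (s[i].port != s[j].port ||
			    strcmp(s[i].addr, s[j].addr) != 0)
				continue;	/* different address/port */
			if (s[i].tls != s[j].tls) {
				snprintf(err, errlen, "server \"%s\": tls and "
				    "non-tls on %s:%d", s[i].name, s[i].addr,
				    s[i].port);
				return (-1);
			}
			if (s[i].tls && !srv_tls_cmp(&s[i], &s[j])) {
				snprintf(err, errlen, "server \"%s\": tls "
				    "options differ from \"%s\"", s[i].name,
				    s[j].name);
				return (-1);
			}
		}
	}
	return (0);
}

/* Constructed sample configurations; the paths are placeholders. */
#define CRT "/etc/ssl/example.crt"
#define KEY "/etc/ssl/private/example.key"
static const struct srv good[] = {	/* shared options on 443, plain 80 */
	{ "a", "*", 443, 1, CRT, KEY, NULL, NULL },
	{ "b", "*", 443, 1, CRT, KEY, NULL, NULL },
	{ "c", "*", 80, 0, NULL, NULL, NULL, NULL },
};
static const struct srv mixed[] = {	/* tls and non-tls on 443 */
	{ "a", "*", 443, 1, CRT, KEY, NULL, NULL },
	{ "b", "*", 443, 0, NULL, NULL, NULL, NULL },
};
static const struct srv orphan[] = {	/* tls options, no tls listener */
	{ "a", "*", 80, 0, CRT, KEY, NULL, NULL },
};
static const struct srv differ[] = {	/* ciphers differ on 443 */
	{ "a", "*", 443, 1, CRT, KEY, "compat", NULL },
	{ "b", "*", 443, 1, CRT, KEY, "secure", NULL },
};

/* Validate a sample, print the verdict, return validate_config()'s result. */
int
check_sample(const struct srv *s, size_t n)
{
	char err[128] = "";
	int rv = validate_config(s, n, err, sizeof(err));
	printf("%s%s\n", rv == 0 ? "accepted" : "rejected: ", err);
	return (rv);
}

int
main(void)
{
	check_sample(good, 3);
	check_sample(mixed, 2);
	check_sample(orphan, 1);
	check_sample(differ, 2);
	return (0);
}
```

The pairwise loop only compares servers that share an address and port, which is the same scoping the diff's server matching applies; once SNI is supported, the cert_file/key_file comparisons would be the ones to relax, as noted in the thread.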
