walkero/nghttp2
1
0
Fork 0
Code Issues Pull Requests Projects Releases 1 Wiki Activity

nghttpx: Add --client-private-key-file and --client-cert-file options

Browse Source
This commit is contained in:
Tatsuhiro Tsujikawa 2013-11-02 22:58:02 +09:00
parent 5bb7066474
commit 69967aeef8
4 changed files with 52 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
src/shrpx.cc
View File

@ -418,6 +418,8 @@ void fill_default_config()
mod_config()->npn_list = nullptr; mod_config()->npn_list = nullptr;
mod_config()->verify_client = false; mod_config()->verify_client = false;
mod_config()->verify_client_cacert = nullptr; mod_config()->verify_client_cacert = nullptr;
mod_config()->client_private_key_file = nullptr;
mod_config()->client_cert_file = nullptr;
} }
} // namespace } // namespace
@ -600,6 +602,13 @@ void print_help(std::ostream& out)
<< " to verify client certificate.\n" << " to verify client certificate.\n"
<< " The file must be in PEM format. It can\n" << " The file must be in PEM format. It can\n"
<< " contain multiple certificates.\n" << " contain multiple certificates.\n"
<< " --client-private-key-file=<PATH>\n"
<< " Path to file that contains client private\n"
<< " key used in backend client authentication.\n"
<< " --client-cert-file=<PATH>\n"
<< " Path to file that contains client\n"
<< " certificate used in backend client\n"
<< " authentication.\n"
<< "\n" << "\n"
<< " HTTP/2.0 and SPDY:\n" << " HTTP/2.0 and SPDY:\n"
<< " -c, --spdy-max-concurrent-streams=<NUM>\n" << " -c, --spdy-max-concurrent-streams=<NUM>\n"
@ -739,8 +748,11 @@ int main(int argc, char **argv)
{"npn-list", required_argument, &flag, 38}, {"npn-list", required_argument, &flag, 38},
{"verify-client", no_argument, &flag, 39}, {"verify-client", no_argument, &flag, 39},
{"verify-client-cacert", required_argument, &flag, 40}, {"verify-client-cacert", required_argument, &flag, 40},
{"client-private-key-file", required_argument, &flag, 41},
{"client-cert-file", required_argument, &flag, 42},
{nullptr, 0, nullptr, 0 } {nullptr, 0, nullptr, 0 }
}; };
int option_index = 0; int option_index = 0;
int c = getopt_long(argc, argv, "DL:b:c:f:hkn:psv", long_options, int c = getopt_long(argc, argv, "DL:b:c:f:hkn:psv", long_options,
&option_index); &option_index);
@ -951,6 +963,15 @@ int main(int argc, char **argv)
cmdcfgs.push_back(std::make_pair(SHRPX_OPT_VERIFY_CLIENT_CACERT, cmdcfgs.push_back(std::make_pair(SHRPX_OPT_VERIFY_CLIENT_CACERT,
optarg)); optarg));
break; break;
case 41:
// --client-private-key-file
cmdcfgs.push_back(std::make_pair(SHRPX_OPT_CLIENT_PRIVATE_KEY_FILE,
optarg));
break;
case 42:
// --client-cert-file
cmdcfgs.push_back(std::make_pair(SHRPX_OPT_CLIENT_CERT_FILE, optarg));
break;
default: default:
break; break;
} }

6
src/shrpx_config.cc
View File

@ -102,6 +102,8 @@ const char SHRPX_OPT_WRITE_BURST[] = "write-burst";
const char SHRPX_OPT_NPN_LIST[] = "npn-list"; const char SHRPX_OPT_NPN_LIST[] = "npn-list";
const char SHRPX_OPT_VERIFY_CLIENT[] = "verify-client"; const char SHRPX_OPT_VERIFY_CLIENT[] = "verify-client";
const char SHRPX_OPT_VERIFY_CLIENT_CACERT[] = "verify-client-cacert"; const char SHRPX_OPT_VERIFY_CLIENT_CACERT[] = "verify-client-cacert";
const char SHRPX_OPT_CLIENT_PRIVATE_KEY_FILE[] = "client-private-key-file";
const char SHRPX_OPT_CLIENT_CERT_FILE[] = "client-cert-file";
namespace { namespace {
Config *config = nullptr; Config *config = nullptr;
@ -412,6 +414,10 @@ int parse_config(const char *opt, const char *optarg)
mod_config()->verify_client = util::strieq(optarg, "yes"); mod_config()->verify_client = util::strieq(optarg, "yes");
} else if(util::strieq(opt, SHRPX_OPT_VERIFY_CLIENT_CACERT)) { } else if(util::strieq(opt, SHRPX_OPT_VERIFY_CLIENT_CACERT)) {
set_config_str(&mod_config()->verify_client_cacert, optarg); set_config_str(&mod_config()->verify_client_cacert, optarg);
} else if(util::strieq(opt, SHRPX_OPT_CLIENT_PRIVATE_KEY_FILE)) {
set_config_str(&mod_config()->client_private_key_file, optarg);
} else if(util::strieq(opt, SHRPX_OPT_CLIENT_CERT_FILE)) {
set_config_str(&mod_config()->client_cert_file, optarg);
} else if(util::strieq(opt, "conf")) { } else if(util::strieq(opt, "conf")) {
LOG(WARNING) << "conf is ignored"; LOG(WARNING) << "conf is ignored";
} else { } else {

4
src/shrpx_config.h
View File

@ -93,6 +93,8 @@ extern const char SHRPX_OPT_WRITE_BURST[];
extern const char SHRPX_OPT_NPN_LIST[]; extern const char SHRPX_OPT_NPN_LIST[];
extern const char SHRPX_OPT_VERIFY_CLIENT[]; extern const char SHRPX_OPT_VERIFY_CLIENT[];
extern const char SHRPX_OPT_VERIFY_CLIENT_CACERT[]; extern const char SHRPX_OPT_VERIFY_CLIENT_CACERT[];
extern const char SHRPX_OPT_CLIENT_PRIVATE_KEY_FILE[];
extern const char SHRPX_OPT_CLIENT_CERT_FILE[];
union sockaddr_union { union sockaddr_union {
sockaddr sa; sockaddr sa;
@ -191,6 +193,8 @@ struct Config {
// Path to file containing CA certificate solely used for client // Path to file containing CA certificate solely used for client
// certificate validation // certificate validation
char *verify_client_cacert; char *verify_client_cacert;
char *client_private_key_file;
char *client_cert_file;
}; };
const Config* get_config(); const Config* get_config();

21
src/shrpx_ssl.cc
View File

@ -296,6 +296,27 @@ SSL_CTX* create_ssl_client_context()
} }
} }
if(get_config()->client_private_key_file) {
if(SSL_CTX_use_PrivateKey_file(ssl_ctx,
get_config()->client_private_key_file,
SSL_FILETYPE_PEM) != 1) {
LOG(FATAL) << "Could not load client private key from "
<< get_config()->client_private_key_file << ": "
<< ERR_error_string(ERR_get_error(), nullptr);
DIE();
}
}
if(get_config()->client_cert_file) {
if(SSL_CTX_use_certificate_chain_file(ssl_ctx,
get_config()->client_cert_file)
!= 1) {
LOG(FATAL) << "Could not load client certificate from "
<< get_config()->client_cert_file << ": "
<< ERR_error_string(ERR_get_error(), nullptr);
DIE();
}
}
SSL_CTX_set_next_proto_select_cb(ssl_ctx, select_next_proto_cb, nullptr); SSL_CTX_set_next_proto_select_cb(ssl_ctx, select_next_proto_cb, nullptr);
return ssl_ctx; return ssl_ctx;
} }