wsproxy: warn when no cert. C sock close cleanup.
Warn early about no SSL cert and add clearer warning when a connection comes in as SSL but no cert file exists. For the C version, cleanup closing of the connection socket. Use shutdown for a cleaner cleanup with the client.
This commit is contained in:
parent
58da507bb8
commit
58dc1947de
|
@ -187,6 +187,7 @@ int ws_socket_free(ws_ctx_t *ctx) {
|
|||
ctx->ssl_ctx = NULL;
|
||||
}
|
||||
if (ctx->sockfd) {
|
||||
shutdown(ctx->sockfd, SHUT_RDWR);
|
||||
close(ctx->sockfd);
|
||||
ctx->sockfd = 0;
|
||||
}
|
||||
|
@ -350,26 +351,30 @@ ws_ctx_t *do_handshake(int sock) {
|
|||
handshake[len] = 0;
|
||||
if (len == 0) {
|
||||
handler_msg("ignoring empty handshake\n");
|
||||
close(sock);
|
||||
return NULL;
|
||||
} else if (bcmp(handshake, "<policy-file-request/>", 22) == 0) {
|
||||
len = recv(sock, handshake, 1024, 0);
|
||||
handshake[len] = 0;
|
||||
handler_msg("sending flash policy response\n");
|
||||
send(sock, policy_response, sizeof(policy_response), 0);
|
||||
close(sock);
|
||||
return NULL;
|
||||
} else if ((bcmp(handshake, "\x16", 1) == 0) ||
|
||||
(bcmp(handshake, "\x80", 1) == 0)) {
|
||||
// SSL
|
||||
if (! settings.cert) { return NULL; }
|
||||
if (!settings.cert) {
|
||||
handler_msg("SSL connection but no cert specified\n");
|
||||
return NULL;
|
||||
} else if (access(settings.cert, R_OK) != 0) {
|
||||
handler_msg("SSL connection but '%s' not found\n",
|
||||
settings.cert);
|
||||
return NULL;
|
||||
}
|
||||
ws_ctx = ws_socket_ssl(sock, settings.cert, settings.key);
|
||||
if (! ws_ctx) { return NULL; }
|
||||
scheme = "wss";
|
||||
handler_msg("using SSL socket\n");
|
||||
} else if (settings.ssl_only) {
|
||||
handler_msg("non-SSL connection disallowed\n");
|
||||
close(sock);
|
||||
return NULL;
|
||||
} else {
|
||||
ws_ctx = ws_socket(sock);
|
||||
|
@ -380,14 +385,12 @@ ws_ctx_t *do_handshake(int sock) {
|
|||
len = ws_recv(ws_ctx, handshake, 4096);
|
||||
if (len == 0) {
|
||||
handler_emsg("Client closed during handshake\n");
|
||||
close(sock);
|
||||
return NULL;
|
||||
}
|
||||
handshake[len] = 0;
|
||||
|
||||
if (!parse_handshake(handshake, &headers)) {
|
||||
handler_emsg("Invalid WS request\n");
|
||||
close(sock);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
|
@ -524,8 +527,7 @@ void start_server() {
|
|||
if (pid == 0) { // handler process
|
||||
ws_ctx = do_handshake(csock);
|
||||
if (ws_ctx == NULL) {
|
||||
close(csock);
|
||||
handler_msg("No connection after handshake");
|
||||
handler_msg("No connection after handshake\n");
|
||||
break; // Child process exits
|
||||
}
|
||||
|
||||
|
@ -533,13 +535,22 @@ void start_server() {
|
|||
if (pipe_error) {
|
||||
handler_emsg("Closing due to SIGPIPE\n");
|
||||
}
|
||||
close(csock);
|
||||
handler_msg("handler exit\n");
|
||||
break; // Child process exits
|
||||
} else { // parent process
|
||||
settings.handler_id += 1;
|
||||
}
|
||||
}
|
||||
if (pid == 0) {
|
||||
if (ws_ctx) {
|
||||
ws_socket_free(ws_ctx);
|
||||
} else {
|
||||
shutdown(csock, SHUT_RDWR);
|
||||
close(csock);
|
||||
}
|
||||
handler_msg("handler exit\n");
|
||||
} else {
|
||||
handler_msg("wsproxy exit\n");
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
|
|
|
@ -112,6 +112,11 @@ def do_handshake(sock):
|
|||
sock.close()
|
||||
return False
|
||||
elif handshake[0] in ("\x16", "\x80"):
|
||||
if not os.path.exists(settings['cert']):
|
||||
handler_msg("SSL connection but '%s' not found"
|
||||
% settings['cert'])
|
||||
sock.close()
|
||||
return False
|
||||
retsock = ssl.wrap_socket(
|
||||
sock,
|
||||
server_side=True,
|
||||
|
|
|
@ -257,6 +257,10 @@ int main(int argc, char *argv[])
|
|||
};
|
||||
|
||||
settings.cert = realpath("self.pem", NULL);
|
||||
if (!settings.cert) {
|
||||
/* Make sure it's always set to something */
|
||||
settings.cert = "self.pem";
|
||||
}
|
||||
settings.key = "";
|
||||
|
||||
while (1) {
|
||||
|
@ -326,9 +330,11 @@ int main(int argc, char *argv[])
|
|||
}
|
||||
|
||||
if (ssl_only) {
|
||||
if (!settings.cert || !access(settings.cert, R_OK)) {
|
||||
usage("SSL only and cert file not found\n");
|
||||
if (!access(settings.cert, R_OK)) {
|
||||
usage("SSL only and cert file '%s' not found\n", settings.cert);
|
||||
}
|
||||
} else if (access(settings.cert, R_OK) != 0) {
|
||||
fprintf(stderr, "Warning: '%s' not found\n", settings.cert);
|
||||
}
|
||||
|
||||
//printf(" verbose: %d\n", settings.verbose);
|
||||
|
|
|
@ -162,6 +162,8 @@ if __name__ == '__main__':
|
|||
|
||||
if options.ssl_only and not os.path.exists(options.cert):
|
||||
parser.error("SSL only and %s not found" % options.cert)
|
||||
elif not os.path.exists(options.cert):
|
||||
print "Warning: %s not found" % options.cert
|
||||
|
||||
settings['verbose'] = options.verbose
|
||||
settings['listen_host'] = host
|
||||
|
|
Loading…
Reference in New Issue