16 local ipairs = ipairs; |
16 local ipairs = ipairs; |
17 local traceback = debug.traceback; |
17 local traceback = debug.traceback; |
18 local logger = require "util.logger"; |
18 local logger = require "util.logger"; |
19 local log = logger.init("server_epoll"); |
19 local log = logger.init("server_epoll"); |
20 local socket = require "socket"; |
20 local socket = require "socket"; |
21 local luasec = require "ssl"; |
|
22 local realtime = require "util.time".now; |
21 local realtime = require "util.time".now; |
23 local monotonic = require "util.time".monotonic; |
22 local monotonic = require "util.time".monotonic; |
24 local indexedbheap = require "util.indexedbheap"; |
23 local indexedbheap = require "util.indexedbheap"; |
25 local createtable = require "util.table".create; |
24 local createtable = require "util.table".create; |
26 local inet = require "util.net"; |
25 local inet = require "util.net"; |
612 |
611 |
613 function interface:set_sslctx(sslctx) |
612 function interface:set_sslctx(sslctx) |
614 self._sslctx = sslctx; |
613 self._sslctx = sslctx; |
615 end |
614 end |
616 |
615 |
|
616 function interface:sslctx() |
|
617 return self.tls_ctx |
|
618 end |
|
619 |
|
620 function interface:ssl_info() |
|
621 local sock = self.conn; |
|
622 return sock.info and sock:info(); |
|
623 end |
|
624 |
|
625 function interface:ssl_peercertificate() |
|
626 local sock = self.conn; |
|
627 return sock.getpeercertificate and sock:getpeercertificate(); |
|
628 end |
|
629 |
|
630 function interface:ssl_peerverification() |
|
631 local sock = self.conn; |
|
632 return sock.getpeerverification and sock:getpeerverification(); |
|
633 end |
|
634 |
|
635 function interface:ssl_peerfinished() |
|
636 local sock = self.conn; |
|
637 return sock.getpeerfinished and sock:getpeerfinished(); |
|
638 end |
|
639 |
617 function interface:starttls(tls_ctx) |
640 function interface:starttls(tls_ctx) |
618 if tls_ctx then self.tls_ctx = tls_ctx; end |
641 if tls_ctx then self.tls_ctx = tls_ctx; end |
619 self.starttls = false; |
642 self.starttls = false; |
620 if self.writebuffer and (self.writebuffer[1] or type(self.writebuffer) == "string") then |
643 if self.writebuffer and (self.writebuffer[1] or type(self.writebuffer) == "string") then |
621 self:debug("Start TLS after write"); |
644 self:debug("Start TLS after write"); |
639 if tls_ctx then self.tls_ctx = tls_ctx; end |
662 if tls_ctx then self.tls_ctx = tls_ctx; end |
640 self._tls = true; |
663 self._tls = true; |
641 self.starttls = false; |
664 self.starttls = false; |
642 self:debug("Starting TLS now"); |
665 self:debug("Starting TLS now"); |
643 self:updatenames(); -- Can't getpeer/sockname after wrap() |
666 self:updatenames(); -- Can't getpeer/sockname after wrap() |
644 local ok, conn, err = pcall(luasec.wrap, self.conn, self.tls_ctx); |
667 local conn, err = self.tls_ctx:wrap(self.conn); |
645 if not ok then |
|
646 conn, err = ok, conn; |
|
647 self:debug("Failed to initialize TLS: %s", err); |
|
648 end |
|
649 if not conn then |
668 if not conn then |
650 self:on("disconnect", err); |
669 self:on("disconnect", err); |
651 self:destroy(); |
670 self:destroy(); |
652 return conn, err; |
671 return conn, err; |
653 end |
672 end |
654 conn:settimeout(0); |
673 conn:settimeout(0); |
655 self.conn = conn; |
674 self.conn = conn; |
656 if conn.sni then |
675 if conn.sni then |
657 if self.servername then |
676 if self.servername then |
658 conn:sni(self.servername); |
677 conn:sni(self.servername); |
659 elseif self._server and type(self._server.hosts) == "table" and next(self._server.hosts) ~= nil then |
678 elseif next(self.tls_ctx._sni_contexts) ~= nil then |
660 conn:sni(self._server.hosts, true); |
679 conn:sni(self.tls_ctx._sni_contexts, true); |
661 end |
680 end |
662 end |
681 end |
663 if self.extra and self.extra.tlsa and conn.settlsa then |
682 if self.extra and self.extra.tlsa and conn.settlsa then |
664 -- TODO Error handling |
683 -- TODO Error handling |
665 if not conn:setdane(self.servername or self.extra.dane_hostname) then |
684 if not conn:setdane(self.servername or self.extra.dane_hostname) then |