}
}
-#ifdef HAVE_DNS_OVER_TLS
-static bool loadTLSCertificateAndKeys(shared_ptr<TLSFrontend>& frontend, boost::variant<std::string, std::vector<std::pair<int,std::string>>> certFiles, boost::variant<std::string, std::vector<std::pair<int,std::string>>> keyFiles)
+static bool loadTLSCertificateAndKeys(const std::string& context, std::vector<std::pair<std::string, std::string>>& pairs, boost::variant<std::string, std::vector<std::pair<int,std::string>>> certFiles, boost::variant<std::string, std::vector<std::pair<int,std::string>>> keyFiles)
{
if (certFiles.type() == typeid(std::string) && keyFiles.type() == typeid(std::string)) {
auto certFile = boost::get<std::string>(certFiles);
auto keyFile = boost::get<std::string>(keyFiles);
- frontend->d_certKeyPairs.clear();
- frontend->d_certKeyPairs.push_back({certFile, keyFile});
+ pairs.clear();
+ pairs.push_back({certFile, keyFile});
}
else if (certFiles.type() == typeid(std::vector<std::pair<int,std::string>>) && keyFiles.type() == typeid(std::vector<std::pair<int,std::string>>))
{
auto certFilesVect = boost::get<std::vector<std::pair<int,std::string>>>(certFiles);
auto keyFilesVect = boost::get<std::vector<std::pair<int,std::string>>>(keyFiles);
if (certFilesVect.size() == keyFilesVect.size()) {
- frontend->d_certKeyPairs.clear();
+ pairs.clear();
for (size_t idx = 0; idx < certFilesVect.size(); idx++) {
- frontend->d_certKeyPairs.push_back({certFilesVect.at(idx).second, keyFilesVect.at(idx).second});
+ pairs.push_back({certFilesVect.at(idx).second, keyFilesVect.at(idx).second});
}
}
else {
- errlog("Error, mismatching number of certificates and keys in call to addTLSLocal()!");
- g_outputBuffer="Error, mismatching number of certificates and keys in call to addTLSLocal()!";
+ errlog("Error, mismatching number of certificates and keys in call to %s()!", context);
+ g_outputBuffer="Error, mismatching number of certificates and keys in call to " + context + "()!";
return false;
}
}
else {
- errlog("Error, mismatching number of certificates and keys in call to addTLSLocal()!");
- g_outputBuffer="Error, mismatching number of certificates and keys in call to addTLSLocal()!";
+ errlog("Error, mismatching number of certificates and keys in call to %s()!", context);
+ g_outputBuffer="Error, mismatching number of certificates and keys in call to " + context + "()!";
return false;
}
return true;
}
-#endif /* HAVE_DNS_OVER_TLS */
void setupLuaConfig(bool client)
{
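Review bot: The last `else` branch of `loadTLSCertificateAndKeys` still reports "mismatching number of certificates and keys", but it is reached when the two arguments have different types (one a string, the other a table), not a different count, so an operator is sent looking for the wrong mistake; change the two lines to `errlog("Error, certificates and keys in call to %s() must both be a string or both be a table!", context);` and `g_outputBuffer="Error, certificates and keys in call to " + context + "() must both be a string or both be a table!";`. The table branch also accepts two empty tables — the size check passes for 0 == 0 — and then clears `pairs` and returns true, leaving the caller's frontend with no key pair at all; a guard such as `if (certFilesVect.empty()) { errlog("Error, empty list of certificates and keys in call to %s()!", context); g_outputBuffer = "Error, empty list of certificates and keys in call to " + context + "()!"; return false; }` placed before `pairs.clear()` would reject that configuration early instead of failing later, presumably when the listener tries to load nothing. A one-line comment on the loop, `// cert and key are matched by position in the two tables`, would also spell out the pairing rule the function relies on.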
setSyslogFacility(facility);
});
- g_lua.writeFunction("addDOHLocal", [client](const std::string& addr, const std::string& certFile, const std::string& keyFile, boost::optional<vector<pair<int, std::string> > > urls, boost::optional<localbind_t> vars) {
+ g_lua.writeFunction("addDOHLocal", [client](const std::string& addr, boost::variant<std::string, std::vector<std::pair<int,std::string>>> certFiles, boost::variant<std::string, std::vector<std::pair<int,std::string>>> keyFiles, boost::optional<vector<pair<int, std::string> > > urls, boost::optional<localbind_t> vars) {
if (client) {
return;
}
return;
}
auto frontend = std::make_shared<DOHFrontend>();
- frontend->d_certFile = certFile;
- frontend->d_keyFile = keyFile;
+
+ if (!loadTLSCertificateAndKeys("addDOHLocal", frontend->d_certKeyPairs, certFiles, keyFiles)) {
+ return;
+ }
+
frontend->d_local = ComboAddress(addr, 443);
if(urls && !urls->empty()) {
for(const auto& p : *urls) {
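Review bot: The widened Lua signature of `addDOHLocal` (a single path or a table of paths for the certificate and key arguments, paired by position) is not documented anywhere in this diff, and the bare `return;` after a failed `loadTLSCertificateAndKeys` call only tells the console user what went wrong because that helper fills `g_outputBuffer` itself. A comment above the lambda, `// certFiles/keyFiles: one path each, or two tables whose entries are paired by position (see loadTLSCertificateAndKeys)`, plus a matching update of the addDOHLocal entry in the Lua reference (not part of this diff) would make the contract visible to operators. The lambda body continues outside the hunk.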
}
shared_ptr<TLSFrontend> frontend = std::make_shared<TLSFrontend>();
- if (!loadTLSCertificateAndKeys(frontend, certFiles, keyFiles)) {
+ if (!loadTLSCertificateAndKeys("addTLSLocal", frontend->d_certKeyPairs, certFiles, keyFiles)) {
return;
}
g_lua.registerFunction<void(std::shared_ptr<TLSFrontend>::*)(boost::variant<std::string, std::vector<std::pair<int,std::string>>> certFiles, boost::variant<std::string, std::vector<std::pair<int,std::string>>> keyFiles)>("loadNewCertificatesAndKeys", [](std::shared_ptr<TLSFrontend>& frontend, boost::variant<std::string, std::vector<std::pair<int,std::string>>> certFiles, boost::variant<std::string, std::vector<std::pair<int,std::string>>> keyFiles) {
#ifdef HAVE_DNS_OVER_TLS
- if (loadTLSCertificateAndKeys(frontend, certFiles, keyFiles)) {
+ if (loadTLSCertificateAndKeys("loadNewCertificatesAndKeys", frontend->d_certKeyPairs, certFiles, keyFiles)) {
frontend->setupTLS();
}
#endif
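Review bot: In the `loadNewCertificatesAndKeys` binding the new list is written straight into `frontend->d_certKeyPairs` before `setupTLS()` has tried to load it, so if the reload fails inside `setupTLS()` (its failure behaviour is outside this hunk) the frontend keeps a list it could not load and the running listener no longer matches the stored configuration. Loading into a local vector and assigning it only after `setupTLS()` succeeds would keep the previous, working pairs on failure, but that needs `setupTLS()` to report its outcome, which I cannot see here. At minimum a comment above the call, `// replaces the stored pairs before setupTLS() validates them; a failed reload leaves d_certKeyPairs naming files that did not load`, records the limitation for the next reader. The lambda continues outside the hunk.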
//#include <h2o/http1.h>
#include <h2o/http2.h>
+#include <openssl/err.h>
+#include <openssl/ssl.h>
+
#include "base64.hh"
#include "dnsname.hh"
#undef CERT
return 0;
}
-static std::unique_ptr<SSL_CTX, void(*)(SSL_CTX*)> getTLSContext(const std::string& cert_file, const std::string& key_file, const std::string& ciphers, const std::string& ciphers13)
+static std::unique_ptr<SSL_CTX, void(*)(SSL_CTX*)> getTLSContext(const std::vector<std::pair<std::string, std::string>>& pairs, const std::string& ciphers, const std::string& ciphers13)
{
auto ctx = std::unique_ptr<SSL_CTX, void(*)(SSL_CTX*)>(SSL_CTX_new(SSLv23_server_method()), SSL_CTX_free);
#endif
/* load certificate and private key */
- if (SSL_CTX_use_certificate_chain_file(ctx.get(), cert_file.c_str()) != 1) {
- throw std::runtime_error("Failed to setup SSL/TLS for DoH listener, an error occurred while trying to load the DOH server certificate file: " + cert_file);
- }
- if (SSL_CTX_use_PrivateKey_file(ctx.get(), key_file.c_str(), SSL_FILETYPE_PEM) != 1) {
- throw std::runtime_error("Failed to setup SSL/TLS for DoH listener, an error occurred while trying to load the DOH server private key file: " + key_file);
+ for (const auto& pair : pairs) {
+ if (SSL_CTX_use_certificate_chain_file(ctx.get(), pair.first.c_str()) != 1) {
+ ERR_print_errors_fp(stderr);
+ throw std::runtime_error("Failed to setup SSL/TLS for DoH listener, an error occurred while trying to load the DOH server certificate file: " + pair.first);
+ }
+ if (SSL_CTX_use_PrivateKey_file(ctx.get(), pair.second.c_str(), SSL_FILETYPE_PEM) != 1) {
+ ERR_print_errors_fp(stderr);
+ throw std::runtime_error("Failed to setup SSL/TLS for DoH listener, an error occurred while trying to load the DOH server private key file: " + pair.second);
+ }
}
if (SSL_CTX_set_cipher_list(ctx.get(), ciphers.empty() == false ? ciphers.c_str() : DOH_DEFAULT_CIPHERS) != 1) {
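Review bot: The two new `ERR_print_errors_fp(stderr)` calls in `getTLSContext` dump the OpenSSL error queue to stderr, which is lost when dnsdist runs as a daemon, while the thrown message still carries only the file name; draining the queue into the exception text keeps the reason with the failure that actually gets logged, as in the excerpt below. An empty `pairs` vector now also passes straight through the loop and produces a context with no certificate, so a guard before the loop, `if (pairs.empty()) { throw std::runtime_error("Failed to setup SSL/TLS for DoH listener, no certificate/key pair configured"); }`, would fail early with a clear message. The loop deserves a comment as well: OpenSSL keeps one certificate per key type in an SSL_CTX, so a second pair of the same type replaces the first rather than being served alongside it, and only mixed key types (e.g. RSA plus ECDSA) benefit from several pairs. `getTLSContext` continues past the end of this hunk.
```cpp
/* drains the OpenSSL error queue into a string so the reason ends up in the thrown message */
static std::string getOpenSSLErrors()
{
  std::string result;
  unsigned long err = 0;
  while ((err = ERR_get_error()) != 0) {
    char buf[256];
    ERR_error_string_n(err, buf, sizeof(buf));
    if (!result.empty()) {
      result += "; ";
    }
    result += buf;
  }
  return result;
}

// … unchanged: getTLSContext signature and SSL_CTX creation …
  if (pairs.empty()) {
    throw std::runtime_error("Failed to setup SSL/TLS for DoH listener, no certificate/key pair configured");
  }
  /* load certificate and private key; OpenSSL keeps one certificate per key type per context,
     so a second pair of the same key type replaces the first instead of being served alongside it */
  for (const auto& pair : pairs) {
    if (SSL_CTX_use_certificate_chain_file(ctx.get(), pair.first.c_str()) != 1) {
      throw std::runtime_error("Failed to setup SSL/TLS for DoH listener, an error occurred while trying to load the DOH server certificate file: " + pair.first + ": " + getOpenSSLErrors());
    }
    if (SSL_CTX_use_PrivateKey_file(ctx.get(), pair.second.c_str(), SSL_FILETYPE_PEM) != 1) {
      throw std::runtime_error("Failed to setup SSL/TLS for DoH listener, an error occurred while trying to load the DOH server private key file: " + pair.second + ": " + getOpenSSLErrors());
    }
  }
// … unchanged: cipher list setup …
```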
nativeCtx->ctx = &dsc.h2o_ctx;
nativeCtx->hosts = dsc.h2o_config.hosts;
if (setupTLS) {
- auto tlsCtx = getTLSContext(dsc.df->d_certFile, dsc.df->d_keyFile,
+ auto tlsCtx = getTLSContext(dsc.df->d_certKeyPairs,
dsc.df->d_ciphers,
dsc.df->d_ciphers13);
d_dsc = std::make_shared<DOHServerConfig>(d_idleTimeout);
- auto tlsCtx = getTLSContext(d_certFile, d_keyFile,
+ auto tlsCtx = getTLSContext(d_certKeyPairs,
d_ciphers,
d_ciphers13);