/* Format string used to send HTTP/1.0 error responses to the client.
*
* %s is used 5 times, first is the error code, then additional headers, next
- * two are the error code (no %n$s!), the last is the message. */
+ * two are the error code (no %n$s which is not in C98!), the last is the
+ * message. */
#define HTTP_RESPONSE_FORMAT "HTTP/1.0 %s\r\n\
Content-Type: text/html; charset=US-ASCII\r\n\
%s\r\n\
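Review bot: The reworded comment above HTTP_RESPONSE_FORMAT cites "C98", which is not an ISO C revision; C89 or C99 was presumably meant, and positional `%n$s` conversions are a POSIX extension rather than part of ISO C in any revision. I would write `two are the error code (no %n$s, a POSIX extension that is not in ISO C!), the last is the`. Since the five `%s` conversions must line up exactly with the caller's arguments, the comment could also state outright that the error code is passed three times. The macro body continues outside the hunk.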
size_t buffer_size) {
ssize_t size_read;
ssize_t size_written;
- char buffer[16384];
+ char buffer[16384]; /* GnuTLS default maximum */
if (buffer_size > sizeof(buffer)) {
LOG(WARNING, "read_from_write_to_tls(): reduced buffer size to %ld",
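Review bot: The new trailing comment on `buffer` does not say which maximum it refers to. Presumably it is the GnuTLS default maximum record size, and naming it would explain why a larger `buffer_size` is reduced in the check just below: `char buffer[16384]; /* GnuTLS default maximum record size */`. The LOG call's argument list is cut off by the hunk, so whether `%ld` matches the argument cannot be checked here; if a `size_t` is passed without a cast, `%zu` is the matching conversion. The function starts and ends outside the hunk.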
return -2;
}
- /* Check that the proxy certificate file exists and is readable for this
- * domain. This ensures we send an "invalid" certificate even if the proxy
- * certificate doesn't exist. */
+ /* Check that the proxy certificate file for this domain exists and is
+ * readable. This ensures we send an "invalid" certificate if the proxy
+ * certificate doesn't exist.
+ *
+ * If the file gets removed or becomes unreadable after the check we won't
+ * be able to establish a connection to the real server so this
+ * race-condition has no security issues and is only a convenience for the
+ * user. */
if (proxy_certificate_path(hostname, path, sizeof(path)) != 0) {
return -1;
}
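Review bot: The added paragraph says the check-then-use race on the proxy certificate file has no security impact, but that holds only if the later certificate load fails closed, and that code is not visible in this hunk. The comment should name the place where the file is actually opened and state that a failure there aborts the connection, so a reader can verify the claim instead of trusting it. The last sentence is also ambiguous: it reads as if the race were the convenience, and `so this race condition has no security impact; the check itself is only a convenience for the user.` would be clearer. The visible call to `proxy_certificate_path()` only appears to build the path, and the existence check and the rest of the function lie outside the hunk.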