Disable RC4.

[tlsproxy/tlsproxy.git] / src / connection.c

diff --git a/src/connection.c b/src/connection.c
index 15eb321d811965d4f0b1a71c72659fb500a3d5ea..fb854da4536937ae43f136ff6f418cbbaf776698 100644 (file)
--- a/src/connection.c
+++ b/src/connection.c
@@ -1,7 +1,7 @@
 /*
  * Handle connections.
  *
- * Copyright (C) 2011-2013  Simon Ruderich
+ * Copyright (C) 2011-2014  Simon Ruderich
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -26,6 +26,7 @@
 #include <limits.h>
 #include <netdb.h>
 #include <poll.h>
+#include <sys/socket.h>
 #include <unistd.h>
 
 #include <gnutls/x509.h>
@@ -101,9 +102,9 @@ void handle_connection(int client_socket) {
     int version_minor; /* x in HTTP/1.x */
     int result;
 
-    /* client_x509_cred is used when talking to the client (acting as a TSL
+    /* client_x509_cred is used when talking to the client (acting as a TLS
      * server), server_x509_cred is used when talking to the server (acting as
-     * a TSL client). */
+     * a TLS client). */
     gnutls_certificate_credentials_t client_x509_cred, server_x509_cred;
 
     gnutls_session_t client_session, server_session;
@@ -206,7 +207,7 @@ void handle_connection(int client_socket) {
     LOG(DEBUG1, "connection to server established");
 
     /* If the -u option is used and we don't know this hostname's server
-     * certificate then just pass through the connection and let the client
+     * certificate, then just pass through the connection and let the client
      * verify the server certificate. */
     if (global_passthrough_unknown) {
         char path[TLSPROXY_MAX_PATH_LENGTH];
@@ -785,6 +786,22 @@ static int read_from_write_to_tls(gnutls_session_t from,
 
     size_read = gnutls_record_recv(from, buffer, buffer_size);
     if (size_read < 0) {
+        /* Allow rehandshakes. As handshakes might be insecure make sure that
+         * %SAFE_RENEGOTIATION is used in GnuTLS's priority string. */
+        if (size_read == GNUTLS_E_REHANDSHAKE) {
+            int result;
+
+            LOG(DEBUG1, "server requested TLS rehandshake");
+
+            result = gnutls_handshake(from);
+            if (result != GNUTLS_E_SUCCESS) {
+                LOG(WARNING, "server TLS rehandshake failed: %s",
+                             gnutls_strerror(result));
+                return -1;
+            }
+            return 0;
+        }
+
         LOG(WARNING, "read_from_write_to_tls(): gnutls_record_recv(): %s",
                      gnutls_strerror((int)size_read));
         return -1;
@@ -827,8 +844,10 @@ static int connect_to_host(const char *hostname, const char *port) {
     gai_hints.ai_socktype = SOCK_STREAM;
     gai_hints.ai_protocol = 0;
     gai_hints.ai_flags    = AI_NUMERICSERV /* given port is numeric */
+#ifdef AI_ADDRCONFIG
                           | AI_ADDRCONFIG  /* supported by this computer */
-                          | AI_V4MAPPED;   /* support IPv4 through IPv6 */
+#endif
+                          ;
     gai_return = getaddrinfo(hostname, port, &gai_hints, &gai_result);
     if (gai_return != 0) {
         if (gai_return == EAI_SYSTEM) {