/*
* Handle connections.
*
- * Copyright (C) 2011-2013 Simon Ruderich
+ * Copyright (C) 2011-2014 Simon Ruderich
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
#include <limits.h>
#include <netdb.h>
#include <poll.h>
+#include <sys/socket.h>
#include <unistd.h>
#include <gnutls/x509.h>
int version_minor; /* x in HTTP/1.x */
int result;
- /* client_x509_cred is used when talking to the client (acting as a TSL
+ /* client_x509_cred is used when talking to the client (acting as a TLS
* server), server_x509_cred is used when talking to the server (acting as
- * a TSL client). */
+ * a TLS client). */
gnutls_certificate_credentials_t client_x509_cred, server_x509_cred;
gnutls_session_t client_session, server_session;
LOG(DEBUG1, "connection to server established");
/* If the -u option is used and we don't know this hostname's server
- * certificate then just pass through the connection and let the client
+ * certificate, then just pass through the connection and let the client
* verify the server certificate. */
if (global_passthrough_unknown) {
char path[TLSPROXY_MAX_PATH_LENGTH];
size_read = gnutls_record_recv(from, buffer, buffer_size);
if (size_read < 0) {
+ /* Allow rehandshakes. As handshakes might be insecure make sure that
+ * %SAFE_RENEGOTIATION is used in GnuTLS's priority string. */
+ if (size_read == GNUTLS_E_REHANDSHAKE) {
+ int result;
+
+ LOG(DEBUG1, "server requested TLS rehandshake");
+
+ result = gnutls_handshake(from);
+ if (result != GNUTLS_E_SUCCESS) {
+ LOG(WARNING, "server TLS rehandshake failed: %s",
+ gnutls_strerror(result));
+ return -1;
+ }
+ return 0;
+ }
+
LOG(WARNING, "read_from_write_to_tls(): gnutls_record_recv(): %s",
gnutls_strerror((int)size_read));
return -1;
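Review bot: After the renegotiation on the added line `result = gnutls_handshake(from);` succeeds, the peer may have presented a different certificate, but nothing here re-runs whatever verification was done on the initial handshake (the pass-through/known-certificate logic visible earlier in the file suggests there is one), so the renegotiated session is trusted as-is and the checks made at connection setup should be repeated before `return 0;`. gnutls_handshake() can also return non-fatal codes (GNUTLS_E_AGAIN, GNUTLS_E_INTERRUPTED) on a non-blocking transport, and the new code treats every non-success as fatal; if these sockets are driven through poll() as the poll.h include suggests, the check should be `if (gnutls_error_is_fatal(result))` with a retry on the non-fatal codes. The log line `"server requested TLS rehandshake"` assumes `from` is the server session, while read_from_write_to_tls() appears to be used for either direction; if so, the message should not name the peer. read_from_write_to_tls() begins and ends outside this hunk.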
gai_hints.ai_socktype = SOCK_STREAM;
gai_hints.ai_protocol = 0;
gai_hints.ai_flags = AI_NUMERICSERV /* given port is numeric */
+#ifdef AI_ADDRCONFIG
| AI_ADDRCONFIG /* supported by this computer */
- | AI_V4MAPPED; /* support IPv4 through IPv6 */
+#endif
+ ;
gai_return = getaddrinfo(hostname, port, &gai_hints, &gai_result);
if (gai_return != 0) {
if (gai_return == EAI_SYSTEM) {
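Review bot: The new flag initialization leaves a bare `;` on its own line after the `#endif`, which reads as a stray statement and is easy to break when another optional flag is added. Writing the conditional flag as its own statement keeps the `#ifdef` self-contained: `gai_hints.ai_flags = AI_NUMERICSERV; /* given port is numeric */` followed by `#ifdef AI_ADDRCONFIG` / `gai_hints.ai_flags |= AI_ADDRCONFIG; /* supported by this computer */` / `#endif`. The enclosing function starts and ends outside this hunk.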