X-Git-Url: https://ruderich.org/simon/gitweb/?a=blobdiff_plain;f=src%2Fconnection.c;h=1d94d79654323dec4875aa4e7f9724f2d49208c5;hb=64bfebde76d568808b6fa8a8d09b4b5afe13dc15;hp=af14477cb71592c9dd1dcc90d75ef71d37e75db2;hpb=1e4972b997cbdd2b287f60d197c33f38d8ec324d;p=tlsproxy%2Ftlsproxy.git diff --git a/src/connection.c b/src/connection.c index af14477..1d94d79 100644 --- a/src/connection.c +++ b/src/connection.c @@ -87,7 +87,7 @@ void handle_connection(int client_socket) { char host[MAX_REQUEST_LINE]; char port[5 + 1]; - int version_minor; + int version_minor; /* HTTP/1.x */ int result; /* client_x509_cred is used when talking to the client (acting as a TSL @@ -208,7 +208,7 @@ void handle_connection(int client_socket) { LOG(LOG_DEBUG, "transferring data"); - /* Proxy data between client and server until one suite is done + /* Proxy data between client and server until one side is done * (EOF or error). */ transfer_data(client_socket, server_socket); @@ -222,9 +222,9 @@ void handle_connection(int client_socket) { } } + /* Initialize TLS client credentials to talk to the server. */ result = initialize_tls_session_server(server_socket, &server_session, &server_x509_cred); - /* Initialize TLS client credentials to talk to the server. */ if (0 != result) { LOG(LOG_WARNING, "initialize_tls_session_server() failed"); send_forwarding_failure(client_fd); @@ -250,7 +250,8 @@ void handle_connection(int client_socket) { if (0 != verify_tls_connection(server_session, host)) { LOG(LOG_ERROR, "server certificate validation failed!"); /* We send the error message over our TLS connection to the client, - * but with an invalid certificate. */ + * but with an invalid certificate. No data is transfered from/to the + * target server. */ validation_failed = 1; } @@ -298,7 +299,7 @@ void handle_connection(int client_socket) { LOG(LOG_DEBUG, "transferring TLS data"); - /* Proxy data between client and server until one suite is done (EOF or + /* Proxy data between client and server until one side is done (EOF or * error). */ transfer_data_tls(client_socket, server_socket, client_session, server_session); @@ -386,18 +387,17 @@ gnutls_certificate_allocate_credentials(): %s", result = gnutls_certificate_set_x509_trust_file(*x509_cred, PROXY_CA_FILE, GNUTLS_X509_FMT_PEM); + if (0 >= result) { + LOG(LOG_ERROR, + "initialize_tls_session_client(): can't read CA file: '%s'", + PROXY_CA_FILE); + gnutls_certificate_free_credentials(*x509_cred); + return -1; + } + } /* If the invalid hostname was specified do nothing, we use a self-signed * certificate in this case. */ - } else { - result = 1; - } - if (0 >= result) { - LOG(LOG_ERROR, - "initialize_tls_session_client(): can't read CA file: '%s'", - PROXY_CA_FILE); - gnutls_certificate_free_credentials(*x509_cred); - return -1; - } + /* And certificate for this website and proxy's private key. */ if (!use_invalid_cert) { result = gnutls_certificate_set_x509_key_file(*x509_cred, @@ -421,7 +421,7 @@ can't read server certificate ('%s') or key file ('%s'): %s", return -2; } - gnutls_certificate_set_dh_params(*x509_cred, tls_dh_params); + gnutls_certificate_set_dh_params(*x509_cred, global_tls_dh_params); result = gnutls_init(session, GNUTLS_SERVER); if (GNUTLS_E_SUCCESS != result) { @@ -431,7 +431,7 @@ can't read server certificate ('%s') or key file ('%s'): %s", gnutls_certificate_free_credentials(*x509_cred); return -1; } - result = gnutls_priority_set(*session, tls_priority_cache); + result = gnutls_priority_set(*session, global_tls_priority_cache); if (GNUTLS_E_SUCCESS != result) { LOG(LOG_ERROR, "initialize_tls_session_client(): gnutls_priority_set(): %s", @@ -477,7 +477,7 @@ gnutls_certificate_allocate_credentials(): %s", gnutls_certificate_free_credentials(*x509_cred); return -1; } - gnutls_priority_set(*session, tls_priority_cache); + gnutls_priority_set(*session, global_tls_priority_cache); if (GNUTLS_E_SUCCESS != result) { LOG(LOG_ERROR, "initialize_tls_session_server(): gnutls_priority_set(): %s",