Project

General

Profile

lighttpd_1.4.x_tls_server_name_indication_and_client_verify.patch

oleg.smirnov, 2009-09-30 13:07

View differences:

src/base.h 2009-06-11 12:44:17.000000000 +0300 → src/base.h 2009-09-29 22:20:46.000000000 +0300
31 31
#if defined HAVE_LIBSSL && defined HAVE_OPENSSL_SSL_H
32 32
# define USE_OPENSSL
33 33
# include <openssl/ssl.h>
34
# if ! defined OPENSSL_NO_TLSEXT && ! defined SSL_CTRL_SET_TLSEXT_HOSTNAME
35
#  define OPENSSL_NO_TLSEXT
36
# endif
34 37
#endif
35 38

  
36 39
#ifdef HAVE_FAM_H
......
272 275
	buffer *ssl_ca_file;
273 276
	buffer *ssl_cipher_list;
274 277
	unsigned short ssl_use_sslv2;
278
        unsigned short ssl_verifyclient;
279
        unsigned short ssl_verifyclient_enforce;
280
        unsigned short ssl_verifyclient_depth;
281
        buffer *ssl_verifyclient_username;   
275 282

  
276 283
	unsigned short use_ipv6;
277 284
	unsigned short defer_accept;
......
422 429
#ifdef USE_OPENSSL
423 430
	SSL *ssl;
424 431
	buffer *ssl_error_want_reuse_buffer;
432
#ifndef OPENSSL_NO_TLSEXT
433
	buffer *tlsext_server_name;
434
#endif
425 435
#endif
426 436
	/* etag handling */
427 437
	etag_flags_t etag_flags;
src/configfile-glue.c 2009-04-09 18:18:48.000000000 +0300 → src/configfile-glue.c 2009-09-29 22:16:53.000000000 +0300
289 289
			default:
290 290
				break;
291 291
			}
292
#if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT
293
		} else if (!buffer_is_empty(con->tlsext_server_name)) {
294
			l = con->tlsext_server_name;
295
#endif
292 296
		} else {
293 297
			l = srv->empty_string;
294 298
		}
src/configfile.c 2009-04-26 20:51:55.000000000 +0300 → src/configfile.c 2009-09-29 22:30:01.000000000 +0300
97 97
		{ "server.reject-expect-100-with-417",  NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 52 */
98 98
		{ "debug.log-timeouts",          NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 53 */
99 99
		{ "server.defer-accept",         NULL, T_CONFIG_SHORT, T_CONFIG_SCOPE_CONNECTION },     /* 54 */
100
		{ "ssl.verifyclient.activate",   NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 55 */
101
		{ "ssl.verifyclient.enforce",    NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 56 */
102
		{ "ssl.verifyclient.depth",      NULL, T_CONFIG_SHORT,   T_CONFIG_SCOPE_SERVER }, /* 57 */
103
		{ "ssl.verifyclient.username",   NULL, T_CONFIG_STRING,  T_CONFIG_SCOPE_SERVER }, /* 58 */
104
												  
100 105
		{ "server.host",                 "use server.bind instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
101 106
		{ "server.docroot",              "use server.document-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
102 107
		{ "server.virtual-root",         "load mod_simple_vhost and use simple-vhost.server-root instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET },
......
180 185
		s->global_bytes_per_second_cnt = 0;
181 186
		s->global_bytes_per_second_cnt_ptr = &s->global_bytes_per_second_cnt;
182 187

  
188
		s->ssl_verifyclient = 0;
189
		s->ssl_verifyclient_enforce = 1;
190
		s->ssl_verifyclient_username = buffer_init();
191
		s->ssl_verifyclient_depth = 9;
192

  
183 193
		cv[2].destination = s->errorfile_prefix;
184 194

  
185 195
		cv[7].destination = s->server_tag;
......
225 235
		cv[50].destination = &(s->etag_use_mtime);
226 236
		cv[51].destination = &(s->etag_use_size);
227 237

  
238
		/* ssl.verify */
239
		cv[55].destination = &(s->ssl_verifyclient);
240
		cv[56].destination = &(s->ssl_verifyclient_enforce);
241
		cv[57].destination = &(s->ssl_verifyclient_depth);
242
		cv[58].destination = s->ssl_verifyclient_username;
243

  
228 244
		srv->config_storage[i] = s;
229 245

  
230 246
		if (0 != (ret = config_insert_values_global(srv, ((data_config *)srv->config_context->data[i])->value, cv))) {
......
296 312
	PATCH(is_ssl);
297 313

  
298 314
	PATCH(ssl_pemfile);
315
	PATCH(ssl_ctx);
299 316
	PATCH(ssl_ca_file);
300 317
	PATCH(ssl_cipher_list);
301 318
	PATCH(ssl_use_sslv2);
302 319
	PATCH(etag_use_inode);
303 320
	PATCH(etag_use_mtime);
304 321
	PATCH(etag_use_size);
305
 
322

  
323
	PATCH(ssl_verifyclient);
324
	PATCH(ssl_verifyclient_enforce);
325
	PATCH(ssl_verifyclient_depth);
326
	PATCH(ssl_verifyclient_username);
327

  
306 328
	return 0;
307 329
}
308 330

  
......
351 373
				PATCH(etag_use_size);
352 374
			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.pemfile"))) {
353 375
				PATCH(ssl_pemfile);
376
				PATCH(ssl_ctx);
354 377
			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.ca-file"))) {
355 378
				PATCH(ssl_ca_file);
356 379
			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv2"))) {
......
391 414
				PATCH(global_kbytes_per_second);
392 415
				PATCH(global_bytes_per_second_cnt);
393 416
				con->conf.global_bytes_per_second_cnt_ptr = &s->global_bytes_per_second_cnt;
417
			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.activate"))) {
418
			        PATCH(ssl_verifyclient);
419
			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.enforce"))) {
420
			        PATCH(ssl_verifyclient_enforce);
421
			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.depth"))) {
422
			       PATCH(ssl_verifyclient_depth);
423
			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.verifyclient.username"))) {
424
			       PATCH(ssl_verifyclient_username);
394 425
			}
395 426
		}
396 427
	}
src/connections.c 2009-06-11 16:54:30.000000000 +0300 → src/connections.c 2009-09-29 22:16:53.000000000 +0300
667 667
	CLEAN(server_name);
668 668
	CLEAN(error_handler);
669 669
	CLEAN(dst_addr_buf);
670
#if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT
671
	CLEAN(tlsext_server_name);
672
#endif
670 673

  
671 674
#undef CLEAN
672 675
	con->write_queue = chunkqueue_init();
......
731 734
		CLEAN(server_name);
732 735
		CLEAN(error_handler);
733 736
		CLEAN(dst_addr_buf);
737
#if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT
738
		CLEAN(tlsext_server_name);
739
#endif
734 740
#undef CLEAN
735 741
		free(con->plugin_ctx);
736 742
		free(con->cond_cache);
......
1341 1347
				return NULL;
1342 1348
			}
1343 1349

  
1350
#ifndef OPENSSL_NO_TLSEXT
1351
			SSL_set_app_data(con->ssl, con);
1352
#endif
1344 1353
			SSL_set_accept_state(con->ssl);
1345 1354
			con->conf.is_ssl=1;
1346 1355

  
src/network.c 2009-04-26 20:51:55.000000000 +0300 → src/network.c 2009-09-30 15:51:25.000000000 +0300
62 62
	return HANDLER_GO_ON;
63 63
}
64 64

  
65
#if defined USE_OPENSSL && ! defined OPENSSL_NO_TLSEXT
66
int network_ssl_servername_callback(SSL *ssl, int *al, server *srv) {
67
	const char *servername;
68
	connection *con = (connection *) SSL_get_app_data(ssl);
69
	specific_config *s = &con->conf;
70

  
71
	buffer_copy_string(con->uri.scheme, "https");
72

  
73
	if (NULL == (servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
74
		log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
75
				"failed to get TLS server name");
76
		return SSL_TLSEXT_ERR_NOACK;
77
	}
78
	buffer_copy_string(con->tlsext_server_name, servername);
79
	buffer_to_lower(con->tlsext_server_name);
80

  
81
	config_cond_cache_reset(srv, con);
82
	config_setup_connection(srv, con);
83

  
84
	config_patch_connection(srv, con, COMP_SERVER_SOCKET);
85
	config_patch_connection(srv, con, COMP_HTTP_SCHEME);
86
	config_patch_connection(srv, con, COMP_HTTP_HOST);
87

  
88
	if (NULL == con->conf.ssl_ctx) {
89
		log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
90
				"null SSL_CTX for TLS server name", con->tlsext_server_name);
91
		return SSL_TLSEXT_ERR_ALERT_FATAL;
92
	}
93

  
94
	/* switch to new SSL_CTX in reaction to a client's server_name extension */
95
	if (con->conf.ssl_ctx != SSL_set_SSL_CTX(ssl, con->conf.ssl_ctx)) {
96
		log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
97
				"failed to set SSL_CTX for TLS server name", con->tlsext_server_name);
98
		return SSL_TLSEXT_ERR_ALERT_FATAL;
99
	}
100

  
101
	SSL_set_options(ssl, SSL_CTX_get_options(con->conf.ssl_ctx));
102

  
103
	if ((SSL_get_verify_mode(ssl) == SSL_VERIFY_NONE) ||
104
            (SSL_num_renegotiations(ssl) == 0)) {
105
		SSL_set_verify(ssl, SSL_CTX_get_verify_mode(con->conf.ssl_ctx),
106
			 SSL_CTX_get_verify_callback(con->conf.ssl_ctx));
107
        }
108

  
109
	return SSL_TLSEXT_ERR_OK;
110
}
111
#endif
112

  
65 113
static int network_server_init(server *srv, buffer *host_token, specific_config *s) {
66 114
	int val;
67 115
	socklen_t addr_len;
......
308 356

  
309 357
	if (s->is_ssl) {
310 358
#ifdef USE_OPENSSL
311
		if (srv->ssl_is_init == 0) {
312
			SSL_load_error_strings();
313
			SSL_library_init();
314
			srv->ssl_is_init = 1;
315

  
316
			if (0 == RAND_status()) {
317
				log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
318
						"not enough entropy in the pool");
319
				return -1;
320
			}
321
		}
322

  
323
		if (NULL == (s->ssl_ctx = SSL_CTX_new(SSLv23_server_method()))) {
324
			log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
325
					ERR_error_string(ERR_get_error(), NULL));
326
			return -1;
327
		}
328

  
329
		if (!s->ssl_use_sslv2) {
330
			/* disable SSLv2 */
331
			if (SSL_OP_NO_SSLv2 != SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2)) {
332
				log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
333
						ERR_error_string(ERR_get_error(), NULL));
334
				return -1;
335
			}
336
		}
337

  
338
		if (!buffer_is_empty(s->ssl_cipher_list)) {
339
			/* Disable support for low encryption ciphers */
340
			if (SSL_CTX_set_cipher_list(s->ssl_ctx, s->ssl_cipher_list->ptr) != 1) {
341
				log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
342
						ERR_error_string(ERR_get_error(), NULL));
343
				return -1;
344
			}
345
		}
346

  
347
		if (buffer_is_empty(s->ssl_pemfile)) {
359
		if (NULL == (srv_socket->ssl_ctx = s->ssl_ctx)) {
348 360
			log_error_write(srv, __FILE__, __LINE__, "s", "ssl.pemfile has to be set");
349 361
			return -1;
350 362
		}
351

  
352
		if (!buffer_is_empty(s->ssl_ca_file)) {
353
			if (1 != SSL_CTX_load_verify_locations(s->ssl_ctx, s->ssl_ca_file->ptr, NULL)) {
354
				log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
355
						ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
356
				return -1;
357
			}
358
		}
359

  
360
		if (SSL_CTX_use_certificate_file(s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
361
			log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
362
					ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
363
			return -1;
364
		}
365

  
366
		if (SSL_CTX_use_PrivateKey_file (s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
367
			log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
368
					ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
369
			return -1;
370
		}
371

  
372
		if (SSL_CTX_check_private_key(s->ssl_ctx) != 1) {
373
			log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:",
374
					"Private key does not match the certificate public key, reason:",
375
					ERR_error_string(ERR_get_error(), NULL),
376
					s->ssl_pemfile);
377
			return -1;
378
		}
379
		SSL_CTX_set_default_read_ahead(s->ssl_ctx, 1);
380
		SSL_CTX_set_mode(s->ssl_ctx, SSL_CTX_get_mode(s->ssl_ctx) | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
381

  
382
		srv_socket->ssl_ctx = s->ssl_ctx;
383 363
#else
384 364

  
385 365
		buffer_free(srv_socket->srv_token);
......
492 472
		{ NETWORK_BACKEND_UNSET,        	NULL }
493 473
	};
494 474

  
475
#ifdef USE_OPENSSL
476
	/* load SSL certificates */
477
	for (i = 0; i < srv->config_context->used; i++) {
478
		data_config *dc = (data_config *)srv->config_context->data[i];
479
		specific_config *s = srv->config_storage[i];
480

  
481
		if (buffer_is_empty(s->ssl_pemfile)) continue;
482

  
483
#ifdef OPENSSL_NO_TLSEXT
484
		if (COMP_HTTP_HOST == dc->comp) {
485
		    log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
486
				    "can't use ssl.pemfile with $HTTP[\"host\"], openssl version does not support TLS extensions");
487
		    return -1;
488
		}
489
#endif
490

  
491
		if (srv->ssl_is_init == 0) {
492
			SSL_load_error_strings();
493
			SSL_library_init();
494
			srv->ssl_is_init = 1;
495

  
496
			if (0 == RAND_status()) {
497
				log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
498
						"not enough entropy in the pool");
499
				return -1;
500
			}
501
		}
502

  
503
		if (NULL == (s->ssl_ctx = SSL_CTX_new(SSLv23_server_method()))) {
504
			log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
505
					ERR_error_string(ERR_get_error(), NULL));
506
			return -1;
507
		}
508

  
509
		if (!s->ssl_use_sslv2) {
510
			/* disable SSLv2 */
511
			if (SSL_OP_NO_SSLv2 != SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2)) {
512
				log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
513
						ERR_error_string(ERR_get_error(), NULL));
514
				return -1;
515
			}
516
		}
517

  
518
		if (!buffer_is_empty(s->ssl_cipher_list)) {
519
			/* Disable support for low encryption ciphers */
520
			if (SSL_CTX_set_cipher_list(s->ssl_ctx, s->ssl_cipher_list->ptr) != 1) {
521
				log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
522
						ERR_error_string(ERR_get_error(), NULL));
523
				return -1;
524
			}
525
		}
526

  
527
		if (SSL_CTX_use_certificate_file(s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
528
			log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
529
					ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
530
			return -1;
531
		}
532

  
533
		if (SSL_CTX_use_PrivateKey_file (s->ssl_ctx, s->ssl_pemfile->ptr, SSL_FILETYPE_PEM) < 0) {
534
			log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
535
					ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
536
			return -1;
537
		}
538

  
539
		if (SSL_CTX_check_private_key(s->ssl_ctx) != 1) {
540
			log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:",
541
					"Private key does not match the certificate public key, reason:",
542
					ERR_error_string(ERR_get_error(), NULL),
543
					s->ssl_pemfile);
544
			return -1;
545
		}
546
		SSL_CTX_set_default_read_ahead(s->ssl_ctx, 1);
547
		SSL_CTX_set_mode(s->ssl_ctx, SSL_CTX_get_mode(s->ssl_ctx) | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
548

  
549
		if (!buffer_is_empty(s->ssl_ca_file)) {
550
			if (1 != SSL_CTX_load_verify_locations(s->ssl_ctx, s->ssl_ca_file->ptr, NULL)) {
551
				log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
552
						ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
553
				return -1;
554
			}
555
			if (s->ssl_verifyclient) { 			  
556
				STACK_OF(X509_NAME) *certs = SSL_load_client_CA_file(s->ssl_ca_file->ptr);
557
				if (!certs) {
558
					log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
559
							ERR_error_string(ERR_get_error(), NULL), s->ssl_ca_file);
560
				}
561
				if (!buffer_is_empty(s->server_name)) {
562
					if (SSL_CTX_set_session_id_context(s->ssl_ctx, (unsigned const char*)CONST_BUF_LEN(s->server_name)) != 1) { 
563
						log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", 
564
							ERR_error_string(ERR_get_error(), NULL)); 
565
							return -1; 
566
					}
567
				} else {
568
					log_error_write(
569
						srv, __FILE__, __LINE__, "s",
570
						"SSL: You specified ssl.verifyclient.activate but no server.name"
571
					);
572
				}
573
				SSL_CTX_set_client_CA_list(s->ssl_ctx, certs);
574
				SSL_CTX_set_verify(
575
					s->ssl_ctx,
576
					SSL_VERIFY_PEER | (s->ssl_verifyclient_enforce ? SSL_VERIFY_FAIL_IF_NO_PEER_CERT : 0),
577
					NULL
578
				); 
579
				SSL_CTX_set_verify_depth(s->ssl_ctx, s->ssl_verifyclient_depth);
580
				}
581
		} else if (s->ssl_verifyclient) {
582
			log_error_write(
583
				srv, __FILE__, __LINE__, "s",
584
				"SSL: You specified ssl.verifyclient.activate but no ca_file"
585
				);
586
		}
587

  
588
#ifndef OPENSSL_NO_TLSEXT
589
		if (!SSL_CTX_set_tlsext_servername_callback(s->ssl_ctx, network_ssl_servername_callback) ||
590
		    !SSL_CTX_set_tlsext_servername_arg(s->ssl_ctx, srv)) {
591
			log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
592
					"failed to initialize TLS servername callback, openssl library does not support TLS servername extension");
593
			return -1;
594
		}
595
#endif
596
	}
597
#endif
598

  
495 599
	b = buffer_init();
496 600

  
497 601
	buffer_copy_string_buffer(b, srv->srvconf.bindhost);
src/response.c 2009-06-19 20:22:37.000000000 +0300 → src/response.c 2009-09-29 22:34:08.000000000 +0300
129 129
	return 0;
130 130
}
131 131

  
132

  
132
#ifdef USE_OPENSSL
133
static void https_add_ssl_entries(connection *con) {
134
	X509 *xs;
135
	X509_NAME *xn;
136
	X509_NAME_ENTRY *xe;
137
	data_string *envcv;
138

  
139
    if (NULL == (envcv = (data_string *)array_get_unused_element(con->environment, TYPE_STRING))) {
140
		envcv = data_string_init();
141
    }
142
	buffer_copy_string_len(envcv->key, CONST_STR_LEN("SSL_CLIENT_VERIFY"));
143

  
144
	if (
145
		SSL_get_verify_result(con->ssl) != X509_V_OK
146
		|| !(xs = SSL_get_peer_certificate(con->ssl))
147
	) {
148
		buffer_copy_string_len(envcv->value, CONST_STR_LEN("FAILED:"));
149
		array_insert_unique(con->environment, (data_unset *)envcv);
150
		return;
151
	} else {
152
		buffer_copy_string_len(envcv->value, CONST_STR_LEN("SUCCESS"));
153
		array_insert_unique(con->environment, (data_unset *)envcv);
154
    }
155
	
156
	xn = X509_get_subject_name(xs);
157
	for (int i = 0, nentries = X509_NAME_entry_count(xn); i < nentries; ++i) {
158
		int xobjnid;
159
		const char * xobjsn;
160
		data_string *envds;
161

  
162
		if (!(xe = X509_NAME_get_entry(xn, i))) {
163
			continue;
164
		}
165
		xobjnid = OBJ_obj2nid((ASN1_OBJECT*)X509_NAME_ENTRY_get_object(xe));
166
		xobjsn = OBJ_nid2sn(xobjnid);
167
		if (!xobjsn) {
168
			continue;
169
		}
170
		
171
		if (NULL == (envds = (data_string *)array_get_unused_element(con->environment, TYPE_STRING))) {
172
			envds = data_string_init();
173
		}
174
		buffer_copy_string_len(envds->key, CONST_STR_LEN("SSL_CLIENT_S_DN_"));
175
		buffer_append_string(envds->key, xobjsn);
176
		buffer_copy_string(
177
			envds->value,
178
			(const char *)xe->value->data
179
		);
180
		if (buffer_is_equal(con->conf.ssl_verifyclient_username, envds->key)) {
181
			buffer_copy_string_buffer(con->authed_user, envds->value);
182
		}
183
		array_insert_unique(con->environment, (data_unset *)envds);
184
	}
185
	X509_free(xs);
186
}
187
#endif
133 188

  
134 189
handler_t http_response_prepare(server *srv, connection *con) {
135 190
	handler_t r;
......
328 383
		 *
329 384
		 */
330 385

  
331

  
332

  
386
#ifdef USE_OPENSSL
387
		if (con->conf.is_ssl && con->conf.ssl_verifyclient) {
388
			https_add_ssl_entries(con);
389
		}
390
#endif
333 391

  
334 392
		/* 1. stat()
335 393
		 * ... ISREG() -> ok, go on
src/server.c 2009-06-11 12:44:17.000000000 +0300 → src/server.c 2009-09-29 22:35:26.000000000 +0300
304 304
			buffer_free(s->ssl_cipher_list);
305 305
			buffer_free(s->error_handler);
306 306
			buffer_free(s->errorfile_prefix);
307
			buffer_free(s->ssl_verifyclient_username);
307 308
			array_free(s->mimetypes);
308 309
#ifdef USE_OPENSSL
309 310
			SSL_CTX_free(s->ssl_ctx);