Bug #2433

closed

Plugins are unable to implement RFC2817 due to lighttpd limitations

Added by quatre over 11 years ago. Updated almost 11 years ago.

Status:
Wontfix
Priority:
Normal
Category:
core
Target version:
-

Description

RFC2817 describes how a client can request that an unencrypted connection can be upgraded to an encrypted connection.

The plugin architecture of lighttpd should allow a plugin to implement RFC2817. However, there are two limitations with how SSL connections are handled. Following are the two issues, and the two small patches I believe necessary to address the issues. If you have any questions, please let me know. I am not completely familiar with all of lighttpd, and may have missed something obvious.

1) The web server determines if SSL should be used for reading from
a socket based on the value of con->conf.is_ssl (a configuration
for a given socket) and writing is based on srv_socket->is_ssl
(the settings on the listening socket). These values should be
the same. However, if a connection is upgraded from unencrypted to
encrypted, the connection may change its state and the settings
for the listening socket should not. To fix this, all
writing decisions should be based on the con->conf.is_ssl variable.

--- a/src/src/network.c
+++ b/src/src/network.c
@ -877,7 +877,7 @ int network_write_chunkqueue(server *srv, connection *con, chunkqueue *cq) {
}
#endif

- if (srv_socket->is_ssl) {
+ if (con->conf.is_ssl) {
#ifdef USE_OPENSSL
ret = srv->network_ssl_backend_write(srv, con, con->ssl, cq);
#endif
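Review bot: keying the write path on con->conf.is_ssl is only safe together with the response.c change in this same report, because con->conf is rebuilt on every request by config_setup_connection; on its own, this hunk will call `srv->network_ssl_backend_write(srv, con, con->ssl, cq)` for a connection whose con->ssl was never set up as soon as the server-wide ssl.engine setting marks it is_ssl = 1. Guard the TLS branch on con->ssl being non-NULL (or on a connection-level flag set only after a completed handshake), and submit the two hunks as one patch since neither works without the other.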

2) On a typical web server configuration, unencrypted connections do
not have SSL enabled. That means that an unencrypted connection
will have difficulty upgrading to encrypted, as it has nowhere
to grab the SSL information from. If all connections are
set to SSL enabled (but not necessarily using SSL), there is one place
that unencrypted sockets are being improperly marked as encrypted.
This is in response.c:http_response_prepare. In this function,
config_setup_connection will mark an unencrypted socket as encrypted
if the server has SSL enabled for all connections.

--- a/src/src/response.c
+++ b/src/src/response.c
@ -237,6 +237,19 @ handler_t http_response_prepare(server srv, connection *con) {
config_cond_cache_reset(srv, con);
config_setup_connection(srv, con); /
Perhaps this could be removed at other places. */

#ifdef USE_OPENSSL
/*
+ * patch con->conf.is_ssl, as it is overwritten by config_setup_connection.
+ * This is relevant, as if the server enabled SSL on all ports, but only
+ * some ports are actually using it, all connections can be upgraded
+ * from unencrypted to encrypted, and its state is based on the value
+ * of con->conf.is_ssl. However, config_setup_connection will set
+ * con->conf.is_ssl = 1 as the server allows ssl on the connection,
+ * not because ssl is used on the connection.
+ /
+ con->conf.is_ssl = ((server_socket
)con->srv_socket)->is_ssl;
#endif

if (con->conf.log_condition_handling) {
log_error_write(srv, FILE, LINE, "s", "run condition");
}
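Review bot: the added assignment `con->conf.is_ssl = ((server_socket)con->srv_socket)->is_ssl;` overwrites the very value the comment says the connection's upgraded state lives in, with a listening-socket setting that never changes: on a keep-alive connection that was upgraded on a plaintext port, the next http_response_prepare() call sets is_ssl back to 0 and the patched network_write_chunkqueue() writes the response in plaintext on what the client treats as a TLS connection. The upgrade state needs to live in a field that config_setup_connection does not rewrite, and both the read and the write decision should consult that field. Also, as pasted the cast `(server_socket )con->srv_socket` and the comment terminator on the `+ /` line have lost their `*` characters, so the hunk does not compile as shown; please attach the patch as a file.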

For completeness, the following is added to my lighttpd.conf file to allow for a connection to upgrade from unencrypted to encrypted. It results in all connections receiving ssl information in con->conf. Connections can then use this information to make the upgrade. These additions to the conf file make point #2 above necessary. If there is a better way to do this, let me know!

ssl.engine = "enable",
ssl.pemfile = "/var/fs/security/certs/HttpsCred.pem",
ssl.use-sslv3 = "enable"
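To make the state bookkeeping concrete, here is an added toy model in C (not lighttpd code; the struct layouts, function names and the tls_active flag are stand-ins chosen for this illustration). It plays through the report's own scenario: con->conf.is_ssl is rebuilt on each request while an upgraded connection on a plaintext listener must keep its TLS state across requests.

```c
/* Added toy model, not lighttpd code: struct layouts, function names and the
 * tls_active flag are stand-ins for this illustration. */
#include <stdio.h>
#include <string.h>

typedef struct { int is_ssl; } server_socket;   /* listening socket setting */
typedef struct {
    server_socket *srv_socket;
    struct { int is_ssl; } conf;  /* per-request config, rebuilt every request */
    int tls_active;               /* assumed connection-level flag, set at upgrade */
} connection;

static const int server_ssl_engine_enabled = 1; /* ssl.engine = "enable" on every socket */
/* Stand-in for config_setup_connection(): copies the server-wide setting in. */
static void config_setup_connection(connection *con) {
    con->conf.is_ssl = server_ssl_engine_enabled;
}
/* Stand-in for http_response_prepare() with the report's response.c hunk applied:
 * con->conf.is_ssl is reset from the listening socket after the config pass. */
static void http_response_prepare(connection *con) {
    config_setup_connection(con);
    con->conf.is_ssl = con->srv_socket->is_ssl;
}
/* Write-path choice as in the report's network.c hunk (keyed on con->conf.is_ssl)
 * versus keying on a flag that the per-request config pass never rewrites. */
static const char *write_backend_patched(const connection *con) {
    return con->conf.is_ssl ? "tls" : "plain";
}
static const char *write_backend_flagged(const connection *con) {
    return con->tls_active ? "tls" : "plain";
}
/* Scenario: plaintext listener on port 80, a plugin performs the RFC 2817 upgrade
 * during request 1, then request 2 arrives on the same keep-alive connection.
 * Returns the backend the second response would be written with. */
static const char *second_response_backend(int use_flag) {
    server_socket port80 = { 0 };
    connection con = { &port80, { 0 }, 0 };
    http_response_prepare(&con);  /* request 1: plaintext */
    con.conf.is_ssl = 1;          /* plugin records the upgrade in conf... */
    con.tls_active = 1;           /* ...and in the assumed connection flag */
    http_response_prepare(&con);  /* request 2: config pass runs again */
    return use_flag ? write_backend_flagged(&con) : write_backend_patched(&con);
}

int main(void) {
    printf("conf.is_ssl decides: %s\n", second_response_backend(0)); /* plain */
    printf("tls_active decides:  %s\n", second_response_backend(1)); /* tls */
    return 0;
}
```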

#1

Updated by stbuehler over 11 years ago

  • Status changed from New to Wontfix
  • if tls/ssl is mandatory, just use https
  • if it is optional, a mitm could just remove the upgrade header - no added security
  • the only reason to use this is if you have to use port 80 instead of 443

Given that lighttpd 1.4 is a stable branch now and this looks like a major core change I don't want to add this.

#2

Updated by stbuehler almost 11 years ago

  • Target version deleted (1.4.x)