This is necessary now client certificates are supported.
Without it, an attempt to resume a session fails with
"ssl_get_prev_session:session id context uninitialized".
Set SSL_VERIFY_PEER to request a client certificate from the server,
when available. Have to shim the certificate verification function or
else it will fail on self-signed client certs.
In serve_cgi retrieve client certificate, create a fingerprint, and set
proper environment variables. It's pretty barebones, it doesn't parse
the certificate to give any other useful info like the common name, but
it's acceptable IMO. For most CGI uses the fingerprint is the only
thing that is needed anyways.
This fixes an issue where rustls failed to validate the X509v1 certificate.
Tested with Amfora, av-98, and titan (https://github.com/mkeeter/titan)
This requires fresh certificates, which could break clients with strict
trust-on-first-use policies; unfortunately, it doesn't appear to be possible
to migrate v1 certificates to v3.
The open syscall will return a negative value if the call fails. Switch
the check to look for this instead of 0.
before:
[gmnisrv] generating certificate for localhost
gmnisrv: src/tls.c:68: tls_host_gencert: Assertion `pf' failed.
abort (core dumped) ./gmnisrv -C config.ini
after:
[gmnisrv] generating certificate for localhost
[gmnisrv] opening private key for writing failed: No such file or directory
[gmnisrv] TLS initialization failed
Signed-off-by: William Casarin <jb55@jb55.com>
We'll later want to set these on the SSL object (rather than SSL_CTX),
so move these into the host struct for later access.
We'll prefer to set it on the SSL object so that we can automatically
use an up-to-date certificate, per ~sircmpwn/gmni#26.