Mirror
/
acmed
mirror of https://github.com/breard-r/acmed.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
120 Commits
12 Branches
27 Tags
2.2 MiB
Tree: d897e015c5
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'd897e015c5'
${ noResults }
acmed/tacd/src/openssl_server.rs

55 lines
1.9 KiB
Raw Normal View History

Create an abstraction around the certificate As for public and private keys, the certificate should also be abstracted. rel #2
6 years ago
Add tacd, a daemon for the tls-alpn-01 challenge ACMEd should and will remain as simple as possible and let the user alone take care of the challenge validation. However, this philosophy does not forbid the project itself to distribute additional tools that are designed to improve the user experience. Because the TLS-ALPN ecosystem is currently very slim, adding tacd is really benefic to ACMEd.
6 years ago
Support OpenSSL 1.0 AlpnError::ALERT_FATAL has been added in OpenSSL 1.1.0, hence build will fail on any previous version. This commit allows older versions to fall back to AlpnError::NOACK instead.
6 years ago
Add tacd, a daemon for the tls-alpn-01 challenge ACMEd should and will remain as simple as possible and let the user alone take care of the challenge validation. However, this philosophy does not forbid the project itself to distribute additional tools that are designed to improve the user experience. Because the TLS-ALPN ecosystem is currently very slim, adding tacd is really benefic to ACMEd.
6 years ago
Allow tacd to listen on a unix socket
6 years ago
Support OpenSSL 1.0 AlpnError::ALERT_FATAL has been added in OpenSSL 1.1.0, hence build will fail on any previous version. This commit allows older versions to fall back to AlpnError::NOACK instead.
6 years ago
Allow tacd to listen on a unix socket
6 years ago
Create an abstraction around the certificate As for public and private keys, the certificate should also be abstracted. rel #2
6 years ago
Add tacd, a daemon for the tls-alpn-01 challenge ACMEd should and will remain as simple as possible and let the user alone take care of the challenge validation. However, this philosophy does not forbid the project itself to distribute additional tools that are designed to improve the user experience. Because the TLS-ALPN ecosystem is currently very slim, adding tacd is really benefic to ACMEd.
6 years ago
Change the hook and domains definitions The previous system was too limited when it comes to flexibility using hooks. This limitation came from the false idea that, for a given certificate, all challenges must be validated with the same method. In order to prove that false, domains in a certificate can now make use of any challenge type available. In order to be more flexible, hooks are now given a type and are defined in the same registry (instead of 6). Each one will be called when considered relevant based on its type.
6 years ago
Add tacd, a daemon for the tls-alpn-01 challenge ACMEd should and will remain as simple as possible and let the user alone take care of the challenge validation. However, this philosophy does not forbid the project itself to distribute additional tools that are designed to improve the user experience. Because the TLS-ALPN ecosystem is currently very slim, adding tacd is really benefic to ACMEd.
6 years ago
Create an abstraction around public and private keys Since it is planned to add a "standalone" feature that will replace OpenSSL by crates not linking to any external library, it is required to abstract all the OpenSSL specific types. This is a huge work and therefore is divided in several steps. This first one is dedicated to public and private keys. rel #2
6 years ago
Create an abstraction around the certificate As for public and private keys, the certificate should also be abstracted. rel #2
6 years ago
Add tacd, a daemon for the tls-alpn-01 challenge ACMEd should and will remain as simple as possible and let the user alone take care of the challenge validation. However, this philosophy does not forbid the project itself to distribute additional tools that are designed to improve the user experience. Because the TLS-ALPN ecosystem is currently very slim, adding tacd is really benefic to ACMEd.
6 years ago
Allow tacd to listen on a unix socket
6 years ago
Add tacd, a daemon for the tls-alpn-01 challenge ACMEd should and will remain as simple as possible and let the user alone take care of the challenge validation. However, this philosophy does not forbid the project itself to distribute additional tools that are designed to improve the user experience. Because the TLS-ALPN ecosystem is currently very slim, adding tacd is really benefic to ACMEd.
6 years ago
  1. use acme_common::crypto::{PrivateKey, X509Certificate};
  2. use acme_common::error::Error;
  3. use log::debug;
  4. use openssl::ssl::{self, AlpnError, SslAcceptor, SslMethod};
  5. use std::net::TcpListener;
  6. use std::sync::Arc;
  7. use std::thread;
  9. #[cfg(target_family = "unix")]
  10. use std::os::unix::net::UnixListener;
  12. #[cfg(ossl110)]
  13. const ALPN_ERROR: AlpnError = AlpnError::ALERT_FATAL;
  14. #[cfg(not(ossl110))]
  15. const ALPN_ERROR: AlpnError = AlpnError::NOACK;
  17. macro_rules! listen_and_accept {
  18. ($lt: ident, $addr: ident, $acceptor: ident) => {
  19. let listener = $lt::bind($addr)?;
  20. for stream in listener.incoming() {
  21. if let Ok(stream) = stream {
  22. let acceptor = $acceptor.clone();
  23. thread::spawn(move || {
  24. debug!("New client");
  25. let _ = acceptor.accept(stream).unwrap();
  26. });
  27. };
  28. }
  29. };
  30. }
  32. pub fn start(
  33. listen_addr: &str,
  34. certificate: &X509Certificate,
  35. private_key: &PrivateKey,
  36. ) -> Result<(), Error> {
  37. let mut acceptor = SslAcceptor::mozilla_intermediate(SslMethod::tls())?;
  38. acceptor.set_alpn_select_callback(|_, client| {
  39. debug!("ALPN negociation");
  40. ssl::select_next_proto(crate::ALPN_ACME_PROTO_NAME, client).ok_or(ALPN_ERROR)
  41. });
  42. acceptor.set_private_key(&private_key.inner_key)?;
  43. acceptor.set_certificate(&certificate.inner_cert)?;
  44. acceptor.check_private_key()?;
  45. let acceptor = Arc::new(acceptor.build());
  46. if cfg!(unix) && listen_addr.starts_with("unix:") {
  47. let listen_addr = &listen_addr[5..];
  48. debug!("Listening on unix socket {}", listen_addr);
  49. listen_and_accept!(UnixListener, listen_addr, acceptor);
  50. } else {
  51. debug!("Listening on {}", listen_addr);
  52. listen_and_accept!(TcpListener, listen_addr, acceptor);
  53. }
  54. Err("Main thread loop unexpectedly exited".into())
  55. }