From 0aa4b1fb04dafb9767309afa5d6ad6805391670f Mon Sep 17 00:00:00 2001 From: venaas Date: Tue, 23 Sep 2008 15:21:50 +0000 Subject: make clientwr not try to connect (left to reader), changed some timing stuff, issue with statusserver and connection down..., added optional cacheexpiry option for tls blocks git-svn-id: https://svn.testnett.uninett.no/radsecproxy/trunk@398 e88ac4ed-0b26-0410-9574-a7f39faa03bf --- tls.c | 33 ++++++++++++++++++++++----------- 1 file changed, 22 insertions(+), 11 deletions(-) (limited to 'tls.c') diff --git a/tls.c b/tls.c index 8ff92f9..836f3aa 100644 --- a/tls.c +++ b/tls.c @@ -36,6 +36,7 @@ int tlsconnect(struct server *server, struct timeval *when, int timeout, char *t struct timeval now; time_t elapsed; X509 *cert; + SSL_CTX *ctx = NULL; unsigned long error; debug(DBG_DBG, "tlsconnect: called from %s", text); @@ -81,7 +82,14 @@ int tlsconnect(struct server *server, struct timeval *when, int timeout, char *t } SSL_free(server->ssl); - server->ssl = SSL_new(server->conf->ssl_ctx); + server->ssl = NULL; + ctx = tlsgetctx(RAD_TLS, server->conf->tlsconf); + if (!ctx) + continue; + server->ssl = SSL_new(ctx); + if (!server->ssl) + continue; + SSL_set_fd(server->ssl, server->sock); if (SSL_connect(server->ssl) <= 0) { while ((error = ERR_get_error())) @@ -98,6 +106,7 @@ int tlsconnect(struct server *server, struct timeval *when, int timeout, char *t X509_free(cert); } debug(DBG_WARN, "tlsconnect: TLS connection to %s port %s up", server->conf->host, server->conf->port); + server->connectionok = 1; gettimeofday(&server->lastconnecttry, NULL); pthread_mutex_unlock(&server->lock); return 1; @@ -186,21 +195,17 @@ int clientradputtls(struct server *server, unsigned char *rad) { int cnt; size_t len; unsigned long error; - struct timeval lastconnecttry; struct clsrvconf *conf = server->conf; - + + if (!server->connectionok) + return 0; len = RADLEN(rad); - lastconnecttry = server->lastconnecttry; - while ((cnt = SSL_write(server->ssl, rad, len)) <= 0) { + if ((cnt = SSL_write(server->ssl, rad, len)) <= 0) { while ((error = ERR_get_error())) debug(DBG_ERR, "clientradputtls: TLS: %s", ERR_error_string(error, NULL)); - if (server->dynamiclookuparg) - return 0; - tlsconnect(server, &lastconnecttry, 0, "clientradputtls"); - lastconnecttry = server->lastconnecttry; + return 0; } - server->connectionok = 1; debug(DBG_DBG, "clientradputtls: Sent %d bytes, Radius packet of length %d to TLS peer %s", cnt, len, conf->host); return 1; } @@ -325,6 +330,7 @@ void *tlsservernew(void *arg) { struct list_node *cur = NULL; SSL *ssl = NULL; X509 *cert = NULL; + SSL_CTX *ctx = NULL; unsigned long error; struct client *client; @@ -337,7 +343,12 @@ void *tlsservernew(void *arg) { conf = find_clconf(RAD_TLS, (struct sockaddr *)&from, &cur); if (conf) { - ssl = SSL_new(conf->ssl_ctx); + ctx = tlsgetctx(RAD_TLS, conf->tlsconf); + if (!ctx) + goto exit; + ssl = SSL_new(ctx); + if (!ssl) + goto exit; SSL_set_fd(ssl, s); if (SSL_accept(ssl) <= 0) { -- cgit v1.2.3