authorDaniel Baumann <daniel.baumann@progress-linux.org>2023-06-14 19:20:33 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2023-06-14 19:20:33 +0000
commit6cf8f2d5174a53f582e61d715edbb88d6e3367cc (patch)
tree78cec0fd8d09c4a6a052461d42f4b2be3af6d396 /web/server/static
parentAdding upstream version 1.39.1. (diff)
Adding upstream version 1.40.0.upstream/1.40.0
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'web/server/static')
-rw-r--r--web/server/static/static-threaded.c59
1 files changed, 20 insertions, 39 deletions
diff --git a/web/server/static/static-threaded.c b/web/server/static/static-threaded.c
index 52bb56cd6..4cb3dcd92 100644
--- a/web/server/static/static-threaded.c
+++ b/web/server/static/static-threaded.c
@@ -211,58 +211,32 @@ static void *web_server_add_callback(POLLINFO *pi, short int *events, void *data
}
#ifdef ENABLE_HTTPS
- if ((!web_client_check_unix(w)) && (netdata_ssl_srv_ctx)) {
- if( sock_delnonblock(w->ifd) < 0 ){
- error("Web server cannot remove the non-blocking flag from socket %d",w->ifd);
- }
+ if ((!web_client_check_unix(w)) && (netdata_ssl_web_server_ctx)) {
+ sock_delnonblock(w->ifd);
//Read the first 7 bytes from the message, but the message
//is not removed from the queue, because we are using MSG_PEEK
char test[8];
- if ( recv(w->ifd,test, 7,MSG_PEEK) == 7 ) {
- test[7] = 0x00;
+ if ( recv(w->ifd,test, 7, MSG_PEEK) == 7 ) {
+ test[7] = '\0';
}
else {
- //Case I do not have success to read 7 bytes,
- //this means that the mensage was not completely read, so
- //I cannot identify it yet.
+ // we couldn't read 7 bytes
sock_setnonblock(w->ifd);
goto cleanup;
}
- //The next two ifs are not together because I am reusing SSL structure
- if (!w->ssl.conn)
- {
- w->ssl.conn = SSL_new(netdata_ssl_srv_ctx);
- if ( w->ssl.conn ) {
- SSL_set_accept_state(w->ssl.conn);
- } else {
- error("Failed to create SSL context on socket fd %d.", w->ifd);
- if (test[0] < 0x18){
- WEB_CLIENT_IS_DEAD(w);
- sock_setnonblock(w->ifd);
- goto cleanup;
- }
- }
+ if(test[0] > 0x17) {
+ // no SSL
+ netdata_ssl_close(&w->ssl); // free any previous SSL data
}
-
- if (w->ssl.conn) {
- if (SSL_set_fd(w->ssl.conn, w->ifd) != 1) {
- error("Failed to set the socket to the SSL on socket fd %d.", w->ifd);
- //The client is not set dead, because I received a normal HTTP request
- //instead a Client Hello(HTTPS).
- if ( test[0] < 0x18 ){
- WEB_CLIENT_IS_DEAD(w);
- }
- }
- else{
- w->ssl.flags = security_process_accept(w->ssl.conn, (int)test[0]);
- }
+ else {
+ // SSL
+ if(!netdata_ssl_open(&w->ssl, netdata_ssl_web_server_ctx, w->ifd) || !netdata_ssl_accept(&w->ssl))
+ WEB_CLIENT_IS_DEAD(w);
}
sock_setnonblock(w->ifd);
- } else{
- w->ssl.flags = NETDATA_SSL_NO_HANDSHAKE;
}
#endif
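Review bot: The protocol sniff on the new line `if(test[0] > 0x17)` compares a plain `char`, whose signedness is implementation-defined: on targets where `char` is signed, any first byte of 0x80 or above compares negative and is routed to the TLS path (`netdata_ssl_open`/`netdata_ssl_accept`), while on unsigned-`char` targets the same byte takes the plaintext path, so the same client bytes are classified differently across platforms. Compare as a byte instead: `if((unsigned char)test[0] > 0x17) {`. Separately, `sock_delnonblock(w->ifd)` followed by a blocking `recv(..., MSG_PEEK)` lets a client that connects and sends nothing hold this worker thread until data arrives, unless a receive timeout is set on the socket elsewhere; the previous version had the same pattern and this change does not add one, and the dropped error log on `sock_delnonblock()` failure means a socket left non-blocking now silently falls into the `goto cleanup` branch. The enclosing function web_server_add_callback and the `cleanup` label lie outside the hunk.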
@@ -525,9 +499,15 @@ void *socket_listen_main_static_threaded(void *ptr) {
if(!api_sockets.opened)
fatal("LISTENER: no listen sockets available.");
+ netdata_ssl_validate_certificate = !config_get_boolean(CONFIG_SECTION_WEB, "ssl skip certificate verification", !netdata_ssl_validate_certificate);
+
+ if(!netdata_ssl_validate_certificate_sender)
+ info("SSL: web server will skip SSL certificates verification.");
+
#ifdef ENABLE_HTTPS
- security_start_ssl(NETDATA_SSL_CONTEXT_SERVER);
+ netdata_ssl_initialize_ctx(NETDATA_SSL_WEB_SERVER_CTX);
#endif
+
// 6 threads is the optimal value
// since 6 are the parallel connections browsers will do
// so, if the machine has more CPUs, avoid using resources unnecessarily
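Review bot: The log gate `if(!netdata_ssl_validate_certificate_sender)` tests a different flag from the one the line above just assigned (`netdata_ssl_validate_certificate`, read from the `ssl skip certificate verification` option), so the "web server will skip SSL certificates verification" message is printed or suppressed independently of the setting it describes; it should be `if(!netdata_ssl_validate_certificate)`. The three new lines also sit outside the `#ifdef ENABLE_HTTPS` block that immediately follows, so if those globals and the option are only declared under that macro the non-TLS build will fail to compile — worth confirming against their declaration, which is not in this file. Since disabling certificate verification is a security-relevant choice, a more prominent log level than `info()` would make it easier to spot in an audit, if the logging API provides one. The enclosing function socket_listen_main_static_threaded starts before the hunk.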
@@ -541,6 +521,7 @@ void *socket_listen_main_static_threaded(void *ptr) {
static_threaded_workers_count = config_get_number(CONFIG_SECTION_WEB, "web server threads", def_thread_count);
if (static_threaded_workers_count < 1) static_threaded_workers_count = 1;
+
#ifdef ENABLE_HTTPS
// See https://github.com/netdata/netdata/issues/11081#issuecomment-831998240 for more details
if (OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_110) {