summaryrefslogtreecommitdiffstats
path: root/web/server/static
diff options
context:
space:
mode:
Diffstat (limited to 'web/server/static')
-rw-r--r--web/server/static/static-threaded.c59
1 files changed, 20 insertions, 39 deletions
diff --git a/web/server/static/static-threaded.c b/web/server/static/static-threaded.c
index 52bb56cd6..4cb3dcd92 100644
--- a/web/server/static/static-threaded.c
+++ b/web/server/static/static-threaded.c
@@ -211,58 +211,32 @@ static void *web_server_add_callback(POLLINFO *pi, short int *events, void *data
}
#ifdef ENABLE_HTTPS
- if ((!web_client_check_unix(w)) && (netdata_ssl_srv_ctx)) {
- if( sock_delnonblock(w->ifd) < 0 ){
- error("Web server cannot remove the non-blocking flag from socket %d",w->ifd);
- }
+ if ((!web_client_check_unix(w)) && (netdata_ssl_web_server_ctx)) {
+ sock_delnonblock(w->ifd);
//Read the first 7 bytes from the message, but the message
//is not removed from the queue, because we are using MSG_PEEK
char test[8];
- if ( recv(w->ifd,test, 7,MSG_PEEK) == 7 ) {
- test[7] = 0x00;
+ if ( recv(w->ifd,test, 7, MSG_PEEK) == 7 ) {
+ test[7] = '\0';
}
else {
- //Case I do not have success to read 7 bytes,
- //this means that the mensage was not completely read, so
- //I cannot identify it yet.
+ // we couldn't read 7 bytes
sock_setnonblock(w->ifd);
goto cleanup;
}
- //The next two ifs are not together because I am reusing SSL structure
- if (!w->ssl.conn)
- {
- w->ssl.conn = SSL_new(netdata_ssl_srv_ctx);
- if ( w->ssl.conn ) {
- SSL_set_accept_state(w->ssl.conn);
- } else {
- error("Failed to create SSL context on socket fd %d.", w->ifd);
- if (test[0] < 0x18){
- WEB_CLIENT_IS_DEAD(w);
- sock_setnonblock(w->ifd);
- goto cleanup;
- }
- }
+ if(test[0] > 0x17) {
+ // no SSL
+ netdata_ssl_close(&w->ssl); // free any previous SSL data
}
-
- if (w->ssl.conn) {
- if (SSL_set_fd(w->ssl.conn, w->ifd) != 1) {
- error("Failed to set the socket to the SSL on socket fd %d.", w->ifd);
- //The client is not set dead, because I received a normal HTTP request
- //instead a Client Hello(HTTPS).
- if ( test[0] < 0x18 ){
- WEB_CLIENT_IS_DEAD(w);
- }
- }
- else{
- w->ssl.flags = security_process_accept(w->ssl.conn, (int)test[0]);
- }
+ else {
+ // SSL
+ if(!netdata_ssl_open(&w->ssl, netdata_ssl_web_server_ctx, w->ifd) || !netdata_ssl_accept(&w->ssl))
+ WEB_CLIENT_IS_DEAD(w);
}
sock_setnonblock(w->ifd);
- } else{
- w->ssl.flags = NETDATA_SSL_NO_HANDSHAKE;
}
#endif
@@ -525,9 +499,15 @@ void *socket_listen_main_static_threaded(void *ptr) {
if(!api_sockets.opened)
fatal("LISTENER: no listen sockets available.");
+ netdata_ssl_validate_certificate = !config_get_boolean(CONFIG_SECTION_WEB, "ssl skip certificate verification", !netdata_ssl_validate_certificate);
+
+ if(!netdata_ssl_validate_certificate_sender)
+ info("SSL: web server will skip SSL certificates verification.");
+
#ifdef ENABLE_HTTPS
- security_start_ssl(NETDATA_SSL_CONTEXT_SERVER);
+ netdata_ssl_initialize_ctx(NETDATA_SSL_WEB_SERVER_CTX);
#endif
+
// 6 threads is the optimal value
// since 6 are the parallel connections browsers will do
// so, if the machine has more CPUs, avoid using resources unnecessarily
@@ -541,6 +521,7 @@ void *socket_listen_main_static_threaded(void *ptr) {
static_threaded_workers_count = config_get_number(CONFIG_SECTION_WEB, "web server threads", def_thread_count);
if (static_threaded_workers_count < 1) static_threaded_workers_count = 1;
+
#ifdef ENABLE_HTTPS
// See https://github.com/netdata/netdata/issues/11081#issuecomment-831998240 for more details
if (OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_110) {