README.md: add maintenance notice
Close some files when too many are open
notify clients about malformed requests
I think this has been broken for a while and I came across it while
implementing my own client. The server should notify the client that the
request is malformed but wasn't sending the response when SSL_read
returned SSL_ERROR_WANT_READ.
set session id context
This is necessary now client certificates are supported.
Without it, an attempt to resume a session fails with
"ssl_get_prev_session:session id context uninitialized".
Check index before serving autoindex
if a directory is being served.
Support REMOTE_USER in CGI
Support TLS_CLIENT_SERIAL_NUMBER in CGI
Use strncpy to build TLS_CLIENT_HASH
strncat on an uninitialized array leads to issues.
disconnect_client: fix index calculation
This was sometimes causing a gmnisrv_client to be overwritten by the
deinitialized client, which occasionally led to a segfault when we
later tried to use it.
Create certificates which last 68 years (INT32_MAX seconds)
This avoids integer overflow on 32-bit architectures.
Fix integer overflow error in tls.c
Move certificate expiration into the far future
Send client certificate hash for CGI scripts.
Set SSL_VERIFY_PEER to request a client certificate from the server,
when available. Have to shim the certificate verification function or
else it will fail on self-signed client certs.
In serve_cgi retrieve client certificate, create a fingerprint, and set
proper environment variables. It's pretty barebones, it doesn't parse
the certificate to give any other useful info like the common name, but
it's acceptable IMO. For most CGI uses the fingerprint is the only
thing that is needed anyways.
ignore SIGCHLD to prevent CGI zombies
with nothing waiting on the forked processes there is no reason not to
reap the CGI process on exit
intended to address issue from mailing list "gmnisrv uses too many
tasks" <163806E8-A16A-463E-8C62-43E903EF1E35@librem.one>
Use v3 X509 certificate
This fixes an issue where rustls failed to validate the X509v1 certificate.
Tested with Amfora, av-98, and titan (https://github.com/mkeeter/titan)
This requires fresh certificates, which could break clients with strict
trust-on-first-use policies; unfortunately, it doesn't appear to be possible
to migrate v1 certificates to v3.
implement handling of ROUTE_EXACT definitions
This patchset implements the handling of exact routes
as described in gmnisrvini(5).
Routing: Fix non-ascii paths
autoindex: fix off-by-one buffer size