starttls

Author: lws-team

include/libwebsockets/lws-client.h

@@ -113,6 +113,23 @@ enum lws_client_connect_ssl_connection_flags {
 	 * http cookies in a Netscape Cookie Jar on this connection */
 };
 
+/*
+ * All lws_tls...() functions must return this type, converting the
+ * native backend result and doing the extra work to determine which one
+ * as needed.
+ *
+ * Native TLS backend return codes are NOT ALLOWED outside the backend.
+ *
+ * Non-SSL mode also uses these types.
+ */
+enum lws_ssl_capable_status {
+	LWS_SSL_CAPABLE_ERROR			= -1, /* it failed */
+	LWS_SSL_CAPABLE_DONE			= 0,  /* it succeeded */
+	LWS_SSL_CAPABLE_MORE_SERVICE_READ	= -2, /* retry WANT_READ */
+	LWS_SSL_CAPABLE_MORE_SERVICE_WRITE	= -3, /* retry WANT_WRITE */
+	LWS_SSL_CAPABLE_MORE_SERVICE		= -4, /* general retry */
+};
+
 /** struct lws_client_connect_info - parameters to connect with when using
  *				    lws_client_connect_via_info() */
 
@@ -500,4 +517,32 @@ lws_http_basic_auth_gen2(const char *user, const void *pw, size_t pwd_len,
 LWS_VISIBLE LWS_EXTERN int
 lws_tls_session_is_reused(struct lws *wsi);
 
+/**
+ * lws_tls_client_connect() - perform/progress TLS handshake on client connection
+ *
+ * \param wsi: client connection
+ * \param errbuf: buffer for error string
+ * \param len: length of errbuf
+ *
+ * This is usually handled automatically by lws if LCCSCF_USE_SSL was set on
+ * the connection. However for STARTTLS type protocols, the connection
+ * starts in cleartext and this can be called manually later to perform the
+ * TLS handshake.
+ */
+LWS_VISIBLE LWS_EXTERN enum lws_ssl_capable_status
+lws_tls_client_connect(struct lws *wsi, char *errbuf, size_t len);
+
+/**
+ * lws_tls_client_upgrade() - upgrade a non-TLS client connection to TLS
+ *
+ * \param wsi: client connection
+ * \param ssl_flags: LCCSCF_ flags to apply
+ *
+ * For STARTTLS type protocols, this can be called to transition a RAW
+ * connection to TLS. It handles structure initialization and starts the
+ * handshake.
+ */
+LWS_VISIBLE LWS_EXTERN int
+lws_tls_client_upgrade(struct lws *wsi, int ssl_flags);
+
 ///@}

lib/core/private-lib-core.h

@@ -255,22 +255,9 @@ struct lws_tx_credit {
 
 #undef X509_NAME
 
-/*
- * All lws_tls...() functions must return this type, converting the
- * native backend result and doing the extra work to determine which one
- * as needed.
- *
- * Native TLS backend return codes are NOT ALLOWED outside the backend.
- *
- * Non-SSL mode also uses these types.
- */
-enum lws_ssl_capable_status {
-	LWS_SSL_CAPABLE_ERROR			= -1, /* it failed */
-	LWS_SSL_CAPABLE_DONE			= 0,  /* it succeeded */
-	LWS_SSL_CAPABLE_MORE_SERVICE_READ	= -2, /* retry WANT_READ */
-	LWS_SSL_CAPABLE_MORE_SERVICE_WRITE	= -3, /* retry WANT_WRITE */
-	LWS_SSL_CAPABLE_MORE_SERVICE		= -4, /* general retry */
-};
+ /*
+  * the rest is managed per-context, that includes
+  */
 
 enum lws_context_destroy {
 	LWSCD_NO_DESTROY,		/* running */

lib/tls/private-network.h

@@ -185,8 +185,6 @@ lws_tls_server_abort_connection(struct lws *wsi);
 enum lws_ssl_capable_status
 __lws_tls_shutdown(struct lws *wsi);
 
-enum lws_ssl_capable_status
-lws_tls_client_connect(struct lws *wsi, char *errbuf, size_t len);
 int
 lws_tls_client_confirm_peer_cert(struct lws *wsi, char *ebuf, size_t ebuf_len);
 int

lib/tls/tls-client.c

@@ -236,3 +236,16 @@ lws_client_create_tls(struct lws *wsi, const char **pcce, int do_c1)
 
 	return CCTLS_RETURN_DONE; /* OK */
 }
+
+int
+lws_tls_client_upgrade(struct lws *wsi, int ssl_flags)
+{
+	const char *cce = NULL;
+
+	wsi->tls.use_ssl = (unsigned int)ssl_flags;
+
+	if (lws_client_create_tls(wsi, &cce, 1) == CCTLS_RETURN_ERROR)
+		return -1;
+
+	return 0;
+}

plugins/protocol_lws_dht_dnssec_monitor/assets/monitor.js

@@ -233,6 +233,9 @@ function connect() {
     };
 }
 
+window.activeTls = [];
+window.certStatusCache = {};
+
 function sendReq(obj) {
     if (ws && ws.readyState === WebSocket.OPEN) {
         ws.send(JSON.stringify(obj));
@@ -325,6 +328,7 @@ function handleResponse(data) {
             // We don't fetch get_tls again because we update window.activeTls synchronously.
             break;
         case 'cert_status':
+            window.certStatusCache[data.subdomain + ':' + data.port] = data;
             let span = document.getElementById(`cert-status-${data.subdomain}`);
             if (certCheckTimers[data.subdomain]) {
                 clearTimeout(certCheckTimers[data.subdomain]);
@@ -419,9 +423,6 @@ function renderZoneTable() {
     if (!currentZone) return;
 
     certCheckQueue = [];
-    Object.values(certCheckTimers).forEach(t => clearTimeout(t));
-    certCheckTimers = {};
-    concurrentChecks = 0;
     window.renderedTlsFqdns = new Set();
     const records = currentZone.records.filter(r => r.type !== 'comment' && r.type !== 'macro');
 
@@ -457,10 +458,22 @@ function renderZoneTable() {
             window.renderedTlsFqdns.add(fqdn);
             let activeConfig = window.activeTls ? window.activeTls.find(t => t.fqdn === fqdn) : null;
             let portVal = activeConfig ? activeConfig.port : '';
+            let cacheKey = fqdn + ':' + portVal;
+            let cached = window.certStatusCache[cacheKey];
+            let initStatus = '';
+            let initColor = '#aaa';
+            if (cached) {
+                initStatus = cached.msg;
+                initColor = (cached.status === 'ok') ? '#34d399' : '#f87171';
+            } else if (certCheckTimers[fqdn]) {
+                initStatus = 'Checking...';
+            }
+
             tlsTd = `<td class="ext-tls-cell">
-                         <div style="display:flex; align-items:center; justify-content:flex-start; gap: 0.5rem">
+                         <div style="display:block; text-align: right;">
                              <input type="number" class="tls-port ext-port" data-fqdn="${fqdn}" value="${portVal}" maxlength="5" placeholder="Port" style="width:70px; background: rgba(0,0,0,0.2); color:#fff; border:1px solid #444; border-radius:4px; padding:2px;">
-                             <span id="cert-status-${fqdn}" class="cert-status" style="font-size:0.8em; color:#aaa;"></span>
+                             <br>
+                             <span id="cert-status-${fqdn}" class="cert-status" style="font-size:0.8em; color:${initColor};">${initStatus}</span>
                          </div>
                      </td>`;
         }
@@ -483,21 +496,32 @@ function renderZoneTable() {
                     sendReq({ req: 'delete_tls', domain: currentDomain, subdomain: fqdn });
                     if (window.activeTls) window.activeTls = window.activeTls.filter(x => x.fqdn !== fqdn);
                     document.getElementById(`cert-status-${fqdn}`).innerText = '';
+                    Object.keys(window.certStatusCache).forEach(k => {
+                        if (k.startsWith(fqdn + ':')) delete window.certStatusCache[k];
+                    });
                 } else {
                     sendReq({ req: 'create_tls', domain: currentDomain, subdomain: fqdn, port: pnum });
                     if (!window.activeTls) window.activeTls = [];
                     let exist = window.activeTls.find(x => x.fqdn === fqdn);
                     if (exist) exist.port = pnum;
                     else window.activeTls.push({fqdn: fqdn, port: pnum});
-                    
+
+                    if (certCheckTimers[fqdn]) {
+                        clearTimeout(certCheckTimers[fqdn]);
+                        delete certCheckTimers[fqdn];
+                        concurrentChecks = Math.max(0, concurrentChecks - 1);
+                    }
+                    delete window.certStatusCache[fqdn + ':' + pnum];
                     certCheckQueue.push({fqdn: fqdn, port: pnum});
                     processCertQueue();
                 }
             };
 
             if (portInput.value) {
                 let pnum = parseInt(portInput.value, 10);
-                certCheckQueue.push({fqdn: fqdn, port: pnum});
+                if (!window.certStatusCache[fqdn + ':' + pnum] && !certCheckTimers[fqdn]) {
+                    certCheckQueue.push({fqdn: fqdn, port: pnum});
+                }
             }
         }