Add 'drop_on_absent_certificate' listener option

halfgaar · halfgaar · commit 621cb5d591d5 · 2025-05-19T21:30:35.000+10:00
diff --git a/configfileparser.cpp b/configfileparser.cpp
@@ -250,6 +250,7 @@ ConfigFileParser::ConfigFileParser(const std::string &path) :
     validListenKeys.insert("minimum_tls_version");
     validListenKeys.insert("overload_mode");
     validListenKeys.insert("acme_redirect_url");
+    validListenKeys.insert("drop_on_absent_certificate");
 
     validBridgeKeys.insert("local_username");
     validBridgeKeys.insert("remote_username");
@@ -449,7 +450,20 @@ void ConfigFileParser::loadFile(bool test)
             if (curParseLevel == ConfigParseLevel::Listen)
             {
                 curListener->isValid();
-                tmpSettings.listeners.push_back(curListener);
+
+                if (curListener->dropListener())
+                {
+                    if (test)
+                    {
+                        Logger::getInstance()->log(LOG_NOTICE)
+                            << "Approved missing certificates: dropping " << curListener->getProtocolName()
+                            << " listener, port " << curListener->port;
+                    }
+                }
+                else
+                {
+                    tmpSettings.listeners.push_back(curListener);
+                }
                 curListener.reset();
             }
             else if (curParseLevel == ConfigParseLevel::Bridge)
@@ -495,12 +509,10 @@ void ConfigFileParser::loadFile(bool test)
                 }
                 else if (testKeyValidity(key, "fullchain", validListenKeys))
                 {
-                    checkFileExistsAndReadable("SSL fullchain", value, 1024*1024);
                     curListener->sslFullchain = value;
                 }
                 if (testKeyValidity(key, "privkey", validListenKeys))
                 {
-                    checkFileExistsAndReadable("SSL privkey", value, 1024*1024);
                     curListener->sslPrivkey = value;
                 }
                 if (testKeyValidity(key, "inet_protocol", validListenKeys))
@@ -578,6 +590,10 @@ void ConfigFileParser::loadFile(bool test)
                 {
                     curListener->acmeRedirectURL = valueTrimmed;
                 }
+                if (testKeyValidity(key, "drop_on_absent_certificate", validListenKeys))
+                {
+                    curListener->dropOnAbsentCertificates = stringTruthiness(value);
+                }
 
                 testCorrectNumberOfValues(key, number_of_expected_values, values);
                 continue;
diff --git a/configfileparser.h b/configfileparser.h
@@ -44,11 +44,12 @@ class ConfigFileParser
 
     void static testCorrectNumberOfValues(const std::string &key, size_t expected_values, const std::vector<std::string> &values);
     bool testKeyValidity(const std::string &key, const std::string &matchKey, const std::set<std::string> &validKeys) const;
+
+public:
     void static checkFileExistsAndReadable(const std::string &key, const std::string &pathToCheck, ssize_t max_size = std::numeric_limits<ssize_t>::max());
     void static checkFileOrItsDirWritable(const std::string &filepath);
     void static checkDirExists(const std::string &key, const std::string &dir);
 
-public:
     ConfigFileParser(const std::string &path);
     void loadFile(bool test);
     std::list<std::string> readFileRecursively(const std::string &path) const;
diff --git a/listener.cpp b/listener.cpp
@@ -15,6 +15,7 @@ See LICENSE for license details.
 #include "utils.h"
 #include "exceptions.h"
 #include "logger.h"
+#include "configfileparser.h"
 
 void Listener::isValid()
 {
@@ -33,7 +34,13 @@ void Listener::isValid()
             throw ConfigFileException("An SSL listener can't have an acme_redirect_url.");
         }
 
-        testSsl(sslFullchain, sslPrivkey);
+        if (!dropListener())
+        {
+            ConfigFileParser::checkFileExistsAndReadable("SSL fullchain", sslFullchain, 1024*1024);
+            ConfigFileParser::checkFileExistsAndReadable("SSL privkey", sslPrivkey, 1024*1024);
+            testSsl(sslFullchain, sslPrivkey);
+        }
+
         testSslVerifyLocations(clientVerificationCaFile, clientVerificationCaDir, "Loading client_verification_ca_dir/client_verification_ca_file failed.");
     }
     else
@@ -45,6 +52,11 @@ void Listener::isValid()
             else
                 port = 1883;
         }
+
+        if (dropOnAbsentCertificates)
+        {
+            throw ConfigFileException("Using drop_on_absent_certificate is only valid on SSL listeners; define privkey and fullchain.");
+        }
     }
 
     if ((!clientVerificationCaDir.empty() || !clientVerificationCaFile.empty()) && !isSsl())
@@ -168,6 +180,14 @@ X509ClientVerification Listener::getX509ClientVerficationMode() const
     return result;
 }
 
+bool Listener::dropListener() const
+{
+    if (!dropOnAbsentCertificates || !isSsl())
+        return false;
+
+    return access(sslPrivkey.c_str(), R_OK) != 0 && access(sslFullchain.c_str(), R_OK) != 0;
+}
+
 std::string Listener::getBindAddress(ListenerProtocol p)
 {
     if (p == ListenerProtocol::IPv4)
diff --git a/listener.h b/listener.h
@@ -50,6 +50,7 @@ struct Listener
     std::optional<std::string> acmeRedirectURL;
     TLSVersion minimumTlsVersion = TLSVersion::TLSv1_1;
     std::optional<OverloadMode> overloadMode;
+    bool dropOnAbsentCertificates = false;
 
     void isValid();
     bool isSsl() const;
@@ -58,6 +59,7 @@ struct Listener
     std::string getProtocolName() const;
     void loadCertAndKeyFromConfig();
     X509ClientVerification getX509ClientVerficationMode() const;
+    bool dropListener() const;
 
     std::string getBindAddress(ListenerProtocol p);
 };

Original file line number	Diff line number	Diff line change
`@@ -250,6 +250,7 @@ ConfigFileParser::ConfigFileParser(const std::string &path) :`
`250`	`250`	`validListenKeys.insert("minimum_tls_version");`
`251`	`251`	`validListenKeys.insert("overload_mode");`
`252`	`252`	`validListenKeys.insert("acme_redirect_url");`
	`253`	`+ validListenKeys.insert("drop_on_absent_certificate");`
`253`	`254`
`254`	`255`	`validBridgeKeys.insert("local_username");`
`255`	`256`	`validBridgeKeys.insert("remote_username");`
`@@ -449,7 +450,20 @@ void ConfigFileParser::loadFile(bool test)`
`449`	`450`	`if (curParseLevel == ConfigParseLevel::Listen)`
`450`	`451`	`{`
`451`	`452`	`curListener->isValid();`
`452`		`- tmpSettings.listeners.push_back(curListener);`
	`453`	`+`
	`454`	`+ if (curListener->dropListener())`
	`455`	`+ {`
	`456`	`+ if (test)`
	`457`	`+ {`
	`458`	`+ Logger::getInstance()->log(LOG_NOTICE)`
	`459`	`+ << "Approved missing certificates: dropping " << curListener->getProtocolName()`
	`460`	`+ << " listener, port " << curListener->port;`
	`461`	`+ }`
	`462`	`+ }`
	`463`	`+ else`
	`464`	`+ {`
	`465`	`+ tmpSettings.listeners.push_back(curListener);`
	`466`	`+ }`
`453`	`467`	`curListener.reset();`
`454`	`468`	`}`
`455`	`469`	`else if (curParseLevel == ConfigParseLevel::Bridge)`
`@@ -495,12 +509,10 @@ void ConfigFileParser::loadFile(bool test)`
`495`	`509`	`}`
`496`	`510`	`else if (testKeyValidity(key, "fullchain", validListenKeys))`
`497`	`511`	`{`
`498`		`- checkFileExistsAndReadable("SSL fullchain", value, 1024*1024);`
`499`	`512`	`curListener->sslFullchain = value;`
`500`	`513`	`}`
`501`	`514`	`if (testKeyValidity(key, "privkey", validListenKeys))`
`502`	`515`	`{`
`503`		`- checkFileExistsAndReadable("SSL privkey", value, 1024*1024);`
`504`	`516`	`curListener->sslPrivkey = value;`
`505`	`517`	`}`
`506`	`518`	`if (testKeyValidity(key, "inet_protocol", validListenKeys))`
`@@ -578,6 +590,10 @@ void ConfigFileParser::loadFile(bool test)`
`578`	`590`	`{`
`579`	`591`	`curListener->acmeRedirectURL = valueTrimmed;`
`580`	`592`	`}`
	`593`	`+ if (testKeyValidity(key, "drop_on_absent_certificate", validListenKeys))`
	`594`	`+ {`
	`595`	`+ curListener->dropOnAbsentCertificates = stringTruthiness(value);`
	`596`	`+ }`
`581`	`597`
`582`	`598`	`testCorrectNumberOfValues(key, number_of_expected_values, values);`
`583`	`599`	`continue;`