Fixes a memory leak in SSL_get_peer_certificate.
Fixes a memory leak (finalizer closure refers to obj) in create-ssl
for _SSL* obj. Correcting the finalizer to run caused mem corruption
(possibly due to double-freeing in mzssl-release, despite cancel box)
but changing to allocator/deallocator seems to avoid the problem.
This change causes the abandoned output port to be properly shutdown,
when the `shutdown-on-close' option is set, and decrements the mzssl
struct reference count when a port is abandoned.
Previously, the `*-[im]pure-port' methods from `net/url' would fail to
close the SSL socket associated with the connection when
`close-input-port' was called on the port object returned. This patch
causes the underlying socket to be closed when `close-input-port' is
called on SSL-based ports returned by functions in `net/url'.
There are many SSL_() functions that produce return codes with more
information from SLL_get_error() and/or ERR_get_error(). Those need
to be grouped in an atomic section to ensure thread safety at the
level of Racket threads.
Using the functions on a port triggers renegotiation of the
connection, which s useful for cases such as a web server that
requires a certificate only for certain paths. This functionality
also allows better testing of the SSL library.
Read and write actions on an SSL port can trigger internal write
and read actions (i.e., the opposite direction). On the read side,
write pumping was performed too early before returning a "wait
for new input" event; SSL operations between the pumping and
return could trigger the need for pumping, but it never happened
because the socket was waiting for new input before taking any
new actions.
The problem would shows up specifically when Apache renegotiates
a connection to demand certificates from a client after first
determining the target of the request (i.e., when a certificate
is required ony for specific locations on the server).
Thenks to Sergey Pinaev, Timur Sufiev, and Neil Van Dyke.
This enables an ssl server the option to communicate with both verified and unverified peers with the same listener.
Supporting API calls...
ssl-peer-verified? -> returns #t if an ssl-port's peer has presented a valid and verified certificate
ssl-peer-subject-name -> returns the subject field of the certificate presented by an ssl-port's peer
ssl-peer-issuer-name -> returns the issuer field of the certificate presented by an ssl-port's peer
