tls: migrated to the runtime cfg framework

- moved all the module params to runtime config. Most of the
  variables are read-only (for now) with the following exceptions:
    config - can be changed at runtime and if followed by a
             tls.realod, the configuration from the new file will
             be loaded.
    log
    connection_timeout
    low_mem_threshold1
    low_mem_threshold2
- renamed tls_fix_cfg() to tls_fix_domains_cfg() to avoid
  confusion with the runtime cfg (named tls_cfg).

modules/tls/tls_cfg.c

@@ -0,0 +1,222 @@
+/* 
+ * $Id$
+ * 
+ * Copyright (C) 2010 iptelorg GmbH
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+/** tls runtime configuration.
+ * @file tls_cfg.c
+ * @ingroup: @tls
+ * Module: @ref tls
+ */
+/*
+ * History:
+ * --------
+ *  2010-05-27  initial version (andrei)
+*/
+
+#include "tls_cfg.h"
+#include "../../config.h"
+#include "../../str.h"
+#include "../../ut.h"
+#include "../../pt.h"
+#include "../../mem/shm_mem.h"
+
+struct cfg_group_tls default_tls_cfg = {
+	0, /* tls_force_run */
+	STR_STATIC_INIT("TLSv1"), /* method */
+	0, /* verify_certificate */
+	9, /* verify_depth */
+	0, /* require_certificate */
+	STR_STATIC_INIT(TLS_PKEY_FILE), /* private_key */
+	STR_STATIC_INIT(TLS_CA_FILE),   /* ca_list */
+	STR_STATIC_INIT(TLS_CERT_FILE), /* certificate */
+	STR_NULL, /* cipher_list */
+	0, /* session_cache */
+	STR_STATIC_INIT("sip-router-tls-3.1"), /* session_id */
+	STR_NULL, /* config_file */
+	3, /* log */
+	600, /* con_lifetime (s)*/
+	1, /* disable_compression */
+	-1, /* ssl_release_buffers (use the default: off) */
+	-1, /* ssl_freelist_max  (use the default: 32) */
+	-1, /* ssl_max_send_fragment (use the default: 16k)*/
+	1, /* ssl_read_ahead (set, use -1 for the openssl default value)*/
+	-1, /* low_mem_treshold1 */
+	-1, /* low_mem_treshold2 */
+};
+
+void* tls_cfg = &default_tls_cfg;
+
+
+/* if *to<0 to=default_val, else if to>max_val to=max_val */
+static void fix_timeout(char* name, int* to, int default_val, unsigned max_val)
+{
+	if (*to < 0) *to=default_val;
+	else if ((unsigned)*to > max_val){
+		WARN("%s: timeout too big (%u), the maximum value is %u\n",
+				name, *to, max_val);
+		*to=max_val;
+	}
+}
+
+
+static int fix_con_lt(void* cfg_h, str* gname, str* name, void** val)
+{
+	int v;
+	v=S_TO_TICKS((int)(long)*val);
+	fix_timeout("tls.connection_timeout", &v,
+					MAX_TLS_CON_LIFETIME, MAX_TLS_CON_LIFETIME);
+	*val=(void*)(long)v;
+	return 0;
+}
+
+
+
+/** cfg framework callback for fixing pathnames. */
+static int fix_rel_pathname(void* cfg_h, str* gname, str* name, void** val)
+{
+	str* f;
+	str new_f;
+	/* the cfg framework will immediately "clone" the value so
+	   we can pass a pointer to a temporary static buffer to it
+	   (using a dyn. alloc'd buffer would introduce the additional
+	    problem of having to free it somehow) */
+	static char path_buf[MAX_PATH_SIZE];
+
+	f = *val;
+	if (f && f->s) {
+		new_f.s = get_abs_pathname(0, f);
+		if (new_f.s == 0)
+			return -1;
+		new_f.len = strlen(new_f.s);
+		if (new_f.len >= MAX_PATH_SIZE) {
+			ERR("%.*s.%.*s path too long (%d bytes): \"%.*s\"\n",
+					gname->len, gname->s, name->len, name->s,
+					new_f.len, new_f.len, new_f.s);
+			pkg_free(new_f.s);
+			return -1;
+		}
+		memcpy(path_buf, new_f.s, new_f.len);
+		pkg_free(new_f.s);
+		new_f.s = path_buf;
+		*f = new_f;
+	}
+	return 0;
+}
+
+
+
+cfg_def_t	tls_cfg_def[] = {
+	{"force_run", CFG_VAR_INT | CFG_READONLY, 0, 1, 0, 0,
+		"force loading the tls module even when initial sanity checks fail"},
+	{"method",   CFG_VAR_STR | CFG_READONLY, 0, 0, 0, 0,
+		"TLS method used (TLSv1, SSLv3, SSLv2, SSLv23)"},
+	{"verify_certificate", CFG_VAR_INT | CFG_READONLY, 0, 1, 0, 0,
+		"if enabled the certificates will be verified" },
+	{"verify_depth", CFG_VAR_INT | CFG_READONLY, 0, 100, 0, 0,
+		"sets how far up the certificate chain will the certificate"
+		" verification go in the search for a trusted CA" },
+	{"require_certificate", CFG_VAR_INT | CFG_READONLY, 0, 1, 0, 0,
+		"if enabled a certificate will be required from clients" },
+	{"private_key", CFG_VAR_STR | CFG_READONLY, 0, 0, fix_rel_pathname, 0,
+		"name of the file containing the private key (pem format), if not"
+		" contained in the certificate file" },
+	{"ca_list", CFG_VAR_STR | CFG_READONLY, 0, 0, fix_rel_pathname, 0,
+		"name of the file containing the trusted CA list (pem format)" },
+	{"certificate", CFG_VAR_STR | CFG_READONLY, 0, 0, fix_rel_pathname, 0,
+		"name of the file containing the certificate (pem format)" },
+	{"cipher_list", CFG_VAR_STR | CFG_READONLY, 0, 0, 0, 0,
+		"list of the accepted ciphers (strings separated by colons)" },
+	{"session_cache", CFG_VAR_INT | CFG_READONLY, 0, 1, 0, 0,
+		"enables or disables the session cache" },
+	{"session_id", CFG_VAR_STR | CFG_READONLY, 0, 0, 0, 0,
+		"string used for the session id" },
+	{"config", CFG_VAR_STR, 0, 0, fix_rel_pathname, 0,
+		"tls config file name (used for the per domain options)" },
+	{"log", CFG_VAR_INT | CFG_ATOMIC, 0, 1000, 0, 0,
+		"tls info messages log level" },
+	{"connection_timeout", CFG_VAR_INT | CFG_ATOMIC,
+							-1, MAX_TLS_CON_LIFETIME, fix_con_lt, 0,
+		"initial connection lifetime (in s) (obsolete)" },
+	{"disable_compression", CFG_VAR_INT | CFG_READONLY, 0, 1, 0, 0,
+		"if set disable the built-in OpenSSL compression" },
+	{"ssl_release_buffers", CFG_VAR_INT | CFG_READONLY, -1, 1, 0, 0,
+		"quickly release internal OpenSSL read or write buffers."
+	    " Works only for OpenSSL >= 1.0."},
+	{"ssl_free_list_max", CFG_VAR_INT | CFG_READONLY, -1, 1<<30, 0, 0,
+		"maximum number of free/cached memory chunks that OpenSSL"
+		" will keep per connection. Works only for OpenSSL >= 1.0."},
+	{"ssl_max_send_fragment", CFG_VAR_INT | CFG_READONLY, -1, 65536, 0, 0,
+		"sets the maximum number of bytes (clear text) send into one TLS"
+		" record. Valid values are between 512 and 16384."
+		" Works only for OpenSSL >= 0.9.9"},
+	{"ssl_read_ahead", CFG_VAR_INT | CFG_READONLY, -1, 1, 0, 0,
+		"Enables read ahead, reducing the number of BIO read calls done"
+		" internally by the OpenSSL library" },
+	{"low_mem_threshold1", CFG_VAR_INT | CFG_ATOMIC, -1, 1<<30, 0, 0,
+		"sets the minimum amount of free memory for accepting new TLS"
+		" connections (KB)"},
+	{"low_mem_threshold2", CFG_VAR_INT | CFG_ATOMIC, -1, 1<<30, 0, 0,
+		"sets the minimum amount of free memory after which no more TLS"
+		" operations will be attempted (even on existing connections)" },
+	{0, 0, 0, 0, 0, 0}
+};
+
+
+
+/* to be used on start-up, with pkg_alloc'ed path names  (path->s)*/
+static int fix_initial_pathname(str* path)
+{
+	str new_path;
+	if (path->s) {
+		new_path.s = get_abs_pathname(0, path);
+		if (new_path.s == 0) return -1;
+		new_path.len = strlen(new_path.s);
+		pkg_free(path->s);
+		*path = new_path;
+	}
+	return 0;
+}
+
+
+
+/** fix the tls cfg, prior to registering.
+  * @return < 0 on error, 0 on success
+  */
+int fix_tls_cfg(struct cfg_group_tls* cfg)
+{
+	cfg->con_lifetime = S_TO_TICKS(cfg->con_lifetime);
+	fix_timeout("tls_connection_timeout", &cfg->con_lifetime, 
+						MAX_TLS_CON_LIFETIME, MAX_TLS_CON_LIFETIME);
+	/* Update relative paths of files configured through modparams, relative
+	 * pathnames will be converted to absolute and the directory of the main
+	 * SER configuration file will be used as reference.
+	 */
+	if (fix_initial_pathname(&cfg->config_file) < 0)
+		return -1;
+	if (fix_initial_pathname(&cfg->private_key) < 0)
+		return -1;
+	if (fix_initial_pathname(&cfg->ca_list) < 0 )
+		return -1;
+	if (fix_initial_pathname(&cfg->certificate) < 0)
+		return -1;
+	
+	return 0;
+}
+
+
+
+
+/* vi: set ts=4 sw=4 tw=79:ai:cindent: */

modules/tls/tls_cfg.h

@@ -0,0 +1,102 @@
+/* 
+ * $Id$
+ * 
+ * Copyright (C) 2010 iptelorg GmbH
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+/** tls runtime configuration.
+ * @filetls_cfg.h
+ * @ingroup: tls
+ * Module: @ref tls
+ */
+/*
+ * History:
+ * --------
+ *  2010-05-27  initial version (andrei)
+*/
+
+#ifndef __tls_cfg_h
+#define __tls_cfg_h
+
+#include "../../str.h"
+#include "../../cfg/cfg.h"
+
+
+/* maximum accepted lifetime (maximum possible is  ~ MAXINT/2)
+ *  (it should be kept in sync w/ MAX_TCP_CON_LIFETIME from tcp_main.c:
+ *   MAX_TLS_CON_LIFETIME <= MAX_TCP_CON_LIFETIME )*/
+#define MAX_TLS_CON_LIFETIME	(1U<<(sizeof(ticks_t)*8-1))
+
+
+
+struct cfg_group_tls {
+	int force_run;
+	str method;
+	int verify_cert;
+	int verify_depth;
+	int require_cert;
+	str private_key;
+	str ca_list;
+	str certificate;
+	str cipher_list;
+	int session_cache;
+	str session_id;
+	str config_file;
+	int log;
+	int con_lifetime;
+	int disable_compression;
+	/* release internal openssl read or write buffer when they are no longer
+	 * used (complete read or write that does not have to buffer anything).
+	 * Should be used together with tls_free_list_max_len. Might have some
+	 * performance impact (and extra *malloc pressure), but has also the
+	 * potential of saving a lot of memory (at least 32k/idle connection in the
+	 * default config, or ~ 16k+tls_max_send_fragment)) */
+	int ssl_release_buffers;
+	/* maximum length of free/unused memory buffers/chunks per connection.
+	 * Setting it to 0 would cause any unused buffers to be immediately freed
+	 * and hence a lower memory footprint (at the cost of a possible
+	 * performance decrease and more *malloc pressure).
+	 * Too large value would result in extra memory consumption.
+	 * The default is 32 in openssl.
+	 * For lowest memory usage set it to 0 and tls_mode_release_buffers to 1
+	 */
+	int ssl_freelist_max;
+	/* maximum number of bytes (clear text) sent into one record.
+	 * The default and maximum value are ~16k. Lower values would lead to a
+	 * lower  memory footprint.
+	 * Values lower then the typical  app. write size might decrease
+	 * performance (extra write() syscalls), so it should be kept ~2k for ser.
+	 */
+	int ssl_max_send_fragment;
+	/* enable read ahead. Should increase performance (1 less syscall when
+	 * enabled, else openssl makes 1 read() for each record header and another
+	 * for the content), but might interact with SSL_pending() (not used right
+	 * now)
+	 */
+	int ssl_read_ahead;
+	int low_mem_threshold1;
+	int low_mem_threshold2;
+};
+
+
+extern struct cfg_group_tls default_tls_cfg;
+extern void* tls_cfg;
+extern cfg_def_t tls_cfg_def[];
+
+
+extern int fix_tls_cfg(struct cfg_group_tls* cfg);
+
+#endif /*__tls_cfg_h*/
+
+/* vi: set ts=4 sw=4 tw=79:ai:cindent: */

modules/tls/tls_config.c

@@ -44,6 +44,7 @@
 #include "../../dprint.h"
 #include "../../trim.h"
 #include "../../ut.h"
+#include "../../cfg/cfg.h"
 
 static tls_domains_cfg_t* cfg = NULL;
 static tls_domain_t* domain = NULL;

modules/tls/tls_domain.c

@@ -39,11 +39,13 @@
 #include "../../ut.h"
 #include "../../mem/shm_mem.h"
 #include "../../pt.h"
+#include "../../cfg/cfg.h"
 #include "tls_server.h"
 #include "tls_util.h"
 #include "tls_mod.h"
 #include "tls_init.h"
 #include "tls_domain.h"
+#include "tls_cfg.h"
 
 
 /*
@@ -529,17 +531,21 @@ static int set_session_cache(tls_domain_t* d)
 {
 	int i;
 	int procs_no;
+	str tls_session_id;
 	
 	procs_no=get_max_procs();
+	tls_session_id=cfg_get(tls, tls_cfg, session_id);
 	for(i = 0; i < procs_no; i++) {
-		     /* janakj: I am not sure if session cache makes sense in ser, session 
-		      * cache is stored in SSL_CTX and we have one SSL_CTX per process, thus 
-		      * sessions among processes will not be reused
-		      */
-		SSL_CTX_set_session_cache_mode(d->ctx[i], 
-				   tls_session_cache ? SSL_SESS_CACHE_SERVER : SSL_SESS_CACHE_OFF);
-		SSL_CTX_set_session_id_context(d->ctx[i], 
-					       (unsigned char*)tls_session_id.s, tls_session_id.len);
+		/* janakj: I am not sure if session cache makes sense in ser, session
+		 * cache is stored in SSL_CTX and we have one SSL_CTX per process,
+		 * thus sessions among processes will not be reused
+		 */
+		SSL_CTX_set_session_cache_mode(d->ctx[i],
+				cfg_get(tls, tls_cfg, session_cache) ? SSL_SESS_CACHE_SERVER :
+				SSL_SESS_CACHE_OFF);
+		/* not really needed is SSL_SESS_CACHE_OFF */
+		SSL_CTX_set_session_id_context(d->ctx[i],
+					(unsigned char*)tls_session_id.s, tls_session_id.len);
 	}
 	return 0;
 }
@@ -738,10 +744,14 @@ static int load_private_key(tls_domain_t* d)
  * Initialize attributes of all domains from default domains
  * if necessary
  */
-int tls_fix_cfg(tls_domains_cfg_t* cfg, tls_domain_t* srv_defaults,
+int tls_fix_domains_cfg(tls_domains_cfg_t* cfg, tls_domain_t* srv_defaults,
 				tls_domain_t* cli_defaults)
 {
 	tls_domain_t* d;
+	int ssl_mode_release_buffers;
+	int ssl_freelist_max_len;
+	int ssl_max_send_fragment;
+	int ssl_read_ahead;
 
 	if (!cfg->cli_default) {
 		cfg->cli_default = tls_new_domain(TLS_DOMAIN_DEF | TLS_DOMAIN_CLI, 0, 0);
@@ -785,6 +795,10 @@ int tls_fix_cfg(tls_domains_cfg_t* cfg, tls_domain_t* srv_defaults,
 	/* set various global per CTX options
 	 * (done here to show possible missing features messages only once)
 	 */
+	ssl_mode_release_buffers = cfg_get(tls, tls_cfg, ssl_release_buffers);
+	ssl_freelist_max_len = cfg_get(tls, tls_cfg, ssl_freelist_max);
+	ssl_max_send_fragment = cfg_get(tls, tls_cfg, ssl_max_send_fragment);
+	ssl_read_ahead = cfg_get(tls, tls_cfg, ssl_read_ahead);
 #if OPENSSL_VERSION_NUMBER >= 0x01000000L
 	/* set SSL_MODE_RELEASE_BUFFERS if ssl_mode_release_buffers !=0,
 	   reset if == 0 and ignore if < 0 */

modules/tls/tls_domain.h

@@ -143,7 +143,7 @@ int tls_add_domain(tls_domains_cfg_t* cfg, tls_domain_t* d);
 /*
  * Fill in missing parameters
  */
-int tls_fix_cfg(tls_domains_cfg_t* cfg, tls_domain_t* srv_defaults,
+int tls_fix_domains_cfg(tls_domains_cfg_t* cfg, tls_domain_t* srv_defaults,
 				tls_domain_t* cli_defaults);
 
 

modules/tls/tls_dump_vf.c

@@ -35,11 +35,15 @@
 #include <openssl/ssl.h>
 #include "../../dprint.h"
 #include "tls_mod.h"
+#include "tls_cfg.h"
 
 /** log the verification failure reason.
  */
 void tls_dump_verification_failure(long verification_result)
 {
+	int tls_log;
+	
+	tls_log = cfg_get(tls, tls_cfg, log);
 	switch(verification_result) {
 	case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
 		LOG(tls_log, "verification failure: unable to get issuer certificate\n");

modules/tls/tls_init.c

@@ -63,6 +63,8 @@
 #include "../../tcp_init.h"
 #include "../../socket_info.h"
 #include "../../pt.h"
+#include "../../cfg/cfg.h"
+#include "../../cfg/cfg_ctx.h"
 #include "tls_verify.h"
 #include "tls_domain.h"
 #include "tls_util.h"
@@ -70,6 +72,7 @@
 #include "tls_init.h"
 #include "tls_locking.h"
 #include "tls_ct_wrq.h"
+#include "tls_cfg.h"
 
 #if OPENSSL_VERSION_NUMBER < 0x00907000L
 #    warning ""
@@ -125,12 +128,6 @@ to compile on the  _target_ system)"
 #ifdef TLS_KSSL_WORKARROUND
 int openssl_kssl_malloc_bug=0; /* is openssl bug #1467 present ? */
 #endif
-int openssl_mem_threshold1=-1; /* low memory threshold for connect/accept */
-int openssl_mem_threshold2=-1; /* like above but for other tsl operations */
-int tls_disable_compression = 1; /* by default disabled due to high memory
-									use (~10x then without compression) */
-int tls_force_run = 0; /* ignore some start-up sanity checks, use it
-						  at your own risk */
 
 const SSL_METHOD* ssl_methods[TLS_USE_SSLv23 + 1];
 
@@ -372,7 +369,7 @@ static int init_tls_compression(void)
 		LOG(L_INFO, "tls: init_tls: compression support disabled in the"
 					" openssl lib\n");
 		goto end; /* nothing to do, exit */
-	} else if (tls_disable_compression){
+	} else if (cfg_get(tls, tls_cfg, disable_compression)){
 		LOG(L_INFO, "tls: init_tls: disabling compression...\n");
 		sk_SSL_COMP_zero(comp_methods);
 	}else{
@@ -457,6 +454,11 @@ int init_tls_h(void)
 	int kerberos_support;
 	int comp_support;
 	const char* lib_cflags;
+	int low_mem_threshold1;
+	int low_mem_threshold2;
+	str tls_grp;
+	str s;
+	cfg_ctx_t* cfg_ctx;
 
 #if OPENSSL_VERSION_NUMBER < 0x00907000L
 	WARN("You are using an old version of OpenSSL (< 0.9.7). Upgrade!\n");
@@ -473,7 +475,7 @@ int init_tls_h(void)
 				" (tls_force_run in ser.cfg will override this check)\n",
 				SSLeay_version(SSLEAY_VERSION), ssl_version,
 				OPENSSL_VERSION_TEXT, (long)OPENSSL_VERSION_NUMBER);
-		if (tls_force_run)
+		if (cfg_get(tls, tls_cfg, force_run))
 			LOG(L_WARN, "tls: init_tls_h: tls_force_run turned on, ignoring "
 						" openssl version mismatch\n");
 		else
@@ -525,7 +527,7 @@ int init_tls_h(void)
 						lib_kerberos?"enabled":"disabled",
 						kerberos_support?"enabled":"disabled"
 				);
-			if (tls_force_run)
+			if (cfg_get(tls, tls_cfg, force_run))
 				LOG(L_WARN, "tls: init_tls_h: tls_force_run turned on, "
 						"ignoring kerberos support mismatch\n");
 			else
@@ -562,54 +564,65 @@ int init_tls_h(void)
 			" kerberos support will be disabled...\n");
 	}
 	#endif
-	 /* set free memory threshold for openssl bug #1491 workaround */
-	if (openssl_mem_threshold1<0){
+	/* set free memory threshold for openssl bug #1491 workaround */
+	low_mem_threshold1 = cfg_get(tls, tls_cfg, low_mem_threshold1);
+	low_mem_threshold2 = cfg_get(tls, tls_cfg, low_mem_threshold2);
+	if (low_mem_threshold1<0){
 		/* default */
-		openssl_mem_threshold1=512*1024*get_max_procs();
+		low_mem_threshold1=512*1024*get_max_procs();
 	}else
-		openssl_mem_threshold1*=1024; /* KB */
-	if (openssl_mem_threshold2<0){
+		low_mem_threshold1*=1024; /* KB */
+	if (low_mem_threshold2<0){
 		/* default */
-		openssl_mem_threshold2=256*1024*get_max_procs();
+		low_mem_threshold2=256*1024*get_max_procs();
 	}else
-		openssl_mem_threshold2*=1024; /* KB */
-	if ((openssl_mem_threshold1==0) || (openssl_mem_threshold2==0))
+		low_mem_threshold2*=1024; /* KB */
+	if ((low_mem_threshold1==0) || (low_mem_threshold2==0))
 		LOG(L_WARN, "tls: openssl bug #1491 (crash/mem leaks on low memory)"
 					" workarround disabled\n");
 	else
 		LOG(L_WARN, "tls: openssl bug #1491 (crash/mem leaks on low memory)"
 				" workaround enabled (on low memory tls operations will fail"
 				" preemptively) with free memory thresholds %d and %d bytes\n",
-				openssl_mem_threshold1, openssl_mem_threshold2);
+				low_mem_threshold1, low_mem_threshold2);
 	
 	if (shm_available()==(unsigned long)(-1)){
 		LOG(L_WARN, "tls: ser compiled without MALLOC_STATS support:"
 				" the workaround for low mem. openssl bugs will _not_ "
 				"work\n");
-		openssl_mem_threshold1=0;
-		openssl_mem_threshold2=0;
+		low_mem_threshold1=0;
+		low_mem_threshold2=0;
 	}
-	SSL_library_init();
-	SSL_load_error_strings();
-	init_ssl_methods();
-#if 0
-	/* OBSOLETE: we are using the tls_h_init_si callback */
-	     /* Now initialize TLS sockets */
-	for(si = tls_listen; si; si = si->next) {
-		if (tls_h_init_si(si) < 0)  return -1;
-		     /* get first ipv4/ipv6 socket*/
-		if ((si->address.af == AF_INET) &&
-		    ((sendipv4_tls == 0) || (sendipv4_tls->flags & SI_IS_LO))) {
-			sendipv4_tls = si;
+	if ((low_mem_threshold1 != cfg_get(tls, tls_cfg, low_mem_threshold1)) ||
+	    (low_mem_threshold2 != cfg_get(tls, tls_cfg, low_mem_threshold2))) {
+		/* ugly hack to set the initial values for the mem tresholds */
+		if (cfg_register_ctx(&cfg_ctx, 0)) {
+			ERR("failed to register cfg context\n");
+			return -1;
 		}
-#ifdef USE_IPV6
-		if ((sendipv6_tls == 0) && (si->address.af == AF_INET6)) {
-			sendipv6_tls = si;
+		tls_grp.s = "tls";
+		tls_grp.len = strlen(tls_grp.s);
+		s.s = "low_mem_threshold1";
+		s.len = strlen(s.s);
+		if (low_mem_threshold1 != cfg_get(tls, tls_cfg, low_mem_threshold1) &&
+				cfg_set_now_int(cfg_ctx, &tls_grp, &s, low_mem_threshold1)) {
+			ERR("failed to set tls.low_mem_threshold1 to %d\n",
+					low_mem_threshold1);
+			return -1;
+		}
+		s.s = "low_mem_threshold2";
+		s.len = strlen(s.s);
+		if (low_mem_threshold2 != cfg_get(tls, tls_cfg, low_mem_threshold2) &&
+				cfg_set_now_int(cfg_ctx, &tls_grp, &s, low_mem_threshold2)) {
+			ERR("failed to set tls.low_mem_threshold1 to %d\n",
+					low_mem_threshold2);
+			return -1;
 		}
-#endif
 	}
-#endif
-
+	
+	SSL_library_init();
+	SSL_load_error_strings();
+	init_ssl_methods();
 	return 0;
 }
 

modules/tls/tls_init.h

@@ -55,13 +55,8 @@
 #define TLS_KSSL_WORKARROUND
 extern int openssl_kssl_malloc_bug; /* is openssl bug #1467 present ? */
 #endif
-extern int openssl_mem_threshold1; /* low memory threshold for connect */
-extern int openssl_mem_threshold2; /* like above but for other tsl operations */
 
 
-extern int tls_disable_compression; /* by default enabled */
-extern int tls_force_run; /* by default disabled */
-
 extern const SSL_METHOD* ssl_methods[];
 
 

modules/tls/tls_mod.c

@@ -36,6 +36,7 @@
  * 2010-03-19  new parameters to control advanced openssl lib options
  *              (mostly work on 1.0.0+): ssl_release_buffers, ssl_read_ahead,
  *              ssl_freelist_max_len, ssl_max_send_fragment   (andrei)
+ * 2010-05-27  migrated to the runtime cfg framework (andrei)
  */
 /** SIP-router TLS support :: Module interface.
  * @file
@@ -57,6 +58,7 @@
 #include "../../tls_hooks.h"
 #include "../../ut.h"
 #include "../../rpc_lookup.h"
+#include "../../cfg/cfg.h"
 #include "tls_init.h"
 #include "tls_server.h"
 #include "tls_domain.h"
@@ -65,6 +67,7 @@
 #include "tls_rpc.h"
 #include "tls_util.h"
 #include "tls_mod.h"
+#include "tls_cfg.h"
 
 #ifndef TLS_HOOKS
 	#error "TLS_HOOKS must be defined, or the tls module won't work"
@@ -74,12 +77,6 @@
 #endif
 
 
-/* maximum accepted lifetime (maximum possible is  ~ MAXINT/2)
- *  (it should be kept in sync w/ MAX_TCP_CON_LIFETIME from tcp_main.c:
- *   MAX_TLS_CON_LIFETIME <= MAX_TCP_CON_LIFETIME )*/
-#define MAX_TLS_CON_LIFETIME	(1U<<(sizeof(ticks_t)*8-1))
-
-
 
 /*
  * FIXME:
@@ -166,48 +163,6 @@ tls_domain_t cli_defaults = {
 };
 
 
-/*
- * Defaults for client and server domains when using modparams
- */
-static str tls_method = STR_STATIC_INIT("TLSv1");
-
-
-int tls_send_timeout = 30;
-int tls_con_lifetime = 600; /* this value will be adjusted to ticks later */
-int tls_log = 3;
-int tls_session_cache = 0;
-str tls_session_id = STR_STATIC_INIT("ser-tls-2.1.0");
-/* release internal openssl read or write buffer when they are no longer used
- * (complete read or write that does not have to buffer anything).
- * Should be used together with tls_free_list_max_len. Might have some
- * performance impact (and extra *malloc pressure), but has also the potential
- * of saving a lot of memory (at least 32k/idle connection in the default
- * config, or ~ 16k+tls_max_send_fragment)) */
-int ssl_mode_release_buffers = -1; /* don't set, leave the default (off) */
-/* maximum length of free/unused memory buffers/chunks per connection.
- * Setting it to 0 would cause any unused buffers to be immediately freed
- * and hence a lower memory footprint (at the cost of a possible performance
- * decrease and more *malloc pressure).
- * Too large value would result in extra memory consumption.
- * The default is 32 in openssl.
- * For lowest memory usage set it to 0 and tls_mode_release_buffers to 1
- */
-int ssl_freelist_max_len = -1;   /* don't set, leave the default value (32) */
-/* maximum number of bytes (clear text) sent into one record.
- * The default and maximum value are ~16k. Lower values would lead to a lower
- *  memory footprint. 
- * Values lower then the typical  app. write size might decrease performance 
- * (extra write() syscalls), so it should be kept ~2k for ser.
- */
-int ssl_max_send_fragment = -1;  /* don't set, leave the default (16k) */
-/* enable read ahead. Should increase performance (1 less syscall when
- * enabled, else openssl makes 1 read() for each record header and another
- * for the content), but might interact with SSL_pending() (not used right now)
- */
-int ssl_read_ahead = 1; /* set (use -1 for the default value) */
-
-str tls_domains_cfg_file = STR_NULL;
-
 
 /* Current TLS configuration */
 tls_domains_cfg_t** tls_domains_cfg = NULL;
@@ -230,27 +185,29 @@ static cmd_export_t cmds[] = {
  * Exported parameters
  */
 static param_export_t params[] = {
-	{"tls_method",          PARAM_STR,    &tls_method             },
-	{"verify_certificate",  PARAM_INT,    &mod_params.verify_cert },
-	{"verify_depth",        PARAM_INT,    &mod_params.verify_depth},
-	{"require_certificate", PARAM_INT,    &mod_params.require_cert},
-	{"private_key",         PARAM_STR,    &mod_params.pkey_file   },
-	{"ca_list",             PARAM_STR,    &mod_params.ca_file     },
-	{"certificate",         PARAM_STR,    &mod_params.cert_file   },
-	{"cipher_list",         PARAM_STR,    &mod_params.cipher_list },
-	{"connection_timeout",  PARAM_INT,    &tls_con_lifetime       },
-	{"tls_log",             PARAM_INT,    &tls_log                },
-	{"session_cache",       PARAM_INT,    &tls_session_cache      },
-	{"session_id",          PARAM_STR,    &tls_session_id         },
-	{"config",              PARAM_STR,    &tls_domains_cfg_file   },
-	{"tls_disable_compression", PARAM_INT,&tls_disable_compression},
-	{"ssl_release_buffers",   PARAM_INT, &ssl_mode_release_buffers},
-	{"ssl_freelist_max_len",  PARAM_INT,    &ssl_freelist_max_len},
-	{"ssl_max_send_fragment", PARAM_INT,    &ssl_max_send_fragment},
-	{"ssl_read_ahead",        PARAM_INT,    &ssl_read_ahead},
-	{"tls_force_run",       PARAM_INT,    &tls_force_run},
-	{"low_mem_threshold1",  PARAM_INT,    &openssl_mem_threshold1},
-	{"low_mem_threshold2",  PARAM_INT,    &openssl_mem_threshold2},
+	{"tls_method",          PARAM_STR,    &default_tls_cfg.method       },
+	{"verify_certificate",  PARAM_INT,    &default_tls_cfg.verify_cert  },
+	{"verify_depth",        PARAM_INT,    &default_tls_cfg.verify_depth },
+	{"require_certificate", PARAM_INT,    &default_tls_cfg.require_cert },
+	{"private_key",         PARAM_STR,    &default_tls_cfg.private_key  },
+	{"ca_list",             PARAM_STR,    &default_tls_cfg.ca_list      },
+	{"certificate",         PARAM_STR,    &default_tls_cfg.certificate  },
+	{"cipher_list",         PARAM_STR,    &default_tls_cfg.cipher_list  },
+	{"connection_timeout",  PARAM_INT,    &default_tls_cfg.con_lifetime },
+	{"tls_log",             PARAM_INT,    &default_tls_cfg.log      },
+	{"session_cache",       PARAM_INT,    &default_tls_cfg.session_cache},
+	{"session_id",          PARAM_STR,    &default_tls_cfg.session_id   },
+	{"config",              PARAM_STR,    &default_tls_cfg.config_file  },
+	{"tls_disable_compression", PARAM_INT,
+										 &default_tls_cfg.disable_compression},
+	{"ssl_release_buffers",   PARAM_INT, &default_tls_cfg.ssl_release_buffers},
+	{"ssl_freelist_max_len",  PARAM_INT,  &default_tls_cfg.ssl_freelist_max},
+	{"ssl_max_send_fragment", PARAM_INT,
+									   &default_tls_cfg.ssl_max_send_fragment},
+	{"ssl_read_ahead",        PARAM_INT,    &default_tls_cfg.ssl_read_ahead},
+	{"tls_force_run",       PARAM_INT,    &default_tls_cfg.force_run},
+	{"low_mem_threshold1",  PARAM_INT,    &default_tls_cfg.low_mem_threshold1},
+	{"low_mem_threshold2",  PARAM_INT,    &default_tls_cfg.low_mem_threshold2},
 	{0, 0, 0}
 };
 
@@ -259,7 +216,7 @@ static param_export_t params[] = {
  * Module interface
  */
 struct module_exports exports = {
-	"tls", 
+	"tls",
 	DEFAULT_DLFLAGS, /* dlopen flags */
 	cmds,        /* Exported functions */
 	params,      /* Exported parameters */
@@ -305,34 +262,6 @@ static tls_domains_cfg_t* tls_use_modparams(void)
 #endif
 
 
-static int fix_rel_pathnames(void)
-{
-	if (tls_domains_cfg_file.s) {
-		tls_domains_cfg_file.s = get_abs_pathname(NULL, &tls_domains_cfg_file);
-		if (tls_domains_cfg_file.s == NULL) return -1;
-		tls_domains_cfg_file.len = strlen(tls_domains_cfg_file.s);
-	}
-	
-	if (mod_params.pkey_file.s) {
-		mod_params.pkey_file.s = get_abs_pathname(NULL, &mod_params.pkey_file);
-		if (mod_params.pkey_file.s == NULL) return -1;
-		mod_params.pkey_file.len = strlen(mod_params.pkey_file.s);
-	}
-	
-	if (mod_params.ca_file.s) {
-		mod_params.ca_file.s = get_abs_pathname(NULL, &mod_params.ca_file);
-		if (mod_params.ca_file.s == NULL) return -1;
-		mod_params.ca_file.len = strlen(mod_params.ca_file.s);
-	}
-	
-	if (mod_params.cert_file.s) {
-		mod_params.cert_file.s = get_abs_pathname(NULL, &mod_params.cert_file);
-		if (mod_params.cert_file.s == NULL) return -1;
-		mod_params.cert_file.len = strlen(mod_params.cert_file.s);
-	}
-	
-	return 0;
-}
 
 static int mod_init(void)
 {
@@ -343,30 +272,34 @@ static int mod_init(void)
 				"(set enable_tls=1 in the config to enable it)\n");
 		return 0;
 	}
-
-/*
-	if (cfg_get(tcp, tcp_cfg, async) && !tls_force_run){
-		ERR("tls does not support tcp in async mode, please use"
-				" tcp_async=no in the config file\n");
+	if (fix_tls_cfg(&default_tls_cfg) < 0 ) {
+		ERR("initial tls configuration fixup failed\n");
 		return -1;
 	}
-*/
-	     /* Convert tls_method parameter to integer */
-	method = tls_parse_method(&tls_method);
+	/* declare configuration */
+	if (cfg_declare("tls", tls_cfg_def, &default_tls_cfg,
+							cfg_sizeof(tls), &tls_cfg)) {
+		ERR("failed to register the configuration\n");
+		return -1;
+	}
+	/* Convert tls_method parameter to integer */
+	method = tls_parse_method(&cfg_get(tls, tls_cfg, method));
 	if (method < 0) {
 		ERR("Invalid tls_method parameter value\n");
 		return -1;
 	}
+	/* fill mod_params */
 	mod_params.method = method;
-
-	/* Update relative paths of files configured through modparams, relative
-	 * pathnames will be converted to absolute and the directory of the main
-	 * SER configuration file will be used as reference.
-	 */
-	if (fix_rel_pathnames() < 0) return -1;
-
-	tls_domains_cfg = 
-		(tls_domains_cfg_t**)shm_malloc(sizeof(tls_domains_cfg_t*));
+	mod_params.verify_cert = cfg_get(tls, tls_cfg, verify_cert);
+	mod_params.verify_depth = cfg_get(tls, tls_cfg, verify_depth);
+	mod_params.require_cert = cfg_get(tls, tls_cfg, require_cert);
+	mod_params.pkey_file = cfg_get(tls, tls_cfg, private_key);
+	mod_params.ca_file = cfg_get(tls, tls_cfg, ca_list);
+	mod_params.cert_file = cfg_get(tls, tls_cfg, certificate);
+	mod_params.cipher_list = cfg_get(tls, tls_cfg, cipher_list);
+
+	tls_domains_cfg =
+			(tls_domains_cfg_t**)shm_malloc(sizeof(tls_domains_cfg_t*));
 	if (!tls_domains_cfg) {
 		ERR("Not enough shared memory left\n");
 		goto error;
@@ -397,8 +330,9 @@ static int mod_init(void)
 		ERR("Unable to initialize TLS buffering\n");
 		goto error;
 	}
-	if (tls_domains_cfg_file.s) {
-		*tls_domains_cfg = tls_load_config(&tls_domains_cfg_file);
+	if (cfg_get(tls, tls_cfg, config_file).s) {
+		*tls_domains_cfg = 
+			tls_load_config(&cfg_get(tls, tls_cfg, config_file));
 		if (!(*tls_domains_cfg)) goto error;
 	} else {
 		*tls_domains_cfg = tls_new_cfg();
@@ -408,21 +342,6 @@ static int mod_init(void)
 	if (tls_check_sockets(*tls_domains_cfg) < 0)
 		goto error;
 
-	/* fix the timeouts from s to ticks */
-	if (tls_con_lifetime<0){
-		/* set to max value (~ 1/2 MAX_INT) */
-		tls_con_lifetime=MAX_TLS_CON_LIFETIME;
-	}else{
-		if ((unsigned)tls_con_lifetime > 
-				(unsigned)TICKS_TO_S(MAX_TLS_CON_LIFETIME)){
-			LOG(L_WARN, "tls: mod_init: tls_con_lifetime too big (%u s), "
-					" the maximum value is %u\n", tls_con_lifetime,
-					TICKS_TO_S(MAX_TLS_CON_LIFETIME));
-			tls_con_lifetime=MAX_TLS_CON_LIFETIME;
-		}else{
-			tls_con_lifetime=S_TO_TICKS(tls_con_lifetime);
-		}
-	}
 	return 0;
 error:
 	destroy_tls_h();
@@ -437,12 +356,13 @@ static int mod_child(int rank)
 	/* fix tls config only from the main proc/PROC_INIT., when we know 
 	 * the exact process number and before any other process starts*/
 	if (rank == PROC_INIT){
-		if (tls_domains_cfg_file.s){
-			if (tls_fix_cfg(*tls_domains_cfg, &srv_defaults,
-							&cli_defaults) < 0)
+		if (cfg_get(tls, tls_cfg, config_file).s){
+			if (tls_fix_domains_cfg(*tls_domains_cfg,
+									&srv_defaults, &cli_defaults) < 0)
 				return -1;
 		}else{
-			if (tls_fix_cfg(*tls_domains_cfg, &mod_params, &mod_params) < 0)
+			if (tls_fix_domains_cfg(*tls_domains_cfg,
+									&mod_params, &mod_params) < 0)
 				return -1;
 		}
 	}
@@ -472,7 +392,8 @@ static int is_peer_verified(struct sip_msg* msg, char* foo, char* foo2)
 
 	DBG("trying to find TCP connection of received message...\n");
 
-	c = tcpconn_get(msg->rcv.proto_reserved1, 0, 0, 0, tls_con_lifetime);
+	c = tcpconn_get(msg->rcv.proto_reserved1, 0, 0, 0,
+					cfg_get(tls, tls_cfg, con_lifetime));
 	if (c && c->type != PROTO_TLS) {
 		ERR("Connection found but is not TLS\n");
 		tcpconn_put(c);

modules/tls/tls_mod.h

@@ -43,14 +43,6 @@
 #include "../../locking.h"
 #include "tls_domain.h"
 
-extern int tls_con_lifetime;
-extern int tls_log;
-extern int tls_session_cache;
-extern str tls_session_id;
-extern int ssl_mode_release_buffers;
-extern int ssl_freelist_max_len;
-extern int ssl_max_send_fragment;
-extern int ssl_read_ahead;
 
 /* Current TLS configuration */
 extern tls_domains_cfg_t** tls_domains_cfg;

modules/tls/tls_rpc.c

@@ -33,6 +33,7 @@
 #include "../../rpc.h"
 #include "../../tcp_conn.h"
 #include "../../timer.h"
+#include "../../cfg/cfg.h"
 #include "tls_init.h"
 #include "tls_mod.h"
 #include "tls_domain.h"
@@ -41,6 +42,7 @@
 #include "tls_server.h"
 #include "tls_ct_wrq.h"
 #include "tls_rpc.h"
+#include "tls_cfg.h"
 
 static const char* tls_reload_doc[2] = {
 	"Reload TLS configuration file",
@@ -50,7 +52,9 @@ static const char* tls_reload_doc[2] = {
 static void tls_reload(rpc_t* rpc, void* ctx)
 {
 	tls_domains_cfg_t* cfg;
+	str tls_domains_cfg_file;
 
+	tls_domains_cfg_file = cfg_get(tls, tls_cfg, config_file);
 	if (!tls_domains_cfg_file.s) {
 		rpc->fault(ctx, 500, "No TLS configuration file configured");
 		return;
@@ -66,7 +70,7 @@ static void tls_reload(rpc_t* rpc, void* ctx)
 		return;
 	}
 
-	if (tls_fix_cfg(cfg, &srv_defaults, &cli_defaults) < 0) {
+	if (tls_fix_domains_cfg(cfg, &srv_defaults, &cli_defaults) < 0) {
 		rpc->fault(ctx, 500, "Error while fixing TLS configuration"
 								" (consult server log)");
 		goto error;

modules/tls/tls_select.c

@@ -37,10 +37,12 @@
 #include "../../tcp_server.h"
 #include "../../tcp_conn.h"
 #include "../../ut.h"
+#include "../../cfg/cfg.h"
 #include "tls_server.h"
 #include "tls_select.h"
 #include "tls_mod.h"
 #include "tls_init.h" /* features macros */
+#include "tls_cfg.h"
 
 enum {
 	CERT_LOCAL = 1,   /* Select local certificate */
@@ -107,7 +109,8 @@ struct tcp_connection* get_cur_connection(struct sip_msg* msg)
 		return 0;
 	}
 
-	c = tcpconn_get(msg->rcv.proto_reserved1, 0, 0, 0, tls_con_lifetime);
+	c = tcpconn_get(msg->rcv.proto_reserved1, 0, 0, 0,
+					cfg_get(tls, tls_cfg, con_lifetime));
 	if (c && c->type != PROTO_TLS) {
 		ERR("Connection found but is not TLS\n");
 		tcpconn_put(c);

modules/tls/tls_server.c

@@ -47,6 +47,7 @@
 #include "../../pt.h"
 #include "../../tcp_int_send.h"
 #include "../../tcp_read.h"
+#include "../../cfg/cfg.h"
 
 #include "tls_init.h"
 #include "tls_domain.h"
@@ -55,12 +56,15 @@
 #include "tls_server.h"
 #include "tls_bio.h"
 #include "tls_dump_vf.h"
+#include "tls_cfg.h"
 
 /* low memory treshold for openssl bug #1491 workaround */
 #define LOW_MEM_NEW_CONNECTION_TEST() \
-	((openssl_mem_threshold1) && (shm_available()<openssl_mem_threshold1))
+	(cfg_get(tls, tls_cfg, low_mem_threshold1) && \
+	  (shm_available() < cfg_get(tls, tls_cfg, low_mem_threshold1)))
 #define LOW_MEM_CONNECTED_TEST() \
-	((openssl_mem_threshold2) && (shm_available()<openssl_mem_threshold2))
+	(cfg_get(tls, tls_cfg, low_mem_threshold2) && \
+	  (shm_available() <  cfg_get(tls, tls_cfg, low_mem_threshold2)))
 
 #define TLS_RD_MBUF_SZ	65536
 #define TLS_WR_MBUF_SZ	65536
@@ -216,11 +220,11 @@ static void tls_dump_cert_info(char* s, X509* cert)
 	issuer = X509_NAME_oneline(X509_get_issuer_name(cert), 0 , 0);
 	
 	if (subj){
-		LOG(tls_log, "%s subject:%s\n", s ? s : "", subj);
+		LOG(cfg_get(tls, tls_cfg, log), "%s subject:%s\n", s ? s : "", subj);
 		OPENSSL_free(subj);
 	}
 	if (issuer){
-		LOG(tls_log, "%s issuer:%s\n", s ? s : "", issuer);
+		LOG(cfg_get(tls, tls_cfg, log), "%s issuer:%s\n", s ? s : "", issuer);
 		OPENSSL_free(issuer);
 	}
 }
@@ -243,6 +247,7 @@ static int tls_accept(struct tcp_connection *c, int* error)
 	SSL *ssl;
 	X509* cert;
 	struct tls_extra_data* tls_c;
+	int tls_log;
 
 	if (LOW_MEM_NEW_CONNECTION_TEST()){
 		ERR("tls: ssl bug #1491 workaround: not enough memory for safe"
@@ -262,6 +267,7 @@ static int tls_accept(struct tcp_connection *c, int* error)
 	if (unlikely(ret == 1)) {
 		DBG("TLS accept successful\n");
 		tls_c->state = S_TLS_ESTABLISHED;
+		tls_log = cfg_get(tls, tls_cfg, log);
 		LOG(tls_log, "tls_accept: new connection from %s:%d using %s %s %d\n",
 		    ip_addr2a(&c->rcv.src_ip), c->rcv.src_port,
 		    SSL_get_cipher_version(ssl), SSL_get_cipher_name(ssl), 
@@ -349,6 +355,7 @@ static int tls_connect(struct tcp_connection *c, int* error)
 	int ret, ssl_err;
 	X509* cert;
 	struct tls_extra_data* tls_c;
+	int tls_log;
 
 	if (LOW_MEM_NEW_CONNECTION_TEST()){
 		ERR("tls: ssl bug #1491 workaround: not enough memory for safe"
@@ -369,6 +376,7 @@ static int tls_connect(struct tcp_connection *c, int* error)
 	if (unlikely(ret == 1)) {
 		DBG("TLS connect successful\n");
 		tls_c->state = S_TLS_ESTABLISHED;
+		tls_log = cfg_get(tls, tls_cfg, log);
 		LOG(tls_log, "tls_connect: new connection to %s:%d using %s %s %d\n", 
 		    ip_addr2a(&c->rcv.src_ip), c->rcv.src_port,
 		    SSL_get_cipher_version(ssl), SSL_get_cipher_name(ssl),
@@ -529,7 +537,7 @@ int tls_h_tcpconn_init(struct tcp_connection *c, int sock)
 {
 	c->type = PROTO_TLS;
 	c->rcv.proto = PROTO_TLS;
-	c->timeout = get_ticks_raw() + tls_con_lifetime;
+	c->timeout = get_ticks_raw() + cfg_get(tls, tls_cfg, con_lifetime);
 	c->extra_data = 0;
 	return 0;
 }