Correct minor issues with recent SSL change

tool/net/counters.inc

@@ -84,6 +84,7 @@ C(sslcantciphers)
 C(sslhandshakefails)
 C(sslhandshakes)
 C(sslnociphers)
+C(sslnoversion)
 C(sslshakemacs)
 C(ssltimeouts)
 C(sslunknownca)

tool/net/net.mk

@@ -144,7 +144,7 @@ o/$(MODE)/tool/net/redbean-demo.com:				\
 	@$(COMPILE) -AZIP -T$@ o/$(MODE)/host/third_party/infozip/zip.com -qj $@ tool/net/demo/404.html tool/net/favicon.ico tool/net/redbean.png tool/net/demo/redbean-form.lua tool/net/demo/redbean-xhr.lua
 	@echo Uncompressed for HTTP Range requests | $(COMPILE) -AZIP -T$@ o/$(MODE)/host/third_party/infozip/zip.com -cqj0 $@ tool/net/demo/seekable.txt
 	@$(COMPILE) -AZIP -T$@ o/$(MODE)/host/third_party/infozip/zip.com -q $@ tool/net/ tool/net/demo/ tool/net/demo/index.html tool/net/demo/redbean.css tool/net/redbean.c net/http/parsehttprequest.c net/http/parseurl.c net/http/encodeurl.c test/net/http/parsehttprequest_test.c test/net/http/parseurl_test.c
-	@printf "<p>This is a live instance of <a href=https://justine.lol/redbean/>redbean</a>: a tiny multiplatform webserver that <a href=https://news.ycombinator.com/item?id=26271117>went viral</a> on hacker news a few months ago.\r\nSince then, we've added Lua dynamic serving, which also goes as fast as 1,000,000 requests per second on a core i9 (rather than a cheap virtual machine like this). the text you're reading now is a PKZIP End Of Central Directory comment.\r\n<p>redbean aims to be production worthy across six operating systems, using a single executable file (this demo is hosted on FreeBSD 13). redbean has been enhanced to restore the APE header after startup.\r\nIt automatically generates this listing page based on your O/$(MODE)/THIRD_PARTY/INFOZIP/ZIP.COM contents. If you use redbean as an application server / web development environment,\r\nthen you'll find other new and useful features like function call logging so you can get that sweet sweet microsecond scale latency." | $(COMPILE) -AZIP -T$@ o/$(MODE)/host/third_party/infozip/zip.com -z $@
+	@printf "<p>This is a live instance of <a href=https://justine.lol/redbean/>redbean</a>: a tiny multiplatform webserver that <a href=https://news.ycombinator.com/item?id=26271117>went viral</a> on hacker news a few months ago.\r\nSince then, we've added Lua dynamic serving, which also goes as fast as 1,000,000 requests per second on a core i9 (rather than a cheap virtual machine like this)\nin addition to SQLite and SSL. The text you're reading now is a PKZIP End Of Central Directory comment.\r\n<p>redbean aims to be production worthy across six operating systems, using a single executable file (this demo is hosted on FreeBSD 13). redbean has been enhanced to restore the APE header after startup.\r\nIt automatically generates this listing page based on your zip contents. If you use redbean as an application server / web development environment,\r\nthen you'll find other new and useful features like function call logging so you can get that sweet sweet microsecond scale latency." | $(COMPILE) -AZIP -T$@ o/$(MODE)/host/third_party/infozip/zip.com -z $@
 	@$(COMPILE) -AMKDIR -T$@ mkdir -p o/$(MODE)/tool/net/virtualbean.justine.lol/
 	@$(COMPILE) -ACP -T$@ cp tool/net/redbean.png o/$(MODE)/tool/net/virtualbean.justine.lol/redbean.png
 	@$(COMPILE) -ACP -T$@ cp tool/net/demo/virtualbean.html o/$(MODE)/tool/net/virtualbean.justine.lol/index.html

tool/net/redbean.c

@@ -140,6 +140,7 @@ STATIC_YOINK("usr/share/ssl/root/geotrust.pem");
 STATIC_YOINK("usr/share/ssl/root/globalsign.pem");
 STATIC_YOINK("usr/share/ssl/root/godaddy.pem");
 STATIC_YOINK("usr/share/ssl/root/google.pem");
+STATIC_YOINK("usr/share/ssl/root/isrg.pem");
 STATIC_YOINK("usr/share/ssl/root/quovadis.pem");
 STATIC_YOINK("usr/share/ssl/root/redbean.pem");
 STATIC_YOINK("usr/share/ssl/root/starfield.pem");
@@ -720,7 +721,6 @@ static bool VerifyCertificate(mbedtls_x509_crt *cert, int depth) {
 }
 
 static void UseCertificate(mbedtls_x509_crt *cert, mbedtls_pk_context *key) {
-  LogCertificate("using certificate", cert);
   if (VerifyCertificate(cert, 0)) {
     if (!dontupgradeinsecurerequests) {
       DEBUGF("enabling conditional https redirects");
@@ -1442,6 +1442,10 @@ static bool TlsSetup(void) {
           LockInc(&shared->c.sslcantciphers);
           WARNF("%s SSL can't ciphersuite", DescribeClient());
           return false;
+        case MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION:
+          LockInc(&shared->c.sslnoversion);
+          WARNF("%s SSL version mismatch", DescribeClient());
+          return false;
         case MBEDTLS_ERR_SSL_INVALID_MAC:
           LockInc(&shared->c.sslshakemacs);
           WARNF("%s SSL handshake failed bad mac", DescribeClient());
@@ -1580,7 +1584,7 @@ static struct Cert *GetKeySigningKey(void) {
   return NULL;
 }
 
-static struct Cert *GenerateEcpCertificate(struct Cert *ca) {
+static struct Cert GenerateEcpCertificate(struct Cert *ca) {
   int i, n;
   unsigned char *p;
   mbedtls_x509_crt *cert;
@@ -1616,14 +1620,12 @@ static struct Cert *GenerateEcpCertificate(struct Cert *ca) {
   mbedtls_ctr_drbg_free(&kr);
   free(p);
   CHECK_EQ(0, mbedtls_pk_check_pair(&cert->pk, key));
+  LogCertificate("generated nist elliptic curve certificate", cert);
   UseCertificate(cert, key);
-  certs.p = realloc(certs.p, ++certs.n * sizeof(*certs.p));
-  certs.p[certs.n - 1].cert = cert;
-  certs.p[certs.n - 1].key = key;
-  return certs.p + certs.n - 1;
+  return (struct Cert){cert, key};
 }
 
-static struct Cert *GenerateRsaCertificate(struct Cert *ca) {
+static struct Cert GenerateRsaCertificate(struct Cert *ca) {
   int i, n, rc;
   unsigned char *p;
   mbedtls_x509_crt *cert;
@@ -1663,17 +1665,15 @@ static struct Cert *GenerateRsaCertificate(struct Cert *ca) {
     fprintf(stderr, "error: generate key (grep -0x%04x)\n", -rc);
     exit(1);
   }
+  LogCertificate("generated rivest–shamir–adleman certificate", cert);
   UseCertificate(cert, key);
-  certs.p = realloc(certs.p, ++certs.n * sizeof(*certs.p));
-  certs.p[certs.n - 1].cert = cert;
-  certs.p[certs.n - 1].key = key;
-  return certs.p + certs.n - 1;
+  return (struct Cert){cert, key};
 }
 
 static void LoadCertificates(void) {
   size_t i;
   bool havecert;
-  struct Cert *ksk, *cert;
+  struct Cert *ksk, ecp, rsa;
   havecert = false;
   for (i = 0; i < certs.n; ++i) {
     if (certs.p[i].key && certs.p[i].cert && !certs.p[i].cert->ca_istrue &&
@@ -1682,6 +1682,7 @@ static void LoadCertificates(void) {
         !mbedtls_x509_crt_check_extended_key_usage(
             certs.p[i].cert, MBEDTLS_OID_SERVER_AUTH,
             MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH))) {
+      LogCertificate("using certificate", certs.p[i].cert);
       UseCertificate(certs.p[i].cert, certs.p[i].key);
       havecert = true;
     }
@@ -1699,12 +1700,18 @@ static void LoadCertificates(void) {
       WARNF("generating self-signed ssl certificates");
     }
 #ifdef MBEDTLS_ECP_C
-    cert = GenerateEcpCertificate(ksk);
-    LogCertificate("generated nist elliptic curve certificate", cert->cert);
+    ecp = GenerateEcpCertificate(ksk);
 #endif
 #ifdef MBEDTLS_RSA_C
-    cert = GenerateRsaCertificate(ksk);
-    LogCertificate("generated rivest–shamir–adleman certificate", cert->cert);
+    rsa = GenerateRsaCertificate(ksk);
+#endif
+#ifdef MBEDTLS_ECP_C
+    certs.p = realloc(certs.p, ++certs.n * sizeof(*certs.p));
+    certs.p[certs.n - 1] = ecp;
+#endif
+#ifdef MBEDTLS_RSA_C
+    certs.p = realloc(certs.p, ++certs.n * sizeof(*certs.p));
+    certs.p[certs.n - 1] = rsa;
 #endif
   }
 }
@@ -4897,7 +4904,7 @@ static char *SendHttpsRedirect(void) {
       url.port.n = 2;
     }
     neu = FreeLater(EncodeUrl(&url, 0));
-    LOGF("REDIRECT %s %.*s → %.*s", DescribeClient(), old, neu);
+    LOGF("REDIRECT %s from %s → %s", DescribeClient(), old, neu);
     p = SetStatus(307, "Temporary Redirect");
     p = AppendHeader(p, "Location", neu);
     return p;

usr/share/ssl/root/isrg.pem

@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
+WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
+ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
+MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
+h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
+0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
+A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
+T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
+B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
+B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
+KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
+OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
+jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
+qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
+rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
+HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
+hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
+ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
+3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
+NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
+ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
+TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
+jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
+oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
+4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
+mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
+emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
+-----END CERTIFICATE-----