Add native support for ssl. Fixes #28

examples/CA/cacert.pem

@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDxzCCAq+gAwIBAgIBADANBgkqhkiG9w0BAQUFADA5MQswCQYDVQQGEwJVUzEO
+MAwGA1UECgwFbG9jYWwxDTALBgNVBAsMBGFlcm8xCzAJBgNVBAMMAkNBMB4XDTEy
+MDExNDAwMTcyN1oXDTE3MDExMjAwMTcyN1owOTELMAkGA1UEBhMCVVMxDjAMBgNV
+BAoMBWxvY2FsMQ0wCwYDVQQLDARhZXJvMQswCQYDVQQDDAJDQTCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBAN8bteVsrQxfKHzYuwP1vjH2r6qavPK/agCK
+bbPXZmWfUUGjL4ZT4jmnz/B6QNBBKTE/zWcuLXvyRR2FUCi8c5itUvraJVIuBPT/
+lvAZfbyIMpdHG1RPwA6jgTTXm7hnfZc0lCzsFRLk106XrjKeIkZOWffnVLNS2dyH
+X51/yZAS8wFyfx58gabC3hvzJLWw/fDSB/qQsOjp5XCCrP30ILPads/P2dEFNZ1M
+bjGNErVjmEWEorbUsh6Gu3OyElicVf9hgHspFYNwl1rc5IX7Z5eQM9Yd/Lm1mlvU
+iM839ZPn2UOtS9EDdeeZImTSALSUoFJjMdt8+synSDUuGPczUzECAwEAAaOB2TCB
+1jAPBgNVHRMBAf8EBTADAQH/MDEGCWCGSAGG+EIBDQQkFiJSdWJ5L09wZW5TU0wg
+R2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBReztszntEK4mwESl/gPjc8
+VKU2ljAOBgNVHQ8BAf8EBAMCAQYwYQYDVR0jBFowWIAUXs7bM57RCuJsBEpf4D43
+PFSlNpahPaQ7MDkxCzAJBgNVBAYTAlVTMQ4wDAYDVQQKDAVsb2NhbDENMAsGA1UE
+CwwEYWVybzELMAkGA1UEAwwCQ0GCAQAwDQYJKoZIhvcNAQEFBQADggEBABC6pRY+
+c+MKGG6hWv9FKTW5drw/9bfKxl+dVcKPP5YWuoAMtStkCVnDleQ7K2oN4o7kwr7Q
+cU3mmYJZjqRu43JBebzupBGKqe/mNWGN0EuCMT7khFEXbO3bwpcL0fhCO7+RZccx
+GF/LKglLgQSE+/SKOHlHdJZlS3EgPghrtoSiptx9ytXzkgCoEKypbAEmcArWvzzF
+81ZYjkLAwCrrB/qNAKnI0AKXMCiqnZu+8a16p5z+HGCjpTLB3NQ3YlyFF0jbr/ow
+R1Fb07t0uO2o22nuua+iK8lKqWLE6eQUIu/YB6DMEgjk+D6of+WQ+38GC35QyPKA
+9nQ8kMf2RkiGN6M=
+-----END CERTIFICATE-----

examples/CA/newcerts/cert_1.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIC/jCCAeagAwIBAgIBATANBgkqhkiG9w0BAQUFADA5MQswCQYDVQQGEwJVUzEO
+MAwGA1UECgwFbG9jYWwxDTALBgNVBAsMBGFlcm8xCzAJBgNVBAMMAkNBMB4XDTEy
+MDExNDAwMTcyN1oXDTEzMDExMzAwMTcyN1owSDELMAkGA1UEBhMCVVMxDjAMBgNV
+BAoMBWxvY2FsMQ0wCwYDVQQLDARhZXJvMQswCQYDVQQLDAJDQTENMAsGA1UEAwwE
+cHVtYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxkKjXHIYV4CVFB4YZuVk
+sXqdb7X9+igKPSkxFZoyjwW+AGiN27OwTvETLQiPMaB1WiJtDF9NEmlwYXl4dHWz
+5QPVJtQ5ud7FdCJWBUc+K6LS4xwixwis/FNZVfVcyxkR+cm7mVwxwrxle1lJasoJ
+ouqtVePdt+j+9hcJfLIaZD8CAwEAAaOBhTCBgjAMBgNVHRMBAf8EAjAAMDEGCWCG
+SAGG+EIBDQQkFiJSdWJ5L09wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0G
+A1UdDgQWBBQDrltCvbaqNl/TvFNb/NEIEnbJ2jALBgNVHQ8EBAMCBaAwEwYDVR0l
+BAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQEFBQADggEBAF8xrbIbIz7YW6ydjM6g
+gesu8T6q5RcJo9k2CWhd4RgJdfVJSZbCtAAMoRQTErX9Ng6afdlMWD1KnCfbP0IJ
+dq+Umh1BMfzhpYR35NPO/RZPR7Et0OMmmWCbwJBzgI6z8R8qiSuR/to6C7BjiWzo
+rp7S2fenkB6DfzZvHvIDojQ0OpnD2oYBOn/UyAma4I7XzXWe9IIUMARjS5CYZsv9
+HBU3B+e5F9ANi3lRc7x5jIAqVt292HaH+c1UCn0/r/73cW1Z/iNYA9PgS2QKdmYq
+b3oQRFk0wM5stNVsrn7xGftmOETv8pD6r4P8jyw7Ib+ypr10WrFOm7uOscPS4QE2
+Mf0=
+-----END CERTIFICATE-----

examples/CA/newcerts/cert_2.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIC/jCCAeagAwIBAgIBAjANBgkqhkiG9w0BAQUFADA5MQswCQYDVQQGEwJVUzEO
+MAwGA1UECgwFbG9jYWwxDTALBgNVBAsMBGFlcm8xCzAJBgNVBAMMAkNBMB4XDTEy
+MDExNDAwMjcyN1oXDTEzMDExMzAwMjcyN1owSDELMAkGA1UEBhMCVVMxDjAMBgNV
+BAoMBWxvY2FsMQ0wCwYDVQQLDARhZXJvMQswCQYDVQQLDAJDQTENMAsGA1UEAwwE
+cHVtYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArxfNMp+g/pKhsDEkB3KR
+1MAkbfnN/UKMvfXwlnXpz7YX1LHHnMutiI/PqymAp6BPcu+umuW2qMHQyqqtyATm
+Z9jr3t837nhmxwG1noRaKRtsckn9FD43ZlpPg0Q5QnhS4oOsXwJzilqPjdDFYrKN
+3TSvIGM2+hVqpVoGYAHDKbMCAwEAAaOBhTCBgjAMBgNVHRMBAf8EAjAAMDEGCWCG
+SAGG+EIBDQQkFiJSdWJ5L09wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0G
+A1UdDgQWBBTyDyJlmYBDwfWdRj6lWGvoY43k9DALBgNVHQ8EBAMCBaAwEwYDVR0l
+BAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQEFBQADggEBAIbBVfoVCG8RyVesPW+q
+5i0wAMbHZ1fwv1RKp17c68DYDs0YYPi0bA0ss8AgpU6thWmskxPiFaE6D5x8iv9f
+zkcHxgr1Mrbx6RLx9tLUVehSmRv3aiVO4k9Mp6vf+rJK1AYeaGBmvoqTBLwy7Jrt
+ytKMdqMJj5jKWkWgEGgTnjzbcOClmCQab9isigIzTxMyC/LjeKZe8pPeVX6OM8bY
+y8XGZp9B7uwdPzqt/g25IzTC0KsQwq8cB0raAtZzIyTNv42zcUjmQNVazAozCTcq
+MsEtK2z7TYBC3udTsdyS2qVqCpsk7IMOBGrw8vk4SNhO+coiDObW2K/HNvhl0tZC
+oQI=
+-----END CERTIFICATE-----

examples/CA/private/cakeypair.pem

@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,8FE374A296255ED1
+
+g6YSW6TUA/9dSscxCWPm11bG6DedWJ6fanU6V7O2n9WbGOLE0ogz877D/5gPr94+
+WJHnCb0O4gyKQA307XA9nq+HAPTyJFKroEz1CPXVrITV8AO+vJ/PUc1y1LQ1ymMk
+fcvI3ZNdbDBr7OL7luYch7qoVULJ4kwJTU7WT9XzINiSnS3Ccqh6ZEPFyKIcxP2s
+11WkpxdDJ911nCXVUoa9Hd5tQk7mHZuf7XL01up08SDobx/imaU9VN8QQG6AFE55
+jVtfv7MxP+9gHmHQxuhYuDMnu5GIwuJPFHvI7Gi9jcwvee/GhcKBnKdpFc92fJJ8
++TIqR2D21EHDBoep1fMGgbPOl+9z1hdE78Sj6tHwjeRF93mhJWyYNQWQ5ViKLnoF
+j11idWOXwkOCFttRBMd74QG6GyxTvs8FNDOXmm361Muk94a4fbKRJvKvYZlBnYKu
+fOmJNFf2zEVVHjBCbvM4swAT09cWLxRMRTiFb5y7QAEmtFO4WLavlmnNCdMq/uC4
+CpFqGtoiaCimunjTfvkBaJngSfTYSrd4cStnx/c0XK++dni+bLXUHOyMxvihl5vn
+SiFlzWTmoWf1gxNZgOSKY432R6T1CQXfnAd3x/FCJjfPqFt+RAFXjlVFNA0FZyVE
+sCxhVx1eZsr7aMJ5H9RehUr6b9swUEm4UGX5H3/GG7GNCZU+fA+Wfi9cl1zqJFey
+Ho5UjjmRgdV1qapioqCd+Ce/mG0LxRPt/hYdA6G5h4zheRc3KZ7YbIwWRwlkm2w5
+is4ToZKwheycaaQnUfOdHUTtZ4Kv0kRof+LMcDUDTrsydWF4T4xGxGD7/CVJkH1G
+5OTVsfv6Tw7kEMYaXYBQPs0u3GSxY3CZ+k5wATr9PBBYcArSkt5WNQYCJfO/MnWF
+z/31hp/ziCIoesgo6uZMO4Dr5Pka54nc4O4KOblvUUMX07WkYGrc4nxBGvhQ5Jl4
+A8dJBPCK3OlsVCnHYrDQ0cemhLOYPuiyKTtCUIs2nHuiM4RwoCRJgsVBUnKK+tTx
+AkM9uQvYsrZ/DoBooBdXJQy3uiHH86zEskiy72H8Wgcu8GbLt2JgCyhXkwDzrIRf
+hnAN4FS2VNOt5dDTVHBWG1vIxxlM2+LrYpY/QqihNgotZ+C4VWHkoDwbF478JgxM
+5Yk+0X9kGvLQbZCJFXdAKAyr/AzRH+Hx1cDvSi7gypf8qOEZwD1rq7f0qw8jnqfG
+3QIFoN1/+xTAV8lTlGhvbQYz1XHVBH9l7TSQDLIrnwHTIv+PdZbTveGftCCnLdDo
+wBLBnw4mKVCtnHrEgXMQF62yuwueQ8zhdh8jf3osYV/COlRZwQQGgZtnQCeeyDIh
+8GJR9b4uv22QDNv7J2vcqTEWJdnpAZvIBFGuCBCAgev+URLGW2ELXfWQwNgc5+yP
+nGRXo+IwD1uhvEqtuin+cAn/sJhOa66g0ZcV/3AcrdQhbicn12YM71cMvA/XRKf5
+rpo8bAEwDqyoFoywH4IHM3HNV45rS+brskz6tZC5ELondCPVmUqgVu7ELHlJfPXx
+RbzbMPJEGr8WjWUiTDhrD2vWgoJ6NRKkDAUYm6KQb8Sbajd2JAAlYntLz5jKqNqN
+-----END RSA PRIVATE KEY-----

examples/CA/serial

@@ -0,0 +1 @@
+0003

examples/puma/cert_puma.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIC/jCCAeagAwIBAgIBAjANBgkqhkiG9w0BAQUFADA5MQswCQYDVQQGEwJVUzEO
+MAwGA1UECgwFbG9jYWwxDTALBgNVBAsMBGFlcm8xCzAJBgNVBAMMAkNBMB4XDTEy
+MDExNDAwMjcyN1oXDTEzMDExMzAwMjcyN1owSDELMAkGA1UEBhMCVVMxDjAMBgNV
+BAoMBWxvY2FsMQ0wCwYDVQQLDARhZXJvMQswCQYDVQQLDAJDQTENMAsGA1UEAwwE
+cHVtYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArxfNMp+g/pKhsDEkB3KR
+1MAkbfnN/UKMvfXwlnXpz7YX1LHHnMutiI/PqymAp6BPcu+umuW2qMHQyqqtyATm
+Z9jr3t837nhmxwG1noRaKRtsckn9FD43ZlpPg0Q5QnhS4oOsXwJzilqPjdDFYrKN
+3TSvIGM2+hVqpVoGYAHDKbMCAwEAAaOBhTCBgjAMBgNVHRMBAf8EAjAAMDEGCWCG
+SAGG+EIBDQQkFiJSdWJ5L09wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0G
+A1UdDgQWBBTyDyJlmYBDwfWdRj6lWGvoY43k9DALBgNVHQ8EBAMCBaAwEwYDVR0l
+BAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQEFBQADggEBAIbBVfoVCG8RyVesPW+q
+5i0wAMbHZ1fwv1RKp17c68DYDs0YYPi0bA0ss8AgpU6thWmskxPiFaE6D5x8iv9f
+zkcHxgr1Mrbx6RLx9tLUVehSmRv3aiVO4k9Mp6vf+rJK1AYeaGBmvoqTBLwy7Jrt
+ytKMdqMJj5jKWkWgEGgTnjzbcOClmCQab9isigIzTxMyC/LjeKZe8pPeVX6OM8bY
+y8XGZp9B7uwdPzqt/g25IzTC0KsQwq8cB0raAtZzIyTNv42zcUjmQNVazAozCTcq
+MsEtK2z7TYBC3udTsdyS2qVqCpsk7IMOBGrw8vk4SNhO+coiDObW2K/HNvhl0tZC
+oQI=
+-----END CERTIFICATE-----

examples/puma/csr_puma.pem

@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBhzCB8QIBADBIMQswCQYDVQQGEwJVUzEOMAwGA1UECgwFbG9jYWwxDTALBgNV
+BAsMBGFlcm8xCzAJBgNVBAsMAkNBMQ0wCwYDVQQDDARwdW1hMIGfMA0GCSqGSIb3
+DQEBAQUAA4GNADCBiQKBgQCvF80yn6D+kqGwMSQHcpHUwCRt+c39Qoy99fCWdenP
+thfUscecy62Ij8+rKYCnoE9y766a5baowdDKqq3IBOZn2Ove3zfueGbHAbWehFop
+G2xySf0UPjdmWk+DRDlCeFLig6xfAnOKWo+N0MViso3dNK8gYzb6FWqlWgZgAcMp
+swIDAQABoAAwDQYJKoZIhvcNAQEEBQADgYEAmRsmIQ0pF9iPOO7V1NeHxrVpFz1B
+CZK0yAIGlCWqzpFO/OILN1hJfFnsFl7hZWipoARk15fN1sSXQF3Xb7/sc/8qVhyz
+oY38uu/8CE9CTdUutniLzP/4sUomXjslKNVV0qKtmfsFkj2tHtWjJkGAyZUcoKeG
+hDJxQlIHhZa7Xvw=
+-----END CERTIFICATE REQUEST-----

examples/puma/puma_keypair.pem

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQCvF80yn6D+kqGwMSQHcpHUwCRt+c39Qoy99fCWdenPthfUscec
+y62Ij8+rKYCnoE9y766a5baowdDKqq3IBOZn2Ove3zfueGbHAbWehFopG2xySf0U
+PjdmWk+DRDlCeFLig6xfAnOKWo+N0MViso3dNK8gYzb6FWqlWgZgAcMpswIDAQAB
+AoGAHv/UyZivdULas4oPue3T2dnm2T239ZXZuywW21ym96pij7ql/6Gj6KClgMVJ
+TOQ6DLxYqn3vF/OwlqEfQWF0tTUYY+xNbEDE1YsbrS5/FSzbaEYYOHzRl/vMmnsf
+aNgYaSjOIecin7L71Wzq0piMIxg8BLb6IVECBku9EQNzxuECQQDZsbRgg1XZGj+r
+XAu/qXTNKQ/r7k+iPN5bXON6ApBomG+4Q7VVITL3tkGzLOphRZ37Q28FrN4B4gtC
+Xb9il5lDAkEAzecTSopPi2VdcME4WWmwn1rbTp/jJNt4dGZLsNfj9RejVDd32i/L
+P7wCpoPDaaVcoF2HgvCs39qatyVg6ecu0QJBALN4q+q9nDMGTuNpWU5D2EWjyrqJ
+mCF66R6NcASQxJlWwxQ4zfBHFIvgOD4Nk5VqHZqet5MIN2d6AipOu4/+x50CQHDp
+jf+rd1GHBcXGf8MwnUXWCjvEnEhi/lw+mLVivsRx8QRG4rfIy9monX949Flj8DaU
+87IPj422kG9s1QeP2nECQQCkg+RUcoQm7SiM8OXuXNeHQlvQNp65geFRxzKAXxT/
++1Mbtwnd3AXXZBekFDDpE9U3ZQjahoe7oc1oUBuw5hXL
+-----END RSA PRIVATE KEY-----

examples/qc_config.rb

@@ -0,0 +1,13 @@
+  full_hostname = `hostname`.strip
+  domainname = full_hostname.split('.')[1..-1].join('.')
+  hostname = full_hostname.split('.')[0]
+
+  CA[:hostname] = hostname
+  CA[:domainname] = domainname
+  CA[:CA_dir] = File.join Dir.pwd, "CA"
+  CA[:password] = 'puma'
+  
+  CERTS << {
+    :type => 'server',
+    :hostname => 'puma'
+  }

lib/puma/cli.rb

@@ -6,6 +6,7 @@ require 'puma/const'
 require 'puma/configuration'
 
 require 'rack/commonlogger'
+require 'rack/utils'
 
 module Puma
   # Handles invoke a Puma::Server in a command line style.
@@ -243,6 +244,27 @@ module Puma
           path = "#{uri.host}#{uri.path}"
 
           server.add_unix_listener path
+        when "ssl"
+          log "* Listening on #{str}"
+          params = Rack::Utils.parse_query uri.query
+          require 'openssl'
+
+          ctx = OpenSSL::SSL::SSLContext.new
+          unless params['key']
+            error "Please specify the SSL key via 'key='"
+          end
+
+          ctx.key = OpenSSL::PKey::RSA.new File.read(params['key'])
+
+          unless params['cert']
+            error "Please specify the SSL cert via 'cert='"
+          end
+
+          ctx.cert = OpenSSL::X509::Certificate.new File.read(params['cert'])
+
+          ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
+
+          server.add_ssl_listener uri.host, uri.port, ctx
         else
           error "Invalid URI: #{str}"
         end

lib/puma/configuration.rb

@@ -179,6 +179,15 @@ module Puma
         @options[:max_threads] = max
       end
 
+      def ssl_bind(host, port, opts)
+        o = [
+          "cert=#{opts[:cert]}",
+          "key=#{opts[:key]}"
+        ]
+
+        @options[:binds] << "ssl://#{host}:#{port}?#{o.join('&')}"
+      end
+
       # Use +path+ as the file to store the server info state. This is
       # used by pumactl to query and control the server.
       #

lib/puma/events.rb

@@ -33,7 +33,7 @@ module Puma
     # +server+ is the Server object, +env+ the request, +error+ an exception
     # object, and +kind+ some additional info.
     #
-    def unknown_error(server, env, error, kind="Unknown")
+    def unknown_error(server, error, kind="Unknown")
       if error.respond_to? :render
         error.render "#{Time.now}: #{kind} error", @stderr
       else

lib/puma/server.rb

@@ -108,6 +108,15 @@ module Puma
       @ios << s
     end
 
+    def add_ssl_listener(host, port, ctx, optimize_for_latency=true, backlog=1024)
+      s = TCPServer.new(host, port)
+      if optimize_for_latency
+        s.setsockopt(Socket::IPPROTO_TCP, Socket::TCP_NODELAY, 1)
+      end
+      s.listen backlog
+      @ios << OpenSSL::SSL::SSLServer.new(s, ctx)
+    end
+
     # Tell the server to listen on +path+ as a UNIX domain socket.
     #
     def add_unix_listener(path)
@@ -158,7 +167,7 @@ module Puma
               # client closed the socket even before accept
               client.close rescue nil
             rescue Object => e
-              @events.unknown_error self, env, e, "Listen loop"
+              @events.unknown_error self, e, "Listen loop"
             end
           end