Posted to commits@trafficserver.apache.org by bc...@apache.org on 2018/02/16 19:52:23 UTC
[trafficserver] branch master updated (08b9ade -> 25ccc06)
This is an automated email from the ASF dual-hosted git repository.
bcall pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git.
from 08b9ade Don't read DNS responses until we get at least two bytes
new eceff01 Remove all references to TS_USE_TLS_SNI
new 25ccc06 Removed checks for SNI support for autoconf
The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Summary of changes:
build/crypto.m4 | 47 +++-------------------
cmd/traffic_layout/info.cc | 1 -
configure.ac | 4 --
doc/admin-guide/files/records.config.en.rst | 4 +-
.../admin-guide/files/records.config.en.po | 4 +-
iocore/net/SSLNetVConnection.cc | 21 +---------
iocore/net/SSLUtils.cc | 5 ---
lib/ts/ink_config.h.in | 1 -
.../ssl_cert_loader/ssl-cert-loader.cc | 12 ------
tests/README.md | 1 -
10 files changed, 9 insertions(+), 91 deletions(-)
[trafficserver] 01/02: Remove all references to TS_USE_TLS_SNI
Posted by bc...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
bcall pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
commit eceff01d49d6958b67d47189ff3e43b31602e112
Author: David Calavera <da...@gmail.com>
AuthorDate: Fri Feb 16 10:13:47 2018 -0800
Remove all references to TS_USE_TLS_SNI
---
build/crypto.m4 | 3 +--
cmd/traffic_layout/info.cc | 1 -
doc/admin-guide/files/records.config.en.rst | 4 +---
.../admin-guide/files/records.config.en.po | 4 +---
iocore/net/SSLNetVConnection.cc | 21 +--------------------
iocore/net/SSLUtils.cc | 5 -----
lib/ts/ink_config.h.in | 1 -
.../experimental/ssl_cert_loader/ssl-cert-loader.cc | 12 ------------
tests/README.md | 1 -
9 files changed, 4 insertions(+), 48 deletions(-)
diff --git a/build/crypto.m4 b/build/crypto.m4
index 3a3b03b..9c85b2c 100644
--- a/build/crypto.m4
+++ b/build/crypto.m4
@@ -119,14 +119,13 @@ AC_DEFUN([TS_CHECK_CRYPTO_SNI], [
enable_tls_sni=no
])
- AC_CHECK_FUNCS(SSL_get_servername, [], [enable_tls_sni=no])
+ AC_CHECK_FUNCS(SSL_get_servername, [], [enable_tls_sni])
LIBS=$_sni_saved_LIBS
AC_MSG_CHECKING(whether to enable ServerNameIndication TLS extension support)
AC_MSG_RESULT([$enable_tls_sni])
TS_ARG_ENABLE_VAR([use], [tls-sni])
- AC_SUBST(use_tls_sni)
])
AC_DEFUN([TS_CHECK_CRYPTO_CERT_CB], [
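Review bot: The not-found action in `AC_CHECK_FUNCS(SSL_get_servername, [], [enable_tls_sni])` is now a bare word, so on a library without SSL_get_servername configure would try to run `enable_tls_sni` as a shell command and leave `$enable_tls_sni` unchanged instead of recording a failure. If the probe is meant to survive this commit, keep the assignment, `AC_CHECK_FUNCS(SSL_get_servername, [], [enable_tls_sni=no])`. With `AC_SUBST(use_tls_sni)` removed while `TS_ARG_ENABLE_VAR([use], [tls-sni])` stays, the "whether to enable ServerNameIndication" result no longer appears to feed any output, so the message reports a setting nothing consumes. The macro body starts above this hunk.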
diff --git a/cmd/traffic_layout/info.cc b/cmd/traffic_layout/info.cc
index eeca485..94528b1 100644
--- a/cmd/traffic_layout/info.cc
+++ b/cmd/traffic_layout/info.cc
@@ -90,7 +90,6 @@ produce_features(bool json)
print_feature("TS_USE_HWLOC", TS_USE_HWLOC, json);
print_feature("TS_USE_TLS_NPN", TS_USE_TLS_NPN, json);
print_feature("TS_USE_TLS_ALPN", TS_USE_TLS_ALPN, json);
- print_feature("TS_USE_TLS_SNI", TS_USE_TLS_SNI, json);
print_feature("TS_USE_CERT_CB", TS_USE_CERT_CB, json);
print_feature("TS_USE_SET_RBIO", TS_USE_SET_RBIO, json);
print_feature("TS_USE_TLS_ECKEY", TS_USE_TLS_ECKEY, json);
diff --git a/doc/admin-guide/files/records.config.en.rst b/doc/admin-guide/files/records.config.en.rst
index a430347..119fa4c 100644
--- a/doc/admin-guide/files/records.config.en.rst
+++ b/doc/admin-guide/files/records.config.en.rst
@@ -3349,9 +3349,7 @@ SSL Termination
.. ts:cv:: CONFIG proxy.config.ssl.wire_trace_server_name STRING NULL
- This specifies the server name for which wire_traces should be
- printed. This only works if traffic_server is built with
- TS_USE_TLS_SNI flag set to true.
+ This specifies the server name for which wire_traces should be printed.
Client-Related Configuration
----------------------------
diff --git a/doc/locale/ja/LC_MESSAGES/admin-guide/files/records.config.en.po b/doc/locale/ja/LC_MESSAGES/admin-guide/files/records.config.en.po
index e929c45..be917bf 100644
--- a/doc/locale/ja/LC_MESSAGES/admin-guide/files/records.config.en.po
+++ b/doc/locale/ja/LC_MESSAGES/admin-guide/files/records.config.en.po
@@ -4830,9 +4830,7 @@ msgstr ""
#: ../../../admin-guide/files/records.config.en.rst:3117
msgid ""
-"This specifies the server name for which wire_traces should be printed. "
-"This only works if traffic_server is built with TS_USE_TLS_SNI flag set to "
-"true."
+"This specifies the server name for which wire_traces should be printed."
msgstr ""
#: ../../../admin-guide/files/records.config.en.rst:3122
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index 9c2a513..cb96af0 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
@@ -956,15 +956,6 @@ SSLNetVConnection::sslStartHandShake(int event, int &err)
// to negotiate a SSL session, but it's enough to trampoline us into the SNI callback where we
// can select the right server certificate.
this->ssl = make_ssl_connection(lookup->defaultContext(), this);
-
-#if !(TS_USE_TLS_SNI)
- // set SSL trace
- if (SSLConfigParams::ssl_wire_trace_enabled) {
- bool trace = computeSSLTrace();
- Debug("ssl", "sslnetvc. setting trace to=%s", trace ? "true" : "false");
- setSSLTrace(trace);
- }
-#endif
}
if (this->ssl == nullptr) {
@@ -1017,7 +1008,6 @@ SSLNetVConnection::sslStartHandShake(int event, int &err)
}
SSL_set_verify(this->ssl, clientVerify ? SSL_VERIFY_PEER : SSL_VERIFY_NONE, verify_callback);
-#if TS_USE_TLS_SNI
if (this->options.sni_servername) {
if (SSL_set_tlsext_host_name(this->ssl, this->options.sni_servername)) {
Debug("ssl", "using SNI name '%s' for client handshake", this->options.sni_servername.get());
@@ -1026,7 +1016,6 @@ SSLNetVConnection::sslStartHandShake(int event, int &err)
SSL_INCREMENT_DYN_STAT(ssl_sni_name_set_failure);
}
}
-#endif
}
return sslClientHandShakeEvent(err);
@@ -1470,16 +1459,12 @@ SSLNetVConnection::reenable(NetHandler *nh)
bool
SSLNetVConnection::sslContextSet(void *ctx)
{
-#if TS_USE_TLS_SNI
bool zret = true;
if (ssl) {
SSL_set_SSL_CTX(ssl, static_cast<SSL_CTX *>(ctx));
} else {
zret = false;
}
-#else
- bool zret = false;
-#endif
return zret;
}
@@ -1585,8 +1570,7 @@ SSLNetVConnection::callHooks(TSEvent eventId)
bool
SSLNetVConnection::computeSSLTrace()
{
-// this has to happen before the handshake or else sni_servername will be nullptr
-#if TS_USE_TLS_SNI
+ // this has to happen before the handshake or else sni_servername will be nullptr
bool sni_trace;
if (ssl) {
const char *ssl_servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
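Review bot: The re-indented comment in computeSSLTrace() still says the call must happen "before the handshake", but this commit deletes the pre-handshake call in sslStartHandShake(), and the only caller left in the diff is set_context_cert() in SSLUtils.cc, which appears to run from the handshake callbacks. Since this function decides which connections get wire tracing, the comment should describe the real calling point, for example `// Called from the SNI/cert callback during the handshake; SSL_get_servername() only has a value once the ClientHello has been parsed.` Callers outside this diff may exist, so confirm before rewording. The function body continues past the end of this hunk, so the handling of a null ssl_servername (client sent no SNI) is not visible here.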
@@ -1596,9 +1580,6 @@ SSLNetVConnection::computeSSLTrace()
} else {
sni_trace = false;
}
-#else
- bool sni_trace = false;
-#endif
// count based on ip only if they set an IP value
const sockaddr *remote_addr = get_remote_addr();
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index ae964eb..12c0532 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -317,7 +317,6 @@ ssl_rm_cached_session(SSL_CTX *ctx, SSL_SESSION *sess)
session_cache->removeSession(sid);
}
-#if TS_USE_TLS_SNI
int
set_context_cert(SSL *ssl)
{
@@ -330,7 +329,6 @@ set_context_cert(SSL *ssl)
int retval = 1;
Debug("ssl", "set_context_cert ssl=%p server=%s handshake_complete=%d", ssl, servername, netvc->getSSLHandShakeComplete());
- // set SSL trace (we do this a little later in the USE_TLS_SNI case so we can get the servername
if (SSLConfigParams::ssl_wire_trace_enabled) {
bool trace = netvc->computeSSLTrace();
Debug("ssl", "sslnetvc. setting trace to=%s", trace ? "true" : "false");
@@ -495,7 +493,6 @@ done:
return retval;
}
#endif
-#endif /* TS_USE_TLS_SNI */
#if TS_USE_GET_DH_2048_256 == 0
/* Build 2048-bit MODP Group with 256-bit Prime Order Subgroup from RFC 5114 */
@@ -1492,7 +1489,6 @@ ssl_callback_info(const SSL *ssl, int where, int ret)
static void
ssl_set_handshake_callbacks(SSL_CTX *ctx)
{
-#if TS_USE_TLS_SNI
// Make sure the callbacks are set
#if TS_USE_CERT_CB
SSL_CTX_set_cert_cb(ctx, ssl_cert_callback, nullptr);
@@ -1500,7 +1496,6 @@ ssl_set_handshake_callbacks(SSL_CTX *ctx)
#else
SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_and_cert_callback);
#endif
-#endif
}
void
diff --git a/lib/ts/ink_config.h.in b/lib/ts/ink_config.h.in
index 0d104de..037b619 100644
--- a/lib/ts/ink_config.h.in
+++ b/lib/ts/ink_config.h.in
@@ -71,7 +71,6 @@
#define TS_USE_HWLOC @use_hwloc@
#define TS_USE_TLS_NPN @use_tls_npn@
#define TS_USE_TLS_ALPN @use_tls_alpn@
-#define TS_USE_TLS_SNI @use_tls_sni@
#define TS_USE_CERT_CB @use_cert_cb@
#define TS_USE_SET_RBIO @use_set_rbio@
#define TS_USE_GET_DH_2048_256 @use_dh_get_2048_256@
diff --git a/plugins/experimental/ssl_cert_loader/ssl-cert-loader.cc b/plugins/experimental/ssl_cert_loader/ssl-cert-loader.cc
index 685df7d..c3aacff 100644
--- a/plugins/experimental/ssl_cert_loader/ssl-cert-loader.cc
+++ b/plugins/experimental/ssl_cert_loader/ssl-cert-loader.cc
@@ -43,8 +43,6 @@ using ts::config::Value;
#define PN "ssl-cert-loader"
#define PCP "[" PN " Plugin] "
-#if TS_USE_TLS_SNI
-
namespace
{
class CertLookup
@@ -554,13 +552,3 @@ TSPluginInit(int argc, const char *argv[])
return;
}
-
-#else // ! TS_USE_TLS_SNI
-
-void
-TSPluginInit(int, const char *[])
-{
- TSError(PCP "requires TLS SNI which is not available");
-}
-
-#endif // TS_USE_TLS_SNI
diff --git a/tests/README.md b/tests/README.md
index 2d5f714..4fc365d 100644
--- a/tests/README.md
+++ b/tests/README.md
@@ -295,7 +295,6 @@ ts.Disk.remap_config.AddLine(
* TS_USE_HWLOC
* TS_USE_TLS_NPN
* TS_USE_TLS_ALPN
- * TS_USE_TLS_SNI
* TS_USE_CERT_CB
* TS_USE_SET_RBIO
* TS_USE_TLS_ECKEY
[trafficserver] 02/02: Removed checks for SNI support for autoconf
Posted by bc...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
bcall pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
commit 25ccc06c8b5ec027bc0a3a401d9f25c6087009a2
Author: Bryan Call <bc...@apache.org>
AuthorDate: Fri Feb 16 10:21:34 2018 -0800
Removed checks for SNI support for autoconf
---
build/crypto.m4 | 46 ++++++----------------------------------------
configure.ac | 4 ----
2 files changed, 6 insertions(+), 44 deletions(-)
diff --git a/build/crypto.m4 b/build/crypto.m4
index 9c85b2c..4cef872 100644
--- a/build/crypto.m4
+++ b/build/crypto.m4
@@ -43,6 +43,7 @@ dnl
AC_DEFUN([TS_CHECK_CRYPTO_EC_KEYS], [
_eckeys_saved_LIBS=$LIBS
+
TS_ADDTO(LIBS, [$OPENSSL_LIBS])
AC_CHECK_HEADERS(openssl/ec.h)
AC_CHECK_FUNCS(EC_KEY_new_by_curve_name, [enable_tls_eckey=yes], [enable_tls_eckey=no])
@@ -57,6 +58,7 @@ AC_DEFUN([TS_CHECK_CRYPTO_EC_KEYS], [
AC_DEFUN([TS_CHECK_CRYPTO_NEXTPROTONEG], [
enable_tls_npn=yes
_npn_saved_LIBS=$LIBS
+
TS_ADDTO(LIBS, [$OPENSSL_LIBS])
AC_CHECK_FUNCS(SSL_CTX_set_next_protos_advertised_cb SSL_CTX_set_next_proto_select_cb SSL_select_next_proto SSL_get0_next_proto_negotiated,
[], [enable_tls_npn=no]
@@ -72,6 +74,7 @@ AC_DEFUN([TS_CHECK_CRYPTO_NEXTPROTONEG], [
AC_DEFUN([TS_CHECK_CRYPTO_ALPN], [
enable_tls_alpn=yes
_alpn_saved_LIBS=$LIBS
+
TS_ADDTO(LIBS, [$OPENSSL_LIBS])
AC_CHECK_FUNCS(SSL_CTX_set_alpn_protos SSL_CTX_set_alpn_select_cb SSL_get0_alpn_selected SSL_select_next_proto,
[], [enable_tls_alpn=no]
@@ -84,9 +87,9 @@ AC_DEFUN([TS_CHECK_CRYPTO_ALPN], [
AC_SUBST(use_tls_alpn)
])
-AC_DEFUN([TS_CHECK_CRYPTO_SNI], [
- _sni_saved_LIBS=$LIBS
- enable_tls_sni=yes
+AC_DEFUN([TS_CHECK_CRYPTO_CERT_CB], [
+ _cert_saved_LIBS=$LIBS
+ enable_cert_cb=yes
TS_ADDTO(LIBS, [$OPENSSL_LIBS])
AC_CHECK_HEADERS(openssl/ssl.h openssl/ts.h)
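Review bot: With TS_CHECK_CRYPTO_SNI folded into TS_CHECK_CRYPTO_CERT_CB here and its probe deleted in the next hunk, configure no longer verifies that the linked OpenSSL provides `SSL_CTX_set_tlsext_servername_callback` or `SSL_get_servername`. The previous commit made both unconditional in SSLNetVConnection.cc and SSLUtils.cc, so a library built without TLS extension support would now fail with compile errors in iocore/net rather than with a clear configure message. Consider keeping the removed AC_COMPILE_IFELSE probe as a hard requirement, replacing its failure branch with `AC_MSG_ERROR([OpenSSL with TLS SNI support is required])`. The macro continues beyond this hunk.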
@@ -96,43 +99,6 @@ AC_DEFUN([TS_CHECK_CRYPTO_SNI], [
#include <openssl/tls1.h>
#endif ])
- # We are looking for SSL_CTX_set_tlsext_servername_callback, but it's a
- # macro, so AC_CHECK_FUNCS is not going to do the business.
- AC_MSG_CHECKING([for SSL_CTX_set_tlsext_servername_callback])
- AC_COMPILE_IFELSE(
- [
- AC_LANG_PROGRAM([[
-#if HAVE_OPENSSL_SSL_H
-#include <openssl/ssl.h>
-#endif
-#if HAVE_OPENSSL_TLS1_H
-#include <openssl/tls1.h>
-#endif
- ]],
- [[SSL_CTX_set_tlsext_servername_callback(NULL, NULL);]])
- ],
- [
- AC_MSG_RESULT([yes])
- ],
- [
- AC_MSG_RESULT([no])
- enable_tls_sni=no
- ])
-
- AC_CHECK_FUNCS(SSL_get_servername, [], [enable_tls_sni])
-
- LIBS=$_sni_saved_LIBS
-
- AC_MSG_CHECKING(whether to enable ServerNameIndication TLS extension support)
- AC_MSG_RESULT([$enable_tls_sni])
- TS_ARG_ENABLE_VAR([use], [tls-sni])
-])
-
-AC_DEFUN([TS_CHECK_CRYPTO_CERT_CB], [
- _cert_saved_LIBS=$LIBS
- enable_cert_cb=yes
-
- TS_ADDTO(LIBS, [$OPENSSL_LIBS])
AC_MSG_CHECKING([for SSL_CTX_set_cert_cb])
AC_LINK_IFELSE(
[
diff --git a/configure.ac b/configure.ac
index b434d77..e994801 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1160,10 +1160,6 @@ TS_CHECK_CRYPTO_ALPN
TS_CHECK_CRYPTO_EC_KEYS
#
-# Check for ServerNameIndication TLS extension support.
-TS_CHECK_CRYPTO_SNI
-
-#
# Check for the presense of the certificate callback in the ssl library
TS_CHECK_CRYPTO_CERT_CB