Posted to commits@trafficserver.apache.org by am...@apache.org on 2022/09/26 23:01:00 UTC
[trafficserver] branch master updated: Fix outbound client (local) override for disable. (#9104)
This is an automated email from the ASF dual-hosted git repository.
amc pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new 0b3b1c0a7 Fix outbound client (local) override for disable. (#9104)
0b3b1c0a7 is described below
commit 0b3b1c0a796d21799d1630728ae177d137ba50c1
Author: Alan M. Carroll <am...@apache.org>
AuthorDate: Mon Sep 26 18:00:53 2022 -0500
Fix outbound client (local) override for disable. (#9104)
---
iocore/net/SSLConfig.cc | 2 +-
iocore/net/SSLNetVConnection.cc | 21 +++++++++++++++------
2 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
index 6857915f9..336c084cc 100644
--- a/iocore/net/SSLConfig.cc
+++ b/iocore/net/SSLConfig.cc
@@ -784,7 +784,7 @@ SSLConfigParams::getCTX(const std::string &client_cert, const std::string &key_f
ctx_key = client_cert;
ts::bwprint(top_level_key, "{}:{}", ca_bundle_file, ca_bundle_path);
- Debug("ssl_client_ctx", "Look for client cert %s %s", top_level_key.c_str(), ctx_key.c_str());
+ Debug("ssl_client_ctx", "Look for client cert \"%s\" \"%s\"", top_level_key.c_str(), ctx_key.c_str());
ink_mutex_acquire(&ctxMapLock);
auto ctx_map_iter = top_level_ctx_map.find(top_level_key);
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index b9401165b..5b612e1bb 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
@@ -1109,15 +1109,24 @@ SSLNetVConnection::sslStartHandShake(int event, int &err)
SSL_CTX *clientCTX = nullptr;
// First Look to see if there are override parameters
+ Debug("ssl", "Checking for outbound client cert override [%p]", options.ssl_client_cert_name.get());
if (options.ssl_client_cert_name) {
- std::string certFilePath = Layout::get()->relative_to(params->clientCertPathOnly, options.ssl_client_cert_name.get());
+ std::string certFilePath;
std::string keyFilePath;
- if (options.ssl_client_private_key_name) {
- keyFilePath = Layout::get()->relative_to(params->clientKeyPathOnly, options.ssl_client_private_key_name);
- }
std::string caCertFilePath;
- if (options.ssl_client_ca_cert_name) {
- caCertFilePath = Layout::get()->relative_to(params->clientCACertPath, options.ssl_client_ca_cert_name);
+ // Enable override to explicitly disable the client certificate. That is, don't fill
+ // in any of the cert paths if the cert file name is empty or "NULL".
+ if (*options.ssl_client_cert_name != '\0' && 0 != strcasecmp("NULL", options.ssl_client_cert_name)) {
+ certFilePath = Layout::get()->relative_to(params->clientCertPathOnly, options.ssl_client_cert_name.get());
+ if (options.ssl_client_private_key_name) {
+ keyFilePath = Layout::get()->relative_to(params->clientKeyPathOnly, options.ssl_client_private_key_name);
+ }
+ if (options.ssl_client_ca_cert_name) {
+ caCertFilePath = Layout::get()->relative_to(params->clientCACertPath, options.ssl_client_ca_cert_name);
+ }
+ Debug("ssl", "Using outbound client cert `%s'", options.ssl_client_cert_name.get());
+ } else {
+ Debug("ssl", "Clearing outbound client cert");
}
sharedCTX =
params->getCTX(certFilePath, keyFilePath, caCertFilePath.empty() ? params->clientCACertFilename : caCertFilePath.c_str(),