Posted to github@trafficserver.apache.org by GitBox <gi...@apache.org> on 2021/02/19 01:36:59 UTC

[GitHub] [trafficserver] shinrich opened a new pull request #7540: Remove extra verify-callback

shinrich opened a new pull request #7540:
URL: https://github.com/apache/trafficserver/pull/7540


   Plus exercising the CI autest to figure out test failures.


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [trafficserver] shinrich commented on pull request #7540: Remove extra verify-callback

Posted by GitBox <gi...@apache.org>.
shinrich commented on pull request #7540:
URL: https://github.com/apache/trafficserver/pull/7540#issuecomment-829643573


   Perhaps we can go ahead and land this change, and track down additional potential redundant calls later.  I tried to do a quick fix that seemed to match on the other side, but several of the tls_client_verify* autests fail.  I doubt I will have much time to get back to this for some time.





[GitHub] [trafficserver] zwoop commented on pull request #7540: Remove extra verify-callback

Posted by GitBox <gi...@apache.org>.
zwoop commented on pull request #7540:
URL: https://github.com/apache/trafficserver/pull/7540#issuecomment-842493389


   Cherry-picked to v9.1.x branch.





[GitHub] [trafficserver] maskit commented on pull request #7540: Remove extra verify-callback

Posted by GitBox <gi...@apache.org>.
maskit commented on pull request #7540:
URL: https://github.com/apache/trafficserver/pull/7540#issuecomment-781918903


   ```
   $ git grep "set_verify("
   iocore/net/SSLClientUtils.cc:  SSL_CTX_set_verify(client_ctx, SSL_VERIFY_PEER, verify_callback);
   iocore/net/SSLNetVConnection.cc:      SSL_set_verify(this->ssl, SSL_VERIFY_PEER, verify_callback);
   iocore/net/SSLUtils.cc:  SSL_set_verify(ssl, server_verify_client, ssl_verify_client_callback);
   iocore/net/SSLUtils.cc:    SSL_CTX_set_verify(ctx, server_verify_client, ssl_verify_client_callback);
   tools/http_load/http_load.c:      SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_NONE, cert_verify_callback);
   ```
   
   I assume the other is the one in SSLNetVConnection.cc. Do we want to set the callback function to `SSL` rather than `SSL_CTX`?





[GitHub] [trafficserver] shinrich commented on pull request #7540: Remove extra verify-callback

Posted by GitBox <gi...@apache.org>.
shinrich commented on pull request #7540:
URL: https://github.com/apache/trafficserver/pull/7540#issuecomment-781763645


   [approve ci autest]





[GitHub] [trafficserver] shinrich commented on pull request #7540: Remove extra verify-callback

Posted by GitBox <gi...@apache.org>.
shinrich commented on pull request #7540:
URL: https://github.com/apache/trafficserver/pull/7540#issuecomment-782143709


   Good point. Should review the client side as well.  I noticed double prints from the server verify callback when looking at the debug statements from the autest failures.  I had figured that with multiple calls to SSL_*_set_verify, the last one in would be the only one called.  But for openssl at least, it appears that there is a slot for the SSL_CTX and a slot for the SSL object itself.
   
   Originally we just had the SSL_CTX version.  I added the SSL object version to deal with dynamic updates I believe.  Need to review some git history.


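
The audit that the `git grep` above starts, carried one step further as an added example (not part of the thread or of the Traffic Server code base): it groups the call sites by callback and reports every callback registered on both an `SSL_CTX` and an `SSL` object. The function names are made up for this example, and the input is the grep output quoted in the thread, embedded as sample data.

```shell
#!/bin/sh
# Sample input: the `git grep "set_verify("` output quoted in the thread.
sample_grep_output() {
cat <<'EOF'
iocore/net/SSLClientUtils.cc:  SSL_CTX_set_verify(client_ctx, SSL_VERIFY_PEER, verify_callback);
iocore/net/SSLNetVConnection.cc:      SSL_set_verify(this->ssl, SSL_VERIFY_PEER, verify_callback);
iocore/net/SSLUtils.cc:  SSL_set_verify(ssl, server_verify_client, ssl_verify_client_callback);
iocore/net/SSLUtils.cc:    SSL_CTX_set_verify(ctx, server_verify_client, ssl_verify_client_callback);
tools/http_load/http_load.c:      SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_NONE, cert_verify_callback);
EOF
}

# Reads `git grep` lines on stdin. Prints one line per callback that is
# registered through both SSL_CTX_set_verify and SSL_set_verify, with the
# files in which each registration appears.
find_dual_registrations() {
  awk '
    {
      file = $0; sub(/:.*/, "", file)            # path before the first colon
      if (match($0, /SSL_CTX_set_verify\(/))     scope = "ctx"
      else if (match($0, /SSL_set_verify\(/))    scope = "ssl"
      else next
      args = substr($0, RSTART + RLENGTH)        # text after the opening paren
      sub(/\).*/, "", args)                      # drop the closing paren and rest
      nargs = split(args, part, /,/)
      cb = part[nargs]; gsub(/[ \t]/, "", cb)    # callback is the last argument
      if (!(cb in seen)) { seen[cb] = 1; order[++count] = cb }
      if (scope == "ctx") ctx[cb] = (ctx[cb] == "" ? file : ctx[cb] "," file)
      else                ssl[cb] = (ssl[cb] == "" ? file : ssl[cb] "," file)
    }
    END {
      for (i = 1; i <= count; i++) {
        cb = order[i]
        if ((cb in ctx) && (cb in ssl))
          printf "%s ctx=%s ssl=%s\n", cb, ctx[cb], ssl[cb]
      }
    }'
}

# Against a real checkout: git grep "set_verify(" | find_dual_registrations
sample_grep_output | find_dual_registrations
```

On the sample it reports `verify_callback` and `ssl_verify_client_callback`, the client-side and server-side pairs the two comments point at; `cert_verify_callback` is registered only on a context and is not listed.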



[GitHub] [trafficserver] shinrich merged pull request #7540: Remove extra verify-callback

Posted by GitBox <gi...@apache.org>.
shinrich merged pull request #7540:
URL: https://github.com/apache/trafficserver/pull/7540


   

