Posted to commits@trafficserver.apache.org by jp...@apache.org on 2012/03/14 04:43:32 UTC
[3/4] git commit: TS-462: Configure checks for ServerNameIndication
TS-462: Configure checks for ServerNameIndication
Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/cad0e9b5
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/cad0e9b5
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/cad0e9b5
Branch: refs/heads/master
Commit: cad0e9b529337ee70b52235be9065e73820c157e
Parents: f67290f
Author: James Peach <jp...@apache.org>
Authored: Wed Feb 29 22:11:40 2012 -0800
Committer: James Peach <jp...@apache.org>
Committed: Tue Mar 13 20:33:15 2012 -0700
----------------------------------------------------------------------
build/crypto.m4 | 39 +++++++++++++++++++++++++++++++++++++++
configure.ac | 4 ++++
lib/ts/ink_config.h.in | 1 +
3 files changed, 44 insertions(+), 0 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/cad0e9b5/build/crypto.m4
----------------------------------------------------------------------
diff --git a/build/crypto.m4 b/build/crypto.m4
index 5cdc80a..3cee32f 100644
--- a/build/crypto.m4
+++ b/build/crypto.m4
@@ -124,3 +124,42 @@ AC_DEFUN([TS_CHECK_CRYPTO_NEXTPROTONEG], [
TS_ARG_ENABLE_VAR([use], [tls-npn])
AC_SUBST(use_tls_npn)
])
+
+AC_DEFUN([TS_CHECK_CRYPTO_SNI], [
+ _sni_saved_LIBS=$LIBS
+ enable_tls_sni=yes
+
+ TS_ADDTO(LIBS, [$LIBSSL])
+ AC_CHECK_HEADERS(openssl/tls1.h openssl/ssl.h)
+ # We are looking for SSL_CTX_set_tlsext_servername_callback, but it's a
+ # macro, so AC_CHECK_FUNCS is not going to do the business.
+ AC_MSG_CHECKING([for SSL_CTX_set_tlsext_servername_callback])
+ AC_COMPILE_IFELSE(
+ [
+ AC_LANG_PROGRAM([[
+#if HAVE_OPENSSL_SSL_H
+#include <openssl/ssl.h>
+#endif
+#if HAVE_OPENSSL_TLS1_H
+#include <openssl/tls1.h>
+#endif
+ ]],
+ [[SSL_CTX_set_tlsext_servername_callback(NULL, NULL);]])
+ ],
+ [
+ AC_MSG_RESULT([yes])
+ ],
+ [
+ AC_MSG_RESULT([no])
+ enable_tls_sni=no
+ ])
+
+ AC_CHECK_FUNCS(SSL_get_servername, [], [enable_tls_sni=no])
+
+ LIBS=$_sni_saved_LIBS
+
+ AC_MSG_CHECKING(whether to enable ServerNameIndication TLS extension support)
+ AC_MSG_RESULT([$enable_tls_sni])
+ TS_ARG_ENABLE_VAR([use], [tls-sni])
+ AC_SUBST(use_tls_sni)
+])
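Review bot: When either probe fails, `enable_tls_sni=no` is set and the only trace is a `no` in the configure output, so building against an OpenSSL that lacks the servername API silently yields a binary without SNI support. Because that presumably changes which certificate a multi-hostname listener presents, I would surface it explicitly before `TS_ARG_ENABLE_VAR`, e.g. `AS_IF([test "x$enable_tls_sni" = "xno"], [AC_MSG_WARN([OpenSSL lacks TLS servername (SNI) support; SNI will be disabled])])`. Separately, `enable_tls_sni=yes` is assigned unconditionally at the top of the macro and no `AC_ARG_ENABLE` is visible in this hunk, so if a `--disable-tls-sni` option is defined elsewhere its value would be overwritten here; worth confirming. Only `LIBS` is extended with `$LIBSSL`, so the header and compile probes rely on whatever include path is already in the preprocessor flags, and it is worth checking that they see the same OpenSSL the link check uses.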
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/cad0e9b5/configure.ac
----------------------------------------------------------------------
diff --git a/configure.ac b/configure.ac
index 52e072f..9f849e7 100644
--- a/configure.ac
+++ b/configure.ac
@@ -845,6 +845,10 @@ fi
TS_CHECK_CRYPTO_NEXTPROTONEG
#
+# Check for ServerNameIndication TLS extension support.
+TS_CHECK_CRYPTO_SNI
+
+#
# Check for zlib presence and usability
TS_CHECK_ZLIB
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/cad0e9b5/lib/ts/ink_config.h.in
----------------------------------------------------------------------
diff --git a/lib/ts/ink_config.h.in b/lib/ts/ink_config.h.in
index 6d02b77..aa12b36 100644
--- a/lib/ts/ink_config.h.in
+++ b/lib/ts/ink_config.h.in
@@ -114,6 +114,7 @@
#define TS_USE_HWLOC @use_hwloc@
#define TS_USE_FREELIST @use_freelist@
#define TS_USE_TLS_NPN @use_tls_npn@
+#define TS_USE_TLS_SNI @use_tls_sni@
/* OS API definitions */
#define GETHOSTBYNAME_R_HOSTENT_DATA @gethostbyname_r_hostent_data@
Re: [3/4] git commit: TS-462: Configure checks for ServerNameIndication
Posted by James Peach <ja...@me.com>.
On Mar 19, 2012, at 6:09 AM, Igor Galić wrote:
>
> Sorry for the late review!
> Sick/work/blah.
>
>
> ----- Original Message -----
>> TS-462: Configure checks for ServerNameIndication
>>
>>
>> Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
>> Commit:
>> http://git-wip-us.apache.org/repos/asf/trafficserver/commit/cad0e9b5
>> Tree:
>> http://git-wip-us.apache.org/repos/asf/trafficserver/tree/cad0e9b5
>> Diff:
>> http://git-wip-us.apache.org/repos/asf/trafficserver/diff/cad0e9b5
>>
>> Branch: refs/heads/master
>> Commit: cad0e9b529337ee70b52235be9065e73820c157e
>> Parents: f67290f
>> Author: James Peach <jp...@apache.org>
>> Authored: Wed Feb 29 22:11:40 2012 -0800
>> Committer: James Peach <jp...@apache.org>
>> Committed: Tue Mar 13 20:33:15 2012 -0700
>>
>> ----------------------------------------------------------------------
>> build/crypto.m4 | 39
>> +++++++++++++++++++++++++++++++++++++++
>> configure.ac | 4 ++++
>> lib/ts/ink_config.h.in | 1 +
>> 3 files changed, 44 insertions(+), 0 deletions(-)
>> ----------------------------------------------------------------------
>>
>>
>> http://git-wip-us.apache.org/repos/asf/trafficserver/blob/cad0e9b5/build/crypto.m4
>> ----------------------------------------------------------------------
>> diff --git a/build/crypto.m4 b/build/crypto.m4
>> index 5cdc80a..3cee32f 100644
>> --- a/build/crypto.m4
>> +++ b/build/crypto.m4
>> @@ -124,3 +124,42 @@ AC_DEFUN([TS_CHECK_CRYPTO_NEXTPROTONEG], [
>> TS_ARG_ENABLE_VAR([use], [tls-npn])
>> AC_SUBST(use_tls_npn)
>> ])
>> +
>> +AC_DEFUN([TS_CHECK_CRYPTO_SNI], [
>> + _sni_saved_LIBS=$LIBS
>> + enable_tls_sni=yes
>> +
>> + TS_ADDTO(LIBS, [$LIBSSL])
>> + AC_CHECK_HEADERS(openssl/tls1.h openssl/ssl.h)
>> + # We are looking for SSL_CTX_set_tlsext_servername_callback, but
>> it's a
>> + # macro, so AC_CHECK_FUNCS is not going to do the business.
>> + AC_MSG_CHECKING([for SSL_CTX_set_tlsext_servername_callback])
>> + AC_COMPILE_IFELSE(
>> + [
>> + AC_LANG_PROGRAM([[
>> +#if HAVE_OPENSSL_SSL_H
>> +#include <openssl/ssl.h>
>> +#endif
>> +#if HAVE_OPENSSL_TLS1_H
>> +#include <openssl/tls1.h>
>> +#endif
>> + ]],
>> + [[SSL_CTX_set_tlsext_servername_callback(NULL, NULL);]])
>> + ],
>> + [
>> + AC_MSG_RESULT([yes])
>> + ],
>> + [
>> + AC_MSG_RESULT([no])
>> + enable_tls_sni=no
>> + ])
>> +
>> + AC_CHECK_FUNCS(SSL_get_servername, [], [enable_tls_sni=no])
>> +
>> + LIBS=$_sni_saved_LIBS
>> +
>> + AC_MSG_CHECKING(whether to enable ServerNameIndication TLS
>> extension support)
>> + AC_MSG_RESULT([$enable_tls_sni])
>> + TS_ARG_ENABLE_VAR([use], [tls-sni])
>> + AC_SUBST(use_tls_sni)
>> +])
>
>
> This seems like overkill.
> All you'd have to do is surround your changes in the code with
>
> #ifndef OPENSSL_NO_TLSEXT
>
> At least that's how httpd does it:
>
> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?view=markup#l495
Yeh zwoop has the same comment, but I didn't think it was worth changing. It's overkill, but still correct.
J
Re: [3/4] git commit: TS-462: Configure checks for ServerNameIndication
Posted by Igor Galić <i....@brainsware.org>.
Sorry for the late review!
Sick/work/blah.
----- Original Message -----
> TS-462: Configure checks for ServerNameIndication
>
>
> Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
> Commit:
> http://git-wip-us.apache.org/repos/asf/trafficserver/commit/cad0e9b5
> Tree:
> http://git-wip-us.apache.org/repos/asf/trafficserver/tree/cad0e9b5
> Diff:
> http://git-wip-us.apache.org/repos/asf/trafficserver/diff/cad0e9b5
>
> Branch: refs/heads/master
> Commit: cad0e9b529337ee70b52235be9065e73820c157e
> Parents: f67290f
> Author: James Peach <jp...@apache.org>
> Authored: Wed Feb 29 22:11:40 2012 -0800
> Committer: James Peach <jp...@apache.org>
> Committed: Tue Mar 13 20:33:15 2012 -0700
>
> ----------------------------------------------------------------------
> build/crypto.m4 | 39
> +++++++++++++++++++++++++++++++++++++++
> configure.ac | 4 ++++
> lib/ts/ink_config.h.in | 1 +
> 3 files changed, 44 insertions(+), 0 deletions(-)
> ----------------------------------------------------------------------
>
>
> http://git-wip-us.apache.org/repos/asf/trafficserver/blob/cad0e9b5/build/crypto.m4
> ----------------------------------------------------------------------
> diff --git a/build/crypto.m4 b/build/crypto.m4
> index 5cdc80a..3cee32f 100644
> --- a/build/crypto.m4
> +++ b/build/crypto.m4
> @@ -124,3 +124,42 @@ AC_DEFUN([TS_CHECK_CRYPTO_NEXTPROTONEG], [
> TS_ARG_ENABLE_VAR([use], [tls-npn])
> AC_SUBST(use_tls_npn)
> ])
> +
> +AC_DEFUN([TS_CHECK_CRYPTO_SNI], [
> + _sni_saved_LIBS=$LIBS
> + enable_tls_sni=yes
> +
> + TS_ADDTO(LIBS, [$LIBSSL])
> + AC_CHECK_HEADERS(openssl/tls1.h openssl/ssl.h)
> + # We are looking for SSL_CTX_set_tlsext_servername_callback, but
> it's a
> + # macro, so AC_CHECK_FUNCS is not going to do the business.
> + AC_MSG_CHECKING([for SSL_CTX_set_tlsext_servername_callback])
> + AC_COMPILE_IFELSE(
> + [
> + AC_LANG_PROGRAM([[
> +#if HAVE_OPENSSL_SSL_H
> +#include <openssl/ssl.h>
> +#endif
> +#if HAVE_OPENSSL_TLS1_H
> +#include <openssl/tls1.h>
> +#endif
> + ]],
> + [[SSL_CTX_set_tlsext_servername_callback(NULL, NULL);]])
> + ],
> + [
> + AC_MSG_RESULT([yes])
> + ],
> + [
> + AC_MSG_RESULT([no])
> + enable_tls_sni=no
> + ])
> +
> + AC_CHECK_FUNCS(SSL_get_servername, [], [enable_tls_sni=no])
> +
> + LIBS=$_sni_saved_LIBS
> +
> + AC_MSG_CHECKING(whether to enable ServerNameIndication TLS
> extension support)
> + AC_MSG_RESULT([$enable_tls_sni])
> + TS_ARG_ENABLE_VAR([use], [tls-sni])
> + AC_SUBST(use_tls_sni)
> +])
This seems like overkill.
All you'd have to do is surround your changes in the code with
#ifndef OPENSSL_NO_TLSEXT
At least that's how httpd does it:
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?view=markup#l495
> http://git-wip-us.apache.org/repos/asf/trafficserver/blob/cad0e9b5/configure.ac
> ----------------------------------------------------------------------
> diff --git a/configure.ac b/configure.ac
> index 52e072f..9f849e7 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -845,6 +845,10 @@ fi
> TS_CHECK_CRYPTO_NEXTPROTONEG
>
> #
> +# Check for ServerNameIndication TLS extension support.
> +TS_CHECK_CRYPTO_SNI
> +
> +#
> # Check for zlib presence and usability
> TS_CHECK_ZLIB
>
>
> http://git-wip-us.apache.org/repos/asf/trafficserver/blob/cad0e9b5/lib/ts/ink_config.h.in
> ----------------------------------------------------------------------
> diff --git a/lib/ts/ink_config.h.in b/lib/ts/ink_config.h.in
> index 6d02b77..aa12b36 100644
> --- a/lib/ts/ink_config.h.in
> +++ b/lib/ts/ink_config.h.in
> @@ -114,6 +114,7 @@
> #define TS_USE_HWLOC @use_hwloc@
> #define TS_USE_FREELIST @use_freelist@
> #define TS_USE_TLS_NPN @use_tls_npn@
> +#define TS_USE_TLS_SNI @use_tls_sni@
>
> /* OS API definitions */
> #define GETHOSTBYNAME_R_HOSTENT_DATA
> @gethostbyname_r_hostent_data@
>
>
--
Igor Galić
Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/
GPG: 6880 4155 74BD FD7C B515 2EA5 4B1D 9E08 A097 C9AE