Posted to commits@trafficserver.apache.org by zw...@apache.org on 2017/03/15 15:09:14 UTC

[trafficserver] branch 7.1.x updated: client cert should be added to netvcoptions only when needed

This is an automated email from the ASF dual-hosted git repository.

zwoop pushed a commit to branch 7.1.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git

The following commit(s) were added to refs/heads/7.1.x by this push:
       new  3496333   client cert should be added to netvcoptions only when needed
3496333 is described below

commit 34963335f199cb6868affb6e1a23d486947fde14
Author: Persia Aziz <pe...@yahoo-inc.com>
AuthorDate: Mon Feb 27 12:41:25 2017 -0600

    client cert should be added to netvcoptions only when needed
    
    (cherry picked from commit a37401bda5cfad8ce90477f1875754aeab172522)
---
 proxy/http/HttpSM.cc | 28 ++++++++++++----------------
 1 file changed, 12 insertions(+), 16 deletions(-)

diff --git a/proxy/http/HttpSM.cc b/proxy/http/HttpSM.cc
index de4b87b..c74d888 100644
--- a/proxy/http/HttpSM.cc
+++ b/proxy/http/HttpSM.cc
@@ -4020,7 +4020,6 @@ HttpSM::do_remap_request(bool run_inline)
 {
   DebugSM("http_seq", "[HttpSM::do_remap_request] Remapping request");
   DebugSM("url_rewrite", "Starting a possible remapping for request [%" PRId64 "]", sm_id);
-  SSLConfig::scoped_config params;
   bool ret = false;
   if (t_state.cop_test_page == false) {
     ret = remapProcessor.setup_for_remap(&t_state);
@@ -4061,20 +4060,6 @@ HttpSM::do_remap_request(bool run_inline)
     pending_action = remap_action_handle;
   }
 
-  // check if the overridden client cert filename is already attached to an existing ssl context
-  if (t_state.txn_conf->client_cert_filepath && t_state.txn_conf->client_cert_filename) {
-    ats_scoped_str clientCert(Layout::relative_to(t_state.txn_conf->client_cert_filepath, t_state.txn_conf->client_cert_filename));
-    if (clientCert != nullptr) {
-      auto tCTX = params->getCTX(clientCert);
-
-      if (tCTX == nullptr) {
-        // make new client ctx and add it to the ctx list
-        auto tctx = params->getNewCTX(clientCert);
-        params->InsertCTX(clientCert, tctx);
-      }
-    }
-  }
-
   return;
 }
 
@@ -5049,10 +5034,21 @@ HttpSM::do_http_server_open(bool raw)
     if (host && len > 0) {
       opt.set_sni_servername(host, len);
     }
+
+    SSLConfig::scoped_config params;
+    // check if the overridden client cert filename is already attached to an existing ssl context
     if (t_state.txn_conf->client_cert_filepath && t_state.txn_conf->client_cert_filename) {
       ats_scoped_str clientCert(
-        (Layout::relative_to(t_state.txn_conf->client_cert_filepath, t_state.txn_conf->client_cert_filename)));
+        Layout::relative_to(t_state.txn_conf->client_cert_filepath, t_state.txn_conf->client_cert_filename));
       if (clientCert != nullptr) {
+        auto tCTX = params->getCTX(clientCert);
+
+        if (tCTX == nullptr) {
+          // make new client ctx and add it to the ctx list
+          Debug("ssl", "adding new cert for client cert %s", (char *)clientCert);
+          auto tctx = params->getNewCTX(clientCert);
+          params->InsertCTX(clientCert, tctx);
+        }
         opt.set_client_certname(clientCert);
       }
     }
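Review bot: The value returned by `params->getNewCTX(clientCert)` goes straight into `InsertCTX` with no null check. If the certificate file is missing or unreadable (inferred, since getNewCTX's body is not visible here), a null context could be cached under that name while `opt.set_client_certname(clientCert)` still runs, and the origin connection may then go out without the client certificate the operator configured. Guard it, for example `if (tctx != nullptr) { params->InsertCTX(clientCert, tctx); } else { Error("failed to load client cert %s", (char *)clientCert); }`, and decide explicitly whether the connection should fail closed in that case. The `getCTX` / `InsertCTX` pair is also a check-then-insert that concurrent transactions can reach for the same file, so confirm that InsertCTX serializes access and tolerates a duplicate key. Separately, `SSLConfig::scoped_config params;` could move inside the `if` so the config is only acquired when an override is set; do_http_server_open starts and ends outside this hunk.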
