Posted to commits@trafficserver.apache.org by jp...@apache.org on 2013/07/25 00:13:17 UTC
git commit: TS-1993: looking for SSL certificate chain in the wrong place
Updated Branches:
refs/heads/master 9b021428c -> 848a13c7e
TS-1993: looking for SSL certificate chain in the wrong place
We should always look for server certificate chains relative to the
SSL certificate directory.
Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/848a13c7
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/848a13c7
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/848a13c7
Branch: refs/heads/master
Commit: 848a13c7e0c6de3168550b2cd4872aa0b24e5412
Parents: 9b02142
Author: James Peach <jp...@apache.org>
Authored: Mon Jul 22 11:52:59 2013 -0700
Committer: James Peach <jp...@apache.org>
Committed: Wed Jul 24 15:12:39 2013 -0700
----------------------------------------------------------------------
CHANGES | 2 ++
iocore/net/P_SSLConfig.h | 2 +-
iocore/net/SSLConfig.cc | 17 +++++++----------
iocore/net/SSLUtils.cc | 14 +++++++-------
4 files changed, 17 insertions(+), 18 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/848a13c7/CHANGES
----------------------------------------------------------------------
diff --git a/CHANGES b/CHANGES
index d38407e..0b03531 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,8 @@
Changes with Apache Traffic Server 3.3.5
+ *) [TS-1993] SSL certificate chains are loaded from the wrong directory.
+
*) [TS-2059] Remove dead code in EnvBlock.cc and processSpawn().
*) [TS-2057] Removed deprecated proxy port configuration values from records.config.
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/848a13c7/iocore/net/P_SSLConfig.h
----------------------------------------------------------------------
diff --git a/iocore/net/P_SSLConfig.h b/iocore/net/P_SSLConfig.h
index 4519e87..039cd7f 100644
--- a/iocore/net/P_SSLConfig.h
+++ b/iocore/net/P_SSLConfig.h
@@ -56,7 +56,7 @@ struct SSLConfigParams : public ConfigInfo
virtual ~SSLConfigParams();
char * serverCertPathOnly;
- char * serverCertChainPath;
+ char * serverCertChainFilename;
char * serverKeyPathOnly;
char * serverCACertFilename;
char * serverCACertPath;
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/848a13c7/iocore/net/SSLConfig.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
index 679b0f1..0a9a3b2 100644
--- a/iocore/net/SSLConfig.cc
+++ b/iocore/net/SSLConfig.cc
@@ -47,7 +47,7 @@ static ConfigUpdateHandler<SSLCertificateConfig> * sslCertUpdate;
SSLConfigParams::SSLConfigParams()
{
serverCertPathOnly =
- serverCertChainPath =
+ serverCertChainFilename =
configFilePath =
serverCACertFilename =
serverCACertPath =
@@ -73,7 +73,7 @@ SSLConfigParams::~SSLConfigParams()
void
SSLConfigParams::cleanup()
{
- ats_free_null(serverCertChainPath);
+ ats_free_null(serverCertChainFilename);
ats_free_null(serverCACertFilename);
ats_free_null(serverCACertPath);
ats_free_null(clientCertPath);
@@ -99,7 +99,7 @@ SSLConfigParams::cleanup()
static void
set_paths_helper(const char *path, const char *filename, char **final_path, char **final_filename)
{
- if (final_path != NULL) {
+ if (final_path) {
if (path && path[0] != '/') {
*final_path = Layout::get()->relative_to(Layout::get()->prefix, path);
} else if (!path || path[0] == '\0'){
@@ -118,7 +118,7 @@ set_paths_helper(const char *path, const char *filename, char **final_path, char
void
SSLConfigParams::initialize()
{
- char serverCertRelativePath[PATH_NAME_MAX] = "";
+ char *serverCertRelativePath = NULL;
char *ssl_server_private_key_path = NULL;
char *CACertRelativePath = NULL;
char *ssl_client_cert_filename = NULL;
@@ -162,13 +162,10 @@ SSLConfigParams::initialize()
#endif
}
- REC_ReadConfigString(serverCertRelativePath, "proxy.config.ssl.server.cert.path", PATH_NAME_MAX);
+ REC_ReadConfigStringAlloc(serverCertChainFilename, "proxy.config.ssl.server.cert_chain.filename");
+ REC_ReadConfigStringAlloc(serverCertRelativePath, "proxy.config.ssl.server.cert.path");
set_paths_helper(serverCertRelativePath, NULL, &serverCertPathOnly, NULL);
-
- char *cert_chain = NULL;
- REC_ReadConfigStringAlloc(cert_chain, "proxy.config.ssl.server.cert_chain.filename");
- set_paths_helper(serverCertRelativePath, cert_chain, NULL, &serverCertChainPath);
- ats_free(cert_chain);
+ ats_free(serverCertRelativePath);
REC_ReadConfigStringAlloc(multicert_config_file, "proxy.config.ssl.server.multicert.filename");
set_paths_helper(Layout::get()->sysconfdir, multicert_config_file, NULL, &configFilePath);
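Review bot: serverCertChainFilename is now handed straight to Layout::relative_to in SSLUtils.cc, where only a NULL value is filtered, so a record set to the empty string would resolve to the certificate directory itself and make the chain load fail; whether REC_ReadConfigStringAlloc yields NULL or "" for an unset record is not visible here. The removed code routed the value through set_paths_helper, whose final_path branch in the hunk above treats an absolute value specially, so configurations that gave an absolute cert_chain.filename may resolve differently after this change unless Layout::relative_to already handles that — worth confirming. A one-line guard after the read settles the empty case: `if (serverCertChainFilename && serverCertChainFilename[0] == '\0') ats_free_null(serverCertChainFilename);`. The same point applies to the serverCertChainFilename check in the SSLUtils.cc hunk. SSLConfigParams::initialize continues outside this hunk.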
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/848a13c7/iocore/net/SSLUtils.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index cf0bab1..4c8cf2e 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -317,19 +317,19 @@ SSLInitServerContext(
}
// First, load any CA chains from the global chain file.
- if (params->serverCertChainPath) {
- xptr<char> completeServerCaCertPath(Layout::relative_to(params->serverCACertPath, params->serverCertChainPath));
- if (!SSL_CTX_add_extra_chain_cert_file(ctx, completeServerCaCertPath)) {
- SSLError("failed to load global certificate chain from %s", (const char *)completeServerCaCertPath);
+ if (params->serverCertChainFilename) {
+ xptr<char> completeServerCertChainPath(Layout::relative_to(params->serverCertPathOnly, params->serverCertChainFilename));
+ if (!SSL_CTX_add_extra_chain_cert_file(ctx, completeServerCertChainPath)) {
+ SSLError("failed to load global certificate chain from %s", (const char *)completeServerCertChainPath);
goto fail;
}
}
// Now, load any additional certificate chains specified in this entry.
if (serverCaCertPtr) {
- xptr<char> completeServerCaCertPath(Layout::relative_to(params->serverCACertPath, serverCaCertPtr));
- if (!SSL_CTX_add_extra_chain_cert_file(ctx, completeServerCaCertPath)) {
- SSLError("failed to load certificate chain from %s", (const char *)completeServerCaCertPath);
+ xptr<char> completeServerCertChainPath(Layout::relative_to(params->serverCertPathOnly, serverCaCertPtr));
+ if (!SSL_CTX_add_extra_chain_cert_file(ctx, completeServerCertChainPath)) {
+ SSLError("failed to load certificate chain from %s", (const char *)completeServerCertChainPath);
goto fail;
}
}
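Review bot: The two load-and-fail blocks in this hunk are now identical apart from the filename they resolve, so the Layout::relative_to / SSL_CTX_add_extra_chain_cert_file / SSLError sequence could move into one static helper, leaving each call site a single condition. The comment on the first block still says "load any CA chains from the global chain file" although the file is now resolved against serverCertPathOnly rather than serverCACertPath; `// First, load the global server certificate chain, resolved relative to the server certificate directory.` matches the new code. Whether Layout::relative_to copes with a NULL or empty serverCertPathOnly cannot be seen here, and set_paths_helper in SSLConfig.cc does have an empty-path branch, so that case is worth confirming. SSLInitServerContext starts before and ends after this hunk.
```cpp
// Resolve `filename` against the server certificate directory and add it as an
// extra chain certificate. On failure log with `what` and return false.
static bool
ssl_add_chain_file(SSL_CTX *ctx, const SSLConfigParams *params, const char *filename, const char *what)
{
  xptr<char> completeServerCertChainPath(Layout::relative_to(params->serverCertPathOnly, filename));
  if (!SSL_CTX_add_extra_chain_cert_file(ctx, completeServerCertChainPath)) {
    SSLError("failed to load %s from %s", what, (const char *)completeServerCertChainPath);
    return false;
  }
  return true;
}

  // … unchanged: earlier part of SSLInitServerContext …
  // First, load the global server certificate chain, resolved relative to the server certificate directory.
  if (params->serverCertChainFilename && !ssl_add_chain_file(ctx, params, params->serverCertChainFilename, "global certificate chain")) {
    goto fail;
  }
  // Now, load any additional certificate chains specified in this entry.
  if (serverCaCertPtr && !ssl_add_chain_file(ctx, params, serverCaCertPtr, "certificate chain")) {
    goto fail;
  }
```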