Posted to commits@trafficserver.apache.org by jp...@apache.org on 2013/07/25 00:13:17 UTC

git commit: TS-1993: looking for SSL certificate chain in the wrong place

Updated Branches:
  refs/heads/master 9b021428c -> 848a13c7e


TS-1993: looking for SSL certificate chain in the wrong place

We should always look for server certificate chains relative to the
SSL certificate directory.


Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/848a13c7
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/848a13c7
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/848a13c7

Branch: refs/heads/master
Commit: 848a13c7e0c6de3168550b2cd4872aa0b24e5412
Parents: 9b02142
Author: James Peach <jp...@apache.org>
Authored: Mon Jul 22 11:52:59 2013 -0700
Committer: James Peach <jp...@apache.org>
Committed: Wed Jul 24 15:12:39 2013 -0700

----------------------------------------------------------------------
 CHANGES                  |  2 ++
 iocore/net/P_SSLConfig.h |  2 +-
 iocore/net/SSLConfig.cc  | 17 +++++++----------
 iocore/net/SSLUtils.cc   | 14 +++++++-------
 4 files changed, 17 insertions(+), 18 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/trafficserver/blob/848a13c7/CHANGES
----------------------------------------------------------------------
diff --git a/CHANGES b/CHANGES
index d38407e..0b03531 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,8 @@
 Changes with Apache Traffic Server 3.3.5
 
 
+  *) [TS-1993] SSL certificate chains are loaded from the wrong directory.
+
   *) [TS-2059] Remove dead code in EnvBlock.cc and processSpawn().
 
   *) [TS-2057] Removed deprecated proxy port configuration values from records.config.

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/848a13c7/iocore/net/P_SSLConfig.h
----------------------------------------------------------------------
diff --git a/iocore/net/P_SSLConfig.h b/iocore/net/P_SSLConfig.h
index 4519e87..039cd7f 100644
--- a/iocore/net/P_SSLConfig.h
+++ b/iocore/net/P_SSLConfig.h
@@ -56,7 +56,7 @@ struct SSLConfigParams : public ConfigInfo
   virtual ~SSLConfigParams();
 
   char *  serverCertPathOnly;
-  char *  serverCertChainPath;
+  char *  serverCertChainFilename;
   char *  serverKeyPathOnly;
   char *  serverCACertFilename;
   char *  serverCACertPath;

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/848a13c7/iocore/net/SSLConfig.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
index 679b0f1..0a9a3b2 100644
--- a/iocore/net/SSLConfig.cc
+++ b/iocore/net/SSLConfig.cc
@@ -47,7 +47,7 @@ static ConfigUpdateHandler<SSLCertificateConfig> * sslCertUpdate;
 SSLConfigParams::SSLConfigParams()
 {
   serverCertPathOnly =
-    serverCertChainPath =
+    serverCertChainFilename =
     configFilePath =
     serverCACertFilename =
     serverCACertPath =
@@ -73,7 +73,7 @@ SSLConfigParams::~SSLConfigParams()
 void
 SSLConfigParams::cleanup()
 {
-  ats_free_null(serverCertChainPath);
+  ats_free_null(serverCertChainFilename);
   ats_free_null(serverCACertFilename);
   ats_free_null(serverCACertPath);
   ats_free_null(clientCertPath);
@@ -99,7 +99,7 @@ SSLConfigParams::cleanup()
 static void
 set_paths_helper(const char *path, const char *filename, char **final_path, char **final_filename)
 {
-  if (final_path != NULL) {
+  if (final_path) {
     if (path && path[0] != '/') {
       *final_path = Layout::get()->relative_to(Layout::get()->prefix, path);
     } else if (!path || path[0] == '\0'){
@@ -118,7 +118,7 @@ set_paths_helper(const char *path, const char *filename, char **final_path, char
 void
 SSLConfigParams::initialize()
 {
-  char serverCertRelativePath[PATH_NAME_MAX] = "";
+  char *serverCertRelativePath = NULL;
   char *ssl_server_private_key_path = NULL;
   char *CACertRelativePath = NULL;
   char *ssl_client_cert_filename = NULL;
@@ -162,13 +162,10 @@ SSLConfigParams::initialize()
 #endif
   }
 
-  REC_ReadConfigString(serverCertRelativePath, "proxy.config.ssl.server.cert.path", PATH_NAME_MAX);
+  REC_ReadConfigStringAlloc(serverCertChainFilename, "proxy.config.ssl.server.cert_chain.filename");
+  REC_ReadConfigStringAlloc(serverCertRelativePath, "proxy.config.ssl.server.cert.path");
   set_paths_helper(serverCertRelativePath, NULL, &serverCertPathOnly, NULL);
-
-  char *cert_chain = NULL;
-  REC_ReadConfigStringAlloc(cert_chain, "proxy.config.ssl.server.cert_chain.filename");
-  set_paths_helper(serverCertRelativePath, cert_chain, NULL, &serverCertChainPath);
-  ats_free(cert_chain);
+  ats_free(serverCertRelativePath);
 
   REC_ReadConfigStringAlloc(multicert_config_file, "proxy.config.ssl.server.multicert.filename");
   set_paths_helper(Layout::get()->sysconfdir, multicert_config_file, NULL, &configFilePath);
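Review bot: `serverCertChainFilename` is now stored exactly as read from `proxy.config.ssl.server.cert_chain.filename` and no longer goes through `set_paths_helper`, so any normalization that helper applied to the filename argument is gone, and an absolute value is now handled solely by how `Layout::relative_to` treats an absolute second argument at the call site in SSLUtils.cc, which this diff does not show. If that function simply joins the two strings, an absolute chain filename that worked before would silently resolve under the certificate directory and either fail to load or pick up a different file, so this is worth confirming against `Layout::relative_to`. A comment above the new read would make the contract visible, e.g. `// Stored unresolved; SSLInitServerContext joins it with serverCertPathOnly at load time.` The new `ats_free(serverCertRelativePath)` looks correct given that `set_paths_helper` produces a fresh string via `relative_to` rather than keeping the pointer. `SSLConfigParams::initialize()` continues outside the hunk.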

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/848a13c7/iocore/net/SSLUtils.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index cf0bab1..4c8cf2e 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -317,19 +317,19 @@ SSLInitServerContext(
   }
 
   // First, load any CA chains from the global chain file.
-  if (params->serverCertChainPath) {
-    xptr<char> completeServerCaCertPath(Layout::relative_to(params->serverCACertPath, params->serverCertChainPath));
-    if (!SSL_CTX_add_extra_chain_cert_file(ctx, completeServerCaCertPath)) {
-      SSLError("failed to load global certificate chain from %s", (const char *)completeServerCaCertPath);
+  if (params->serverCertChainFilename) {
+    xptr<char> completeServerCertChainPath(Layout::relative_to(params->serverCertPathOnly, params->serverCertChainFilename));
+    if (!SSL_CTX_add_extra_chain_cert_file(ctx, completeServerCertChainPath)) {
+      SSLError("failed to load global certificate chain from %s", (const char *)completeServerCertChainPath);
       goto fail;
     }
   }
 
   // Now, load any additional certificate chains specified in this entry.
   if (serverCaCertPtr) {
-    xptr<char> completeServerCaCertPath(Layout::relative_to(params->serverCACertPath, serverCaCertPtr));
-    if (!SSL_CTX_add_extra_chain_cert_file(ctx, completeServerCaCertPath)) {
-      SSLError("failed to load certificate chain from %s", (const char *)completeServerCaCertPath);
+    xptr<char> completeServerCertChainPath(Layout::relative_to(params->serverCertPathOnly, serverCaCertPtr));
+    if (!SSL_CTX_add_extra_chain_cert_file(ctx, completeServerCertChainPath)) {
+      SSLError("failed to load certificate chain from %s", (const char *)completeServerCertChainPath);
       goto fail;
     }
   }
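Review bot: Both chain loads now resolve against `serverCertPathOnly`, but the comments at the top of each block still read "global chain file" and "additional certificate chains specified in this entry" with no mention that the base directory is now the server certificate directory rather than the CA directory, so a reader tracing a chain-load failure cannot tell from the code which directory was searched. Suggest amending the first comment to `// First, load any CA chains from the global chain file, resolved relative to the server certificate directory (proxy.config.ssl.server.cert.path).` and adding the same base-directory note to the second. The `SSLError` calls already print the fully resolved path, which is enough for runtime diagnosis, so only the source-level documentation is missing. The two blocks are otherwise identical apart from the filename source, which is a candidate for a small helper, but that is a style preference rather than a defect. `SSLInitServerContext` begins before the hunk.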