Posted to commits@trafficserver.apache.org by pa...@apache.org on 2017/05/22 13:56:18 UTC
[trafficserver] branch master updated: Issue_1943: get rid of
ticket_key_name tag from ssl_multicert
This is an automated email from the ASF dual-hosted git repository.
paziz pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new ec7be29 Issue_1943: get rid of ticket_key_name tag from ssl_multicert
ec7be29 is described below
commit ec7be2916892492fa5ebfdec2de2bae9b2bf428b
Author: Persia Aziz <pe...@yahoo-inc.com>
AuthorDate: Fri May 19 15:08:49 2017 -0500
Issue_1943: get rid of ticket_key_name tag from ssl_multicert
---
doc/admin-guide/files/ssl_multicert.config.en.rst | 16 ++--------------
iocore/net/SSLUtils.cc | 15 ++-------------
2 files changed, 4 insertions(+), 27 deletions(-)
diff --git a/doc/admin-guide/files/ssl_multicert.config.en.rst b/doc/admin-guide/files/ssl_multicert.config.en.rst
index 25bab6e..e8112a7 100644
--- a/doc/admin-guide/files/ssl_multicert.config.en.rst
+++ b/doc/admin-guide/files/ssl_multicert.config.en.rst
@@ -98,20 +98,8 @@ ssl_ticket_enabled=1|0 (optional)
OpenSSL should be upgraded to version 0.9.8f or higher. This
option must be set to `0` to disable session ticket support.
-ticket_key_name=FILENAME (optional)
- The name of session ticket key file which contains a secret for
- encrypting and decrypting TLS session tickets. If *FILENAME* is
- not an absolute path, it is resolved relative to the
- :ts:cv:`proxy.config.ssl.server.cert.path` configuration variable.
- This option has no effect if session tickets are disabled by the
- ``ssl_ticket_enabled`` option. The contents of the key file should
- be 48 random (ASCII) bytes. One way to generate this would be to run
- ``head -c48 /dev/urandom | openssl enc -base64 | head -c48 > file.ticket``.
-
- Session ticket support is enabled by default. If neither of the
- ``ssl_ticket_enabled`` and ``ticket_key_name`` options are
- specified, and internal session ticket key is generated. This
- key will be different each time Traffic Server is started.
+ticket_key_name=FILENAME (optional) [**REMOVED in 7.1.x and 8.0**]
+ Ticket key should be set in records.config via :ts:cv:`proxy.config.ssl.server.ticket_key.filename`
ssl_key_dialog=builtin|"exec:/path/to/program [args]" (optional)
Method used to provide a pass phrase for encrypted private keys. If the
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 8619b8e..ef20872 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -67,7 +67,6 @@
#define SSL_ACTION_TAG "action"
#define SSL_ACTION_TUNNEL_TAG "tunnel"
#define SSL_SESSION_TICKET_ENABLED "ssl_ticket_enabled"
-#define SSL_SESSION_TICKET_KEY_FILE_TAG "ticket_key_name"
#define SSL_KEY_DIALOG "ssl_key_dialog"
#define SSL_CERT_SEPARATE_DELIM ','
@@ -100,8 +99,6 @@ struct ssl_user_config {
ssl_user_config() : opt(SSLCertContext::OPT_NONE)
{
REC_ReadConfigInt32(session_ticket_enabled, "proxy.config.ssl.server.session_ticket.enable");
- REC_ReadConfigStringAlloc(ticket_key_filename, "proxy.config.ssl.server.ticket_key.filename");
- Debug("ssl", "ticket key filename %s", (const char *)ticket_key_filename);
}
int session_ticket_enabled;
@@ -110,7 +107,6 @@ struct ssl_user_config {
ats_scoped_str first_cert;
ats_scoped_str ca;
ats_scoped_str key;
- ats_scoped_str ticket_key_filename;
ats_scoped_str dialog;
SSLCertContext::Option opt;
};
@@ -1810,11 +1806,8 @@ ssl_store_ssl_context(const SSLConfigParams *params, SSLCertLookup *lookup, cons
}
}
- // Load the session ticket key if session tickets are not disabled and we have key name.
- if (sslMultCertSettings->session_ticket_enabled != 0 && sslMultCertSettings->ticket_key_filename) {
- ats_scoped_str ticket_key_path(Layout::relative_to(params->serverCertPathOnly, sslMultCertSettings->ticket_key_filename));
- keyblock = ssl_context_enable_tickets(ctx, ticket_key_path);
- } else if (sslMultCertSettings->session_ticket_enabled != 0) {
+ // Load the session ticket key if session tickets are not disabled
+ if (sslMultCertSettings->session_ticket_enabled != 0) {
keyblock = ssl_context_enable_tickets(ctx, nullptr);
}
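Review bot: The new branch at `keyblock = ssl_context_enable_tickets(ctx, nullptr);` always passes a null key path, and nothing in this diff shows where `proxy.config.ssl.server.ticket_key.filename` — the record the doc hunk now points operators to, and whose per-cert read was deleted in the constructor hunk above — is consumed instead; presumably `ssl_context_enable_tickets` falls back to a key held in `params` or a global, but that should be confirmed, because the previously documented null-path behaviour was a fresh per-process key, which breaks ticket resumption across a multi-instance deployment and is never rotated. An operator who still has `ticket_key_name=` in ssl_multicert.config now has that line silently ignored by the parser, so the shared key they expect to be in use is not; emitting a warning when the obsolete tag is parsed, pointing at the records.config setting, would make that regression visible at startup rather than as a silent drop in resumption rate. I would also replace the comment above the branch with `// NOTE(review): null key path — confirm ssl_context_enable_tickets picks up proxy.config.ssl.server.ticket_key.filename rather than generating a per-process key`. ssl_store_ssl_context begins and ends outside this hunk.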
@@ -1936,10 +1929,6 @@ ssl_extract_certificate(const matcher_line *line_info, ssl_user_config &sslMultC
sslMultCertSettings.session_ticket_enabled = atoi(value);
}
- if (strcasecmp(label, SSL_SESSION_TICKET_KEY_FILE_TAG) == 0) {
- sslMultCertSettings.ticket_key_filename = ats_strdup(value);
- }
-
if (strcasecmp(label, SSL_KEY_DIALOG) == 0) {
sslMultCertSettings.dialog = ats_strdup(value);
}
--