Posted to commits@trafficserver.apache.org by ig...@apache.org on 2012/10/17 13:09:27 UTC

git commit: TS-1536: SNI support breaks IP-based lookup

Updated Branches:
  refs/heads/3.2.x 2b805c173 -> d8212abfe


TS-1536: SNI support breaks IP-based lookup

The OpenSSL SNI callback will revert to the default context if the
name-based lookup fails even if we already did a successful
address-based context lookup. In this case, we clobber the address-based
context with a default context.

review/test: jpeach, igalic, oschaaf
backport: igalic


Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/d8212abf
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/d8212abf
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/d8212abf

Branch: refs/heads/3.2.x
Commit: d8212abfed857582944e9a626801acfe9b59366f
Parents: 2b805c1
Author: James Peach <jp...@apache.org>
Authored: Sat Oct 13 21:44:21 2012 -0700
Committer: Igor Galić <i....@brainsware.org>
Committed: Wed Oct 17 13:08:26 2012 +0200

----------------------------------------------------------------------
 CHANGES                         |    2 +-
 iocore/net/SSLCertLookup.cc     |   10 ++++------
 iocore/net/SSLNetVConnection.cc |    1 +
 3 files changed, 6 insertions(+), 7 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/trafficserver/blob/d8212abf/CHANGES
----------------------------------------------------------------------
diff --git a/CHANGES b/CHANGES
index c045145..ce545b8 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,7 +1,7 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache Traffic Server 3.2.3
 
-  *) [TS-1524] fix signed/unsigned compilation issues in Vec
+  *) [TS-1536] SNI support breaks IP-based lookup
 
   *) [TS-1523] High CPU on *BSD
 

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/d8212abf/iocore/net/SSLCertLookup.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLCertLookup.cc b/iocore/net/SSLCertLookup.cc
index bce1124..021e1a5 100644
--- a/iocore/net/SSLCertLookup.cc
+++ b/iocore/net/SSLCertLookup.cc
@@ -56,20 +56,17 @@ ssl_servername_callback(SSL * ssl, int * ad, void * arg)
 
   Debug("ssl", "ssl=%p ad=%d lookup=%p server=%s", ssl, *ad, lookup, servername);
 
+  // The incoming SSL_CTX is either the one mapped from the inbound IP address or the default one. If we don't find a
+  // name-based match at this point, we *do not* want to mess with the context because we've already made a best effort
+  // to find the best match.
   if (likely(servername)) {
     ctx = lookup->findInfoInHash((char *)servername);
   }
 
-  if (ctx == NULL) {
-    ctx = lookup->defaultContext();
-  }
-
   if (ctx != NULL) {
     SSL_set_SSL_CTX(ssl, ctx);
   }
 
-  // At this point, we might have updated ctx based on the SNI lookup, or we might still have the
-  // original SSL context that we set when we accepted the connection.
   ctx = SSL_get_SSL_CTX(ssl);
   Debug("ssl", "found SSL context %p for requested name '%s'", ctx, servername);
 
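Review bot: With the default-context fallback removed, the `if (ctx != NULL)` guard in front of `SSL_set_SSL_CTX` is only sound if `ctx` is initialised to NULL where it is declared above the hunk: when the ClientHello carries no SNI extension `servername` is NULL, the `likely(servername)` branch is skipped and `ctx` keeps whatever value it was declared with, so an uninitialised declaration would hand an indeterminate pointer to OpenSSL — the declaration is not visible here, so this is worth confirming. The new comment could also state the consequence of not touching the context: a client name that matches nothing keeps the IP-mapped (or default) certificate chosen at accept time, which is the intended TS-1536 behaviour. One caveat a maintainer will want next to that comment: in the OpenSSL 1.0.1-era releases this 3.2.x branch targets, `SSL_set_SSL_CTX` swaps only the certificate/key and the context pointer, not the verify mode, verify callback or session-id context, so per-name contexts that differ in those settings do not take effect through this path, e.g. `// NOTE: SSL_set_SSL_CTX switches only the certificate; verify/session-id settings stay with the accept-time context`. ssl_servername_callback begins before and continues past this hunk.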
@@ -549,6 +546,7 @@ SSLContextStorage::insert(SSL_CTX * ctx, const char * name)
     Debug("ssl", "indexed wildcard certificate for '%s' as '%s' with SSL_CTX %p", name, reversed, ctx);
     return this->wildcards.Insert(reversed, new SslEntry(ctx), 0 /* rank */, -1 /* keylen */);
   } else {
+    Debug("ssl", "indexed '%s' with SSL_CTX %p", name, ctx);
     ink_hash_table_insert(this->hostnames, name, (void *)ctx);
   }
 

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/d8212abf/iocore/net/SSLNetVConnection.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index 1df458e..201e346 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
@@ -454,6 +454,7 @@ SSLNetVConnection::sslStartHandShake(int event, int &err)
       safe_getsockname(get_socket(), &ip.sa, &namelen);
       ats_ip_ntop(&ip.sa, buff, sizeof(buff));
       ctx = sslCertLookup.findInfoInHash(buff);
+      Debug("ssl", "IP context is %p, default context %p", ctx, sslCertLookup.defaultContext());
       if (ctx == NULL) {
         ctx = sslCertLookup.defaultContext();
       }
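Review bot: The added Debug line prints the context chosen for the inbound address but not the address the lookup just ran on, which is the key TS-1536 is about; `Debug("ssl", "IP context for %s is %p, default context %p", buff, ctx, sslCertLookup.defaultContext());` would make the trace self-contained. Separately, the return value of `safe_getsockname` two lines above is not checked, so on failure `ip` and therefore `buff` may be formatted from indeterminate data before the hash lookup; the lookup would presumably miss and the default context be used, which is the safe outcome, but the new trace would then report a bogus address — if `safe_getsockname` follows the usual negative-on-error convention, skipping the lookup when it fails is a cheap guard. sslStartHandShake begins before and continues past this hunk.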