Posted to commits@trafficserver.apache.org by ma...@apache.org on 2018/07/04 01:23:20 UTC

[trafficserver] branch master updated (be5d692 -> 4d83742)

This is an automated email from the ASF dual-hosted git repository.

maskit pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git.


    from be5d692  Converts remaining source files to #pragma once
     new d517394  Cleans up logging around OCSP
     new 4d83742  Fixes detection of OpenSSL's OCSP APIs

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 build/crypto.m4               | 15 +++++++++++++++
 configure.ac                  |  3 +++
 iocore/net/OCSPStapling.cc    |  8 ++++----
 iocore/net/P_OCSPStapling.h   |  9 ++++-----
 iocore/net/SSLNetProcessor.cc |  9 +++++----
 iocore/net/SSLUtils.cc        | 26 +++++++++++++-------------
 lib/ts/ink_config.h.in        |  1 +
 src/traffic_layout/info.cc    |  1 +
 src/traffic_server/InkAPI.cc  |  4 ++--
 9 files changed, 48 insertions(+), 28 deletions(-)


[trafficserver] 02/02: Fixes detection of OpenSSL's OCSP APIs

Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

maskit pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git

commit 4d83742716693181fff2664facba2a3cab57218b
Author: Randall Meyer <ra...@yahoo.com>
AuthorDate: Mon Jul 2 11:54:46 2018 -0700

    Fixes detection of OpenSSL's OCSP APIs
    
    OCSP_sendreq_new is a function, not a macro, so the `#ifdef OCSP_sendreq_new`
    test never matched and stapling was silently compiled out. Perform
    configure-time checks for the OCSP-related functions instead.
    
    This was broken with e80389f9e0120ced282d459f81e843c8f2fda71d
---
 build/crypto.m4               | 15 +++++++++++++++
 configure.ac                  |  3 +++
 iocore/net/OCSPStapling.cc    |  4 ++--
 iocore/net/P_OCSPStapling.h   |  9 ++++-----
 iocore/net/SSLNetProcessor.cc |  9 +++++----
 iocore/net/SSLUtils.cc        | 12 ++++++------
 lib/ts/ink_config.h.in        |  1 +
 src/traffic_layout/info.cc    |  1 +
 src/traffic_server/InkAPI.cc  |  2 +-
 9 files changed, 38 insertions(+), 18 deletions(-)

diff --git a/build/crypto.m4 b/build/crypto.m4
index a8ae5aa..cbb1b53 100644
--- a/build/crypto.m4
+++ b/build/crypto.m4
@@ -211,3 +211,18 @@ AC_DEFUN([TS_CHECK_CRYPTO_DH_GET_2048_256], [
   TS_ARG_ENABLE_VAR([use], [dh_get_2048_256])
   AC_SUBST(use_dh_get_2048_256)
 ])
+
+AC_DEFUN([TS_CHECK_CRYPTO_OCSP], [
+  _ocsp_saved_LIBS=$LIBS
+
+  TS_ADDTO(LIBS, [$OPENSSL_LIBS])
+  AC_CHECK_HEADERS(openssl/ocsp.h)
+  AC_CHECK_FUNCS(OCSP_sendreq_new OCSP_REQ_CTX_add1_header OCSP_REQ_CTX_set1_req, [enable_tls_ocsp=yes], [enable_tls_ocsp=no])
+
+  LIBS=$_ocsp_saved_LIBS
+
+  AC_MSG_CHECKING(whether OCSP is supported)
+  AC_MSG_RESULT([$enable_tls_ocsp])
+  TS_ARG_ENABLE_VAR([use], [tls-ocsp])
+  AC_SUBST(use_tls_ocsp)
+])
diff --git a/configure.ac b/configure.ac
index b51c3e9..201c33d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1184,6 +1184,9 @@ TS_CHECK_CRYPTO_SET_RBIO
 # Check for DH_get_2048_256
 TS_CHECK_CRYPTO_DH_GET_2048_256
 
+# Check for OCSP
+TS_CHECK_CRYPTO_OCSP
+
 saved_LIBS="$LIBS"
 TS_ADDTO([LIBS], ["$OPENSSL_LIBS"])
 
diff --git a/iocore/net/OCSPStapling.cc b/iocore/net/OCSPStapling.cc
index 7f95137..56ea7c8 100644
--- a/iocore/net/OCSPStapling.cc
+++ b/iocore/net/OCSPStapling.cc
@@ -20,7 +20,7 @@
  */
 
 #include "P_OCSPStapling.h"
-#ifdef HAVE_OPENSSL_OCSP_STAPLING
+#ifdef TS_USE_TLS_OCSP
 
 #include <openssl/ssl.h>
 #include <openssl/ocsp.h>
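Review bot: The `#ifdef TS_USE_TLS_OCSP` guard three lines up is always true once `P_OCSPStapling.h` (included just above it) pulls in `ts/ink_config.h`, because this commit defines `TS_USE_TLS_OCSP` unconditionally as `@use_tls_ocsp@`, which, judging by the neighbouring `TS_USE_*` macros and the `#if TS_USE_TLS_OCSP` test the header itself uses, expands to 0 or 1 rather than being left undefined. On an OpenSSL without the OCSP functions the whole file is therefore still compiled and fails on the missing API, defeating the configure-time detection. Change the guard to `#if TS_USE_TLS_OCSP` to match the header; the matching `#endif` is in the next hunk.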
@@ -474,4 +474,4 @@ ssl_callback_ocsp_stapling(SSL *ssl)
   }
 }
 
-#endif /* HAVE_OPENSSL_OCSP_STAPLING */
+#endif /* TS_USE_TLS_OCSP */
diff --git a/iocore/net/P_OCSPStapling.h b/iocore/net/P_OCSPStapling.h
index 007cc91..fc303c9 100644
--- a/iocore/net/P_OCSPStapling.h
+++ b/iocore/net/P_OCSPStapling.h
@@ -21,13 +21,12 @@
 
 #pragma once
 
-#include <openssl/ssl.h>
+#include "ts/ink_config.h"
 
-#ifdef OCSP_sendreq_new
-#define HAVE_OPENSSL_OCSP_STAPLING 1
-#endif
+#if TS_USE_TLS_OCSP
+#include <openssl/ssl.h>
+#include <openssl/ocsp.h>
 
-#ifdef HAVE_OPENSSL_OCSP_STAPLING
 void ssl_stapling_ex_init();
 bool ssl_stapling_init_cert(SSL_CTX *ctx, X509 *cert, const char *certname);
 void ocsp_update();
diff --git a/iocore/net/SSLNetProcessor.cc b/iocore/net/SSLNetProcessor.cc
index 5273110..c56c1d9 100644
--- a/iocore/net/SSLNetProcessor.cc
+++ b/iocore/net/SSLNetProcessor.cc
@@ -35,7 +35,8 @@
 SSLNetProcessor ssl_NetProcessor;
 NetProcessor &sslNetProcessor = ssl_NetProcessor;
 SNIActionPerformer sni_action_performer;
-#ifdef HAVE_OPENSSL_OCSP_STAPLING
+
+#ifdef TS_USE_TLS_OCSP
 struct OCSPContinuation : public Continuation {
   int
   mainEvent(int /* event ATS_UNUSED */, Event * /* e ATS_UNUSED */)
@@ -47,7 +48,7 @@ struct OCSPContinuation : public Continuation {
 
   OCSPContinuation() : Continuation(new_ProxyMutex()) { SET_HANDLER(&OCSPContinuation::mainEvent); }
 };
-#endif /* HAVE_OPENSSL_OCSP_STAPLING */
+#endif /* TS_USE_TLS_OCSP */
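Review bot: `#ifdef TS_USE_TLS_OCSP` on the line that opens this block does not track the configure result: `TS_USE_TLS_OCSP` is defined with a value in `ink_config.h.in` in this same commit, so the test is true whenever that header is (transitively) included and false only when it is not — neither case depends on whether OCSP was detected. Use `#if TS_USE_TLS_OCSP` here and on the `start()` guard in the following hunk, as `P_OCSPStapling.h` already does. I cannot see this file's include list, so I am assuming `ink_config.h` reaches it via the usual `P_Net.h`-style headers.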
 
 void
 SSLNetProcessor::cleanup()
@@ -74,12 +75,12 @@ SSLNetProcessor::start(int, size_t stacksize)
   // Initialize SSL statistics. This depends on an initial set of certificates being loaded above.
   SSLInitializeStatistics();
 
-#ifdef HAVE_OPENSSL_OCSP_STAPLING
+#ifdef TS_USE_TLS_OCSP
   if (SSLConfigParams::ssl_ocsp_enabled) {
     EventType ET_OCSP = eventProcessor.spawn_event_threads("ET_OCSP", 1, stacksize);
     eventProcessor.schedule_every(new OCSPContinuation(), HRTIME_SECONDS(SSLConfigParams::ssl_ocsp_update_period), ET_OCSP);
   }
-#endif /* HAVE_OPENSSL_OCSP_STAPLING */
+#endif /* TS_USE_TLS_OCSP */
 
   // We have removed the difference between ET_SSL threads and ET_NET threads,
   // So just keep on chugging
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index bc9641a..93d7fb3 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -950,9 +950,9 @@ SSLInitializeLibrary()
   }
 #endif
 
-#ifdef HAVE_OPENSSL_OCSP_STAPLING
+#ifdef TS_USE_TLS_OCSP
   ssl_stapling_ex_init();
-#endif /* HAVE_OPENSSL_OCSP_STAPLING */
+#endif /* TS_USE_TLS_OCSP */
 
   // Reserve an application data index so that we can attach
   // the SSLNetVConnection to the SSL session.
@@ -1860,7 +1860,7 @@ SSLInitServerContext(const SSLConfigParams *params, const ssl_user_config *sslMu
   SSL_CTX_set_alpn_select_cb(ctx, SSLNetVConnection::select_next_protocol, nullptr);
 #endif /* TS_USE_TLS_ALPN */
 
-#ifdef HAVE_OPENSSL_OCSP_STAPLING
+#ifdef TS_USE_TLS_OCSP
   if (SSLConfigParams::ssl_ocsp_enabled) {
     Debug("ssl", "SSL OCSP Stapling is enabled");
     SSL_CTX_set_tlsext_status_cb(ctx, ssl_callback_ocsp_stapling);
@@ -1871,7 +1871,7 @@ SSLInitServerContext(const SSLConfigParams *params, const ssl_user_config *sslMu
   if (SSLConfigParams::ssl_ocsp_enabled) {
     Warning("failed to enable SSL OCSP Stapling; this version of OpenSSL does not support it");
   }
-#endif /* HAVE_OPENSSL_OCSP_STAPLING */
+#endif /* TS_USE_TLS_OCSP */
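Review bot: Because `TS_USE_TLS_OCSP` is now always defined (to `@use_tls_ocsp@`, a 0/1 value by the look of the sibling `TS_USE_*` macros and the `#if` form used in `P_OCSPStapling.h`), the `#ifdef TS_USE_TLS_OCSP` guard above makes the `#else` branch, and with it the `Warning("failed to enable SSL OCSP Stapling; ...")` an operator relies on when they turn stapling on against an OpenSSL without OCSP, unreachable; instead `ssl_callback_ocsp_stapling` is referenced and the build fails. Switch to `#if TS_USE_TLS_OCSP` here and in the other two `SSLUtils.cc` hunks. `SSLInitServerContext` starts before this hunk.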
 
   if (SSLConfigParams::init_ssl_ctx_cb) {
     SSLConfigParams::init_ssl_ctx_cb(ctx, true);
@@ -1966,7 +1966,7 @@ ssl_store_ssl_context(const SSLConfigParams *params, SSLCertLookup *lookup, cons
   }
 #endif
 
-#ifdef HAVE_OPENSSL_OCSP_STAPLING
+#ifdef TS_USE_TLS_OCSP
   if (SSLConfigParams::ssl_ocsp_enabled) {
     Debug("ssl", "SSL OCSP Stapling is enabled");
     SSL_CTX_set_tlsext_status_cb(ctx, ssl_callback_ocsp_stapling);
@@ -1982,7 +1982,7 @@ ssl_store_ssl_context(const SSLConfigParams *params, SSLCertLookup *lookup, cons
   if (SSLConfigParams::ssl_ocsp_enabled) {
     Warning("failed to enable SSL OCSP Stapling; this version of OpenSSL does not support it");
   }
-#endif /* HAVE_OPENSSL_OCSP_STAPLING */
+#endif /* TS_USE_TLS_OCSP */
 
   // Insert additional mappings. Note that this maps multiple keys to the same value, so when
   // this code is updated to reconfigure the SSL certificates, it will need some sort of
diff --git a/lib/ts/ink_config.h.in b/lib/ts/ink_config.h.in
index 664bd3b..f4b491b 100644
--- a/lib/ts/ink_config.h.in
+++ b/lib/ts/ink_config.h.in
@@ -79,6 +79,7 @@
 #define TS_USE_LINUX_NATIVE_AIO @use_linux_native_aio@
 #define TS_USE_REMOTE_UNWINDING @use_remote_unwinding@
 #define TS_USE_SSLV3_CLIENT @use_sslv3_client@
+#define TS_USE_TLS_OCSP @use_tls_ocsp@
 
 #define TS_HAS_SO_PEERCRED @has_so_peercred@
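Review bot: `#define TS_USE_TLS_OCSP @use_tls_ocsp@` follows the convention of its neighbours, which is to be defined in every build with a 0/1 value (`traffic_layout/info.cc` in this commit prints it as a value), yet the `.cc` files in this commit test it with `#ifdef` (`OCSPStapling.cc`, `SSLNetProcessor.cc`, `SSLUtils.cc`, `InkAPI.cc`) while only `P_OCSPStapling.h` uses `#if`. With a value-style macro `#ifdef` is unconditionally true, so the OpenSSL-without-OCSP case the configure check introduces is never compiled out. Either every consumer should use `#if TS_USE_TLS_OCSP`, or, if `#ifdef` is what is wanted, the substitution needs to leave the macro undefined when `use_tls_ocsp` is 0 — but that would break `print_feature("TS_USE_TLS_OCSP", ...)`, so the former is the consistent fix.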
 
diff --git a/src/traffic_layout/info.cc b/src/traffic_layout/info.cc
index 590afef..5304706 100644
--- a/src/traffic_layout/info.cc
+++ b/src/traffic_layout/info.cc
@@ -97,6 +97,7 @@ produce_features(bool json)
   print_feature("TS_USE_LINUX_NATIVE_AIO", TS_USE_LINUX_NATIVE_AIO, json);
   print_feature("TS_HAS_SO_PEERCRED", TS_HAS_SO_PEERCRED, json);
   print_feature("TS_USE_REMOTE_UNWINDING", TS_USE_REMOTE_UNWINDING, json);
+  print_feature("TS_USE_TLS_OCSP", TS_USE_TLS_OCSP, json);
   print_feature("SIZEOF_VOIDP", SIZEOF_VOIDP, json);
   print_feature("TS_IP_TRANSPARENT", TS_IP_TRANSPARENT, json);
   print_feature("TS_HAS_128BIT_CAS", TS_HAS_128BIT_CAS, json);
diff --git a/src/traffic_server/InkAPI.cc b/src/traffic_server/InkAPI.cc
index 8b656b1..19213df 100644
--- a/src/traffic_server/InkAPI.cc
+++ b/src/traffic_server/InkAPI.cc
@@ -9195,7 +9195,7 @@ TSSslServerContextCreate(TSSslX509 cert, const char *certname)
   SSLConfigParams *config = SSLConfig::acquire();
   if (config != nullptr) {
     ret = reinterpret_cast<TSSslContext>(SSLCreateServerContext(config));
-#ifdef HAVE_OPENSSL_OCSP_STAPLING
+#ifdef TS_USE_TLS_OCSP
     if (ret && SSLConfigParams::ssl_ocsp_enabled && cert && certname) {
       if (SSL_CTX_set_tlsext_status_cb(reinterpret_cast<SSL_CTX *>(ret), ssl_callback_ocsp_stapling)) {
         if (!ssl_stapling_init_cert(reinterpret_cast<SSL_CTX *>(ret), reinterpret_cast<X509 *>(cert), certname)) {
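Review bot: The `#ifdef TS_USE_TLS_OCSP` introduced here is true in every configuration once `ink_config.h` is in scope, since this commit defines `TS_USE_TLS_OCSP` with a value rather than leaving it undefined when OCSP is unavailable; the plugin API would then reference `ssl_callback_ocsp_stapling` and `ssl_stapling_init_cert` in a build where they are compiled out. Use `#if TS_USE_TLS_OCSP`, consistent with `P_OCSPStapling.h`. The rest of `TSSslServerContextCreate`, including the `#endif` and the error path when `ssl_stapling_init_cert` fails, lies outside this hunk.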


[trafficserver] 01/02: Cleans up logging around OCSP

Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

maskit pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git

commit d5173946c2c66be31d78481b7a278e5a91034686
Author: Randall Meyer <ra...@yahoo.com>
AuthorDate: Mon Jul 2 10:27:57 2018 -0700

    Cleans up logging around OCSP
---
 iocore/net/OCSPStapling.cc   |  4 ++--
 iocore/net/SSLUtils.cc       | 14 +++++++-------
 src/traffic_server/InkAPI.cc |  2 +-
 3 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/iocore/net/OCSPStapling.cc b/iocore/net/OCSPStapling.cc
index 2793072..7f95137 100644
--- a/iocore/net/OCSPStapling.cc
+++ b/iocore/net/OCSPStapling.cc
@@ -185,13 +185,13 @@ ssl_stapling_init_cert(SSL_CTX *ctx, X509 *cert, const char *certname)
     cinf->uri = sk_OPENSSL_STRING_pop(aia);
   }
   if (!cinf->uri) {
-    Note("no responder URI for %s", certname);
+    Note("no OCSP responder URI for %s", certname);
   }
   if (aia) {
     X509_email_free(aia);
   }
 
-  Note("successfully initialized certinfo for %s into SSL_CTX: %p", certname, ctx);
+  Note("successfully initialized stapling for %s into SSL_CTX: %p", certname, ctx);
   return true;
 }
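Review bot: The new `Note("successfully initialized stapling for %s into SSL_CTX: %p", ...)` is emitted, and `true` returned, even on the path just above where `cinf->uri` is null and the code has already noted that there is no OCSP responder URI; an operator reading the log will believe stapling is working for that certificate when no response can ever be fetched for it. Either qualify the message on that path, e.g. `Note("initialized stapling for %s (no responder URI; no OCSP response will be fetched)", certname);`, or return false there if the caller's "failed to configure SSL_CTX for OCSP Stapling" warning is the intended signal — I cannot see how `cinf->uri == nullptr` is treated later in this function, so which is right depends on that. Logging the `SSL_CTX` address with `%p` at Note level also puts a heap address in an operator-facing log on every certificate load; a Debug-level line is the usual place for that.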
 
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index c6405ff..bc9641a 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -1862,14 +1862,14 @@ SSLInitServerContext(const SSLConfigParams *params, const ssl_user_config *sslMu
 
 #ifdef HAVE_OPENSSL_OCSP_STAPLING
   if (SSLConfigParams::ssl_ocsp_enabled) {
-    Debug("ssl", "ssl ocsp stapling is enabled");
+    Debug("ssl", "SSL OCSP Stapling is enabled");
     SSL_CTX_set_tlsext_status_cb(ctx, ssl_callback_ocsp_stapling);
   } else {
-    Debug("ssl", "ssl ocsp stapling is disabled");
+    Debug("ssl", "SSL OCSP Stapling is disabled");
   }
 #else
   if (SSLConfigParams::ssl_ocsp_enabled) {
-    Warning("fail to enable ssl ocsp stapling, this openssl version does not support it");
+    Warning("failed to enable SSL OCSP Stapling; this version of OpenSSL does not support it");
   }
 #endif /* HAVE_OPENSSL_OCSP_STAPLING */
 
@@ -1968,19 +1968,19 @@ ssl_store_ssl_context(const SSLConfigParams *params, SSLCertLookup *lookup, cons
 
 #ifdef HAVE_OPENSSL_OCSP_STAPLING
   if (SSLConfigParams::ssl_ocsp_enabled) {
-    Debug("ssl", "ssl ocsp stapling is enabled");
+    Debug("ssl", "SSL OCSP Stapling is enabled");
     SSL_CTX_set_tlsext_status_cb(ctx, ssl_callback_ocsp_stapling);
     for (auto cert : cert_list) {
       if (!ssl_stapling_init_cert(ctx, cert, certname)) {
-        Warning("fail to configure SSL_CTX for OCSP Stapling info for certificate at %s", (const char *)certname);
+        Warning("failed to configure SSL_CTX for OCSP Stapling info for certificate at %s", (const char *)certname);
       }
     }
   } else {
-    Debug("ssl", "ssl ocsp stapling is disabled");
+    Debug("ssl", "SSL OCSP Stapling is disabled");
   }
 #else
   if (SSLConfigParams::ssl_ocsp_enabled) {
-    Warning("fail to enable ssl ocsp stapling, this openssl version does not support it");
+    Warning("failed to enable SSL OCSP Stapling; this version of OpenSSL does not support it");
   }
 #endif /* HAVE_OPENSSL_OCSP_STAPLING */
 
diff --git a/src/traffic_server/InkAPI.cc b/src/traffic_server/InkAPI.cc
index b962561..8b656b1 100644
--- a/src/traffic_server/InkAPI.cc
+++ b/src/traffic_server/InkAPI.cc
@@ -9199,7 +9199,7 @@ TSSslServerContextCreate(TSSslX509 cert, const char *certname)
     if (ret && SSLConfigParams::ssl_ocsp_enabled && cert && certname) {
       if (SSL_CTX_set_tlsext_status_cb(reinterpret_cast<SSL_CTX *>(ret), ssl_callback_ocsp_stapling)) {
         if (!ssl_stapling_init_cert(reinterpret_cast<SSL_CTX *>(ret), reinterpret_cast<X509 *>(cert), certname)) {
-          Warning("fail to configure SSL_CTX for OCSP Stapling info for certificate at %s", (const char *)certname);
+          Warning("failed to configure SSL_CTX for OCSP Stapling info for certificate at %s", (const char *)certname);
         }
       }
     }