svn commit: r1236534 - in /trafficserver/traffic/trunk: CHANGES
iocore/net/SSLNet.cc iocore/net/SSLNetVConnection.cc
Author: jpeach
Date: Fri Jan 27 05:27:34 2012
New Revision: 1236534
URL: http://svn.apache.org/viewvc?rev=1236534&view=rev
Log:
TS-1083: Initial NPN plumbing.
Modified:
trafficserver/traffic/trunk/CHANGES
trafficserver/traffic/trunk/iocore/net/SSLNet.cc
trafficserver/traffic/trunk/iocore/net/SSLNetVConnection.cc
Modified: trafficserver/traffic/trunk/CHANGES
URL: http://svn.apache.org/viewvc/trafficserver/traffic/trunk/CHANGES?rev=1236534&r1=1236533&r2=1236534&view=diff
==============================================================================
--- trafficserver/traffic/trunk/CHANGES (original)
+++ trafficserver/traffic/trunk/CHANGES Fri Jan 27 05:27:34 2012
@@ -1,6 +1,8 @@
-*- coding: utf-8 -*-
Changes with Apache Traffic Server 3.1.2
+ *) [TS-1083] Initial SSL next protocol negotiation support.
+
*) [TS-1082] Obey existing optimizer CXXFLAGS and CFLAGS at configure time.
*) [TS-1077] All proxy ports are now configured by
Modified: trafficserver/traffic/trunk/iocore/net/SSLNet.cc
URL: http://svn.apache.org/viewvc/trafficserver/traffic/trunk/iocore/net/SSLNet.cc?rev=1236534&r1=1236533&r2=1236534&view=diff
==============================================================================
--- trafficserver/traffic/trunk/iocore/net/SSLNet.cc (original)
+++ trafficserver/traffic/trunk/iocore/net/SSLNet.cc Fri Jan 27 05:27:34 2012
@@ -33,6 +33,35 @@ unsigned long SSL_pthreads_thread_id();
bool SSLNetProcessor::open_ssl_initialized = false;
+#if TS_USE_TLS_NPN
+static int
+npn_advertise_protocols(SSL *ssl,
+ const unsigned char **out, unsigned int *outlen, void *arg)
+{
+ static const unsigned char protocols[] =
+ "\x08http/1.0"
+ "\x08http/1.1";
+
+ SSLNetProcessor * sslNetProc = (SSLNetProcessor *)arg;
+
+ // XXX: At some point we need to figure out how to know which protocols to
+ // advertise.
+ (void)sslNetProc;
+
+ // For currently defined protocol strings,
+ // see http://technotes.googlecode.com/git/nextprotoneg.html. The OpenSSL
+ // documentation tells us to return a string in "wire format". The draft NPN
+ // RFC helpfuly refuses to document the wire format. The above link says we
+ // need to send length-prefixed strings, but does not say how many bytes the
+ // length is. Nice.
+ *out = protocols;
+ *outlen = sizeof(protocols) - 1;
+
+ // Successful return tells OpenSSL to advertise.
+ return SSL_TLSEXT_ERR_OK;
+}
+#endif /* TS_USE_TLS_NPN */
+
int
SSL_CTX_add_extra_chain_cert_file(SSL_CTX * ctx, const char *file)
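Review bot: The comment above `*out = protocols;` says the width of the length prefix is unknown, yet the table hard-codes one-byte `\x08` prefixes that a reader can only trust by counting characters. NPN's advertised list is a sequence of one-byte-length-prefixed names (the same encoding OpenSSL uses for ALPN lists), so the code is right and the comment should state that instead of leaving doubt: I would replace the five-line aside with `// NPN wire format: one-byte length followed by the name; each \x08 must equal the length of the name after it.`. The `static` on `protocols` is load-bearing too, because OpenSSL consumes the pointer handed back through `*out` after the callback returns, so a stack buffer here would be a use-after-scope; a one-line `// static: OpenSSL reads *out after this callback returns` would protect it from a later "cleanup". As a point of style, `(SSLNetProcessor *)arg` should be `static_cast<SSLNetProcessor *>(arg)` so the cast stays greppable when the XXX is resolved and the pointer is actually used.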
@@ -121,7 +150,7 @@ SSLNetProcessor::reconfigure(void)
if (!open_ssl_initialized) {
open_ssl_initialized = true;
SSL_load_error_strings();
- SSLeay_add_ssl_algorithms();
+ SSL_library_init();
initSSLLocks();
}
@@ -371,6 +400,11 @@ SSLNetProcessor::initSSLServerCTX(SslCon
return -6;
}
}
+
+#if TS_USE_TLS_NPN
+ SSL_CTX_set_next_protos_advertised_cb(lCtx, npn_advertise_protocols, this);
+#endif /* TS_USE_TLS_NPN */
+
return 0;
}
Modified: trafficserver/traffic/trunk/iocore/net/SSLNetVConnection.cc
URL: http://svn.apache.org/viewvc/trafficserver/traffic/trunk/iocore/net/SSLNetVConnection.cc?rev=1236534&r1=1236533&r2=1236534&view=diff
==============================================================================
--- trafficserver/traffic/trunk/iocore/net/SSLNetVConnection.cc (original)
+++ trafficserver/traffic/trunk/iocore/net/SSLNetVConnection.cc Fri Jan 27 05:27:34 2012
@@ -531,6 +531,20 @@ SSLNetVConnection::sslServerHandShakeEve
}
sslHandShakeComplete = 1;
+#if TS_USE_TLS_NPN
+ if (diags->on("ssl")) {
+ const unsigned char * proto = NULL;
+ unsigned len = 0;
+
+ SSL_get0_next_proto_negotiated(ssl, &proto, &len);
+ if (len) {
+ Debug("ssl", "client selected next protocol %.*s", len, proto);
+ } else {
+ Debug("ssl", "client did not select a next protocol");
+ }
+ }
+#endif /* TS_USE_TLS_NPN */
+
return EVENT_DONE;
case SSL_ERROR_WANT_ACCEPT:
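Review bot: `%.*s` takes its precision argument as an `int`, but `len` passed on the `Debug("ssl", "client selected next protocol %.*s", len, proto)` line is declared `unsigned`, which is a format-argument type mismatch that `-Wformat` reports; pass `(int)len`. The bounded `%.*s` is otherwise the right choice, since `proto` is not NUL-terminated, and `len`/`proto` come from OpenSSL's parse of the client's NPN selection rather than from configuration, so whatever bytes the client chose are written to the debug log unescaped whenever the `ssl` tag is on. A comment such as `// proto is client-supplied and not NUL-terminated; %.*s bounds the read` would keep the next maintainer from switching to `%s`. The enclosing sslServerHandShakeEvent starts and ends outside the hunk.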