Posted to commits@trafficcontrol.apache.org by da...@apache.org on 2019/02/20 20:16:07 UTC
[trafficcontrol] branch master updated: Make SSL Cert lookup
case-insensitive (#3331)
This is an automated email from the ASF dual-hosted git repository.
dangogh pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficcontrol.git
The following commit(s) were added to refs/heads/master by this push:
new 6504e7f Make SSL Cert lookup case-insensitive (#3331)
6504e7f is described below
commit 6504e7fa1af038371d086ed941c3847e7ae17207
Author: ajschmidt <za...@gmail.com>
AuthorDate: Wed Feb 20 13:16:01 2019 -0700
Make SSL Cert lookup case-insensitive (#3331)
* Fix case-sensitive SSL cert lookup
* Set SSL certificate key names to lower case
* Set requested SNI to lower case
---
.../traffic_router/protocol/RouterNioEndpoint.java | 5 +++
.../traffic_router/secure/CertificateRegistry.java | 42 +++++++++++++---------
.../test/java/secure/CertificateRegistryTest.java | 3 ++
.../traffic_router/shared/CertificateData.java | 6 +++-
4 files changed, 39 insertions(+), 17 deletions(-)
diff --git a/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/protocol/RouterNioEndpoint.java b/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/protocol/RouterNioEndpoint.java
index d604e81..657e573 100644
--- a/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/protocol/RouterNioEndpoint.java
+++ b/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/protocol/RouterNioEndpoint.java
@@ -87,4 +87,9 @@ public class RouterNioEndpoint extends NioEndpoint {
createSSLContext(sslHostConfig);
}
}
+
+ @Override
+ protected SSLHostConfig getSSLHostConfig(final String sniHostName) {
+ return super.getSSLHostConfig(sniHostName.toLowerCase());
+ }
}
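Review bot: `sniHostName.toLowerCase()` in the added getSSLHostConfig override folds with the JVM default locale, so under a Turkish locale a name containing `I` becomes dotless `ı` and never matches the lower-cased registry key; use `toLowerCase(Locale.ROOT)` here and in `setHostname` of CertificateData.java, which has the same issue. If the superclass tolerates a null SNI name (client sent no server_name extension) and falls back to the default host config, the override now turns that path into a NullPointerException before the fallback is reached, so guard it: `return super.getSSLHostConfig(sniHostName == null ? null : sniHostName.toLowerCase(Locale.ROOT));`. `java.util.Locale` would need to be imported in this file; the enclosing class starts outside the hunk.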
diff --git a/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateRegistry.java b/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateRegistry.java
index b3bfd3c..e3f773c 100644
--- a/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateRegistry.java
+++ b/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateRegistry.java
@@ -17,12 +17,12 @@ package com.comcast.cdn.traffic_control.traffic_router.secure;
import com.comcast.cdn.traffic_control.traffic_router.protocol.RouterNioEndpoint;
import com.comcast.cdn.traffic_control.traffic_router.shared.CertificateData;
+import org.apache.log4j.Logger;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
-import org.apache.log4j.Logger;
public class CertificateRegistry {
private static final Logger log = Logger.getLogger(CertificateRegistry.class);
@@ -61,6 +61,7 @@ public class CertificateRegistry {
private static final CertificateRegistry DELIVERY_SERVICE_CERTIFICATES = new CertificateRegistry();
}
+ @SuppressWarnings({"PMD.CyclomaticComplexity", "PMD.AvoidDeeplyNestedIfStmts", "PMD.NPathComplexity"})
synchronized public void importCertificateDataList(final List<CertificateData> certificateDataList) {
final Map<String, HandshakeData> changes = new HashMap<>();
final Map<String, HandshakeData> master = new HashMap<>();
@@ -68,34 +69,43 @@ public class CertificateRegistry {
// find CertificateData which has changed
for (final CertificateData certificateData : certificateDataList) {
try {
- final HandshakeData handshakeData = certificateDataConverter.toHandshakeData(certificateData);
- final String alias = handshakeData.getHostname().replaceFirst("\\*\\.", "");
- master.put(alias, handshakeData);
-
- if (certificateData.equals(previousData.get(certificateData.getHostname()))) {
- continue;
- }
- changes.put(alias, handshakeData);
- log.warn("Imported handshake data with alias " + alias);
- } catch (Exception e) {
+ final String alias = certificateData.alias();
+
+ if (!master.containsKey(alias)) {
+ final HandshakeData handshakeData = certificateDataConverter.toHandshakeData(certificateData);
+ master.put(alias, handshakeData);
+ if (!certificateData.equals(previousData.get(alias))) {
+ changes.put(alias, handshakeData);
+ log.warn("Imported handshake data with alias " + alias);
+ }
+ }
+ else {
+ log.error("An TLS certificate already exists in the registry for host: "+alias+" There can be " +
+ "only one!" );
+ }
+ } catch (Exception e) {
log.error("Failed to import certificate data for delivery service: '" + certificateData.getDeliveryservice() + "', hostname: '" + certificateData.getHostname() + "'");
}
}
// find CertificateData which has been removed
- for (final String hostname : previousData.keySet())
+ for (final String alias : previousData.keySet())
{
- if (!master.containsKey(hostname.replaceFirst("\\*\\.", "")) && sslEndpoint != null)
+ if (!master.containsKey(alias) && sslEndpoint != null)
{
- sslEndpoint.removeSslHostConfig(hostname);
- log.warn("Removed handshake data with hostname " + hostname);
+ final String hostname = previousData.get(alias).getHostname();
+ sslEndpoint.removeSslHostConfig(hostname);
+ log.warn("Removed handshake data with hostname " + hostname);
}
}
// store the result for the next import
previousData.clear();
for (final CertificateData certificateData : certificateDataList) {
- previousData.put(certificateData.getHostname(), certificateData);
+ final String alias = certificateData.alias();
+ if (!previousData.containsKey(alias)) {
+ previousData.put(alias, certificateData);
+ }
}
handshakeDataMap = master;
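Review bot: Because `alias()` strips the `*.` prefix, a wildcard certificate for `*.example.com` and a certificate for `example.com` now collapse to the same key, and the new `!master.containsKey(alias)` branch keeps whichever appears first in `certificateDataList` while the other is only logged, so which certificate serves TLS for that name depends on list order. The error message should name both sides so the conflict can be diagnosed, e.g. `log.error("A TLS certificate already exists in the registry for alias " + alias + "; keeping hostname " + master.get(alias).getHostname() + " and ignoring " + certificateData.getHostname());` (which also fixes the "An TLS" wording). The `catch (Exception e)` that follows still logs without `e`, so the cause of a failed conversion is lost; pass `e` as the second argument to `log.error`. importCertificateDataList starts before this hunk and continues after it.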
diff --git a/traffic_router/connector/src/test/java/secure/CertificateRegistryTest.java b/traffic_router/connector/src/test/java/secure/CertificateRegistryTest.java
index 555e4ab..d01da22 100644
--- a/traffic_router/connector/src/test/java/secure/CertificateRegistryTest.java
+++ b/traffic_router/connector/src/test/java/secure/CertificateRegistryTest.java
@@ -50,6 +50,9 @@ public class CertificateRegistryTest {
certificateData1 = mock(CertificateData.class);
certificateData2 = mock(CertificateData.class);
certificateData3 = mock(CertificateData.class);
+ when(certificateData1.alias()).thenReturn("ds-1.some-cdn.example.com");
+ when(certificateData2.alias()).thenReturn("ds-2.some-cdn.example.com");
+ when(certificateData3.alias()).thenReturn("ds-3.some-cdn.example.com");
certificateDataList = Arrays.asList(certificateData1, certificateData2, certificateData3);
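Review bot: The test only stubs `alias()` on the mocks; nothing here exercises what the commit is for — a mixed-case hostname resolving to the lower-cased key, or two entries sharing an alias being reduced to one registry entry. A case that calls `setHostname("DS-1.Some-CDN.Example.COM")` on a real CertificateData and asserts `alias()` returns `"ds-1.some-cdn.example.com"`, plus one where two mocks return the same alias and only one entry lands in the registry, would pin both behaviors. The setUp method this hunk sits in starts before the hunk.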
diff --git a/traffic_router/shared/src/main/java/com/comcast/cdn/traffic_control/traffic_router/shared/CertificateData.java b/traffic_router/shared/src/main/java/com/comcast/cdn/traffic_control/traffic_router/shared/CertificateData.java
index 202908f..f9726f3 100644
--- a/traffic_router/shared/src/main/java/com/comcast/cdn/traffic_control/traffic_router/shared/CertificateData.java
+++ b/traffic_router/shared/src/main/java/com/comcast/cdn/traffic_control/traffic_router/shared/CertificateData.java
@@ -49,8 +49,12 @@ public class CertificateData {
return hostname;
}
+ public String alias() {
+ return getHostname().replaceFirst("\\*\\.", "");
+ }
+
public void setHostname(final String hostname) {
- this.hostname = hostname;
+ this.hostname = hostname.toLowerCase();
}
@SuppressWarnings("PMD.IfStmtsMustUseBraces")
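Review bot: `alias()` has no Javadoc and its contract is not obvious: `replaceFirst("\\*\\.", "")` removes the first `*.` wherever it occurs, so `*.example.com` and `example.com` yield the same alias, and the registry keys certificates by that value. Suggested Javadoc: `/** Registry key for this certificate: the hostname (lower-cased by setHostname) with its wildcard prefix {@code *.} removed, so a wildcard and an apex certificate for the same domain share an alias. */`. `setHostname` now throws NullPointerException on a null hostname where it previously stored null; if the hostname is populated by a JSON mapper that may pass null, guard it: `this.hostname = hostname == null ? null : hostname.toLowerCase(Locale.ROOT);`. Lower-casing only in the setter means any code writing the field directly bypasses it — presumably fine if every path goes through the setter, but worth confirming.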