Posted to commits@trafficcontrol.apache.org by da...@apache.org on 2019/02/20 20:16:07 UTC

[trafficcontrol] branch master updated: Make SSL Cert lookup case-insensitive (#3331)

This is an automated email from the ASF dual-hosted git repository.

dangogh pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficcontrol.git


The following commit(s) were added to refs/heads/master by this push:
     new 6504e7f  Make SSL Cert lookup case-insensitive (#3331)
6504e7f is described below

commit 6504e7fa1af038371d086ed941c3847e7ae17207
Author: ajschmidt <za...@gmail.com>
AuthorDate: Wed Feb 20 13:16:01 2019 -0700

    Make SSL Cert lookup case-insensitive (#3331)
    
    * Fix case-sensitive SSL cert lookup
    * Set SSL certificate key names to lower case
    * Set requested SNI to lower case
---
 .../traffic_router/protocol/RouterNioEndpoint.java |  5 +++
 .../traffic_router/secure/CertificateRegistry.java | 42 +++++++++++++---------
 .../test/java/secure/CertificateRegistryTest.java  |  3 ++
 .../traffic_router/shared/CertificateData.java     |  6 +++-
 4 files changed, 39 insertions(+), 17 deletions(-)

diff --git a/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/protocol/RouterNioEndpoint.java b/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/protocol/RouterNioEndpoint.java
index d604e81..657e573 100644
--- a/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/protocol/RouterNioEndpoint.java
+++ b/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/protocol/RouterNioEndpoint.java
@@ -87,4 +87,9 @@ public class RouterNioEndpoint extends NioEndpoint {
             createSSLContext(sslHostConfig);
         }
     }
+
+    @Override
+    protected SSLHostConfig getSSLHostConfig(final String sniHostName) {
+        return super.getSSLHostConfig(sniHostName.toLowerCase());
+    }
 }
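Review bot: `sniHostName.toLowerCase()` on the new override line dereferences the parameter unconditionally and folds case with the JVM default locale; if the superclass is ever reached with a null SNI name (a client that sends no SNI extension), this override throws instead of letting the default host config be chosen, and under a Turkish default locale an `I` in the requested name would not fold to `i`, so the lookup would miss. Guard the null and pin the locale: `return super.getSSLHostConfig(sniHostName == null ? null : sniHostName.toLowerCase(Locale.ROOT));` (needs `java.util.Locale` imported). Whether the superclass tolerates a null here is not visible in the hunk; it is worth checking against the Tomcat version in use before relying on the guard.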
diff --git a/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateRegistry.java b/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateRegistry.java
index b3bfd3c..e3f773c 100644
--- a/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateRegistry.java
+++ b/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateRegistry.java
@@ -17,12 +17,12 @@ package com.comcast.cdn.traffic_control.traffic_router.secure;
 
 import com.comcast.cdn.traffic_control.traffic_router.protocol.RouterNioEndpoint;
 import com.comcast.cdn.traffic_control.traffic_router.shared.CertificateData;
+import org.apache.log4j.Logger;
 
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
-import org.apache.log4j.Logger;
 
 public class CertificateRegistry {
 	private static final Logger log = Logger.getLogger(CertificateRegistry.class);
@@ -61,6 +61,7 @@ public class CertificateRegistry {
 		private static final CertificateRegistry DELIVERY_SERVICE_CERTIFICATES = new CertificateRegistry();
 	}
 
+	@SuppressWarnings({"PMD.CyclomaticComplexity", "PMD.AvoidDeeplyNestedIfStmts", "PMD.NPathComplexity"})
 	synchronized public void importCertificateDataList(final List<CertificateData> certificateDataList) {
 		final Map<String, HandshakeData> changes = new HashMap<>();
 		final Map<String, HandshakeData> master = new HashMap<>();
@@ -68,34 +69,43 @@ public class CertificateRegistry {
 		// find CertificateData which has changed
 		for (final CertificateData certificateData : certificateDataList) {
 			try {
-			final HandshakeData handshakeData = certificateDataConverter.toHandshakeData(certificateData);
-			final String alias = handshakeData.getHostname().replaceFirst("\\*\\.", "");
-			master.put(alias, handshakeData);
-
-			if (certificateData.equals(previousData.get(certificateData.getHostname()))) {
-				continue;
-			}
-			changes.put(alias, handshakeData);
-			log.warn("Imported handshake data with alias " + alias);
-		} catch (Exception e) {
+				final String alias = certificateData.alias();
+
+				if (!master.containsKey(alias)) {
+					final HandshakeData handshakeData = certificateDataConverter.toHandshakeData(certificateData);
+					master.put(alias, handshakeData);
+					if (!certificateData.equals(previousData.get(alias))) {
+						changes.put(alias, handshakeData);
+						log.warn("Imported handshake data with alias " + alias);
+					}
+				}
+				else {
+					log.error("An TLS certificate already exists in the registry for host: "+alias+" There can be " +
+							"only one!" );
+				}
+			} catch (Exception e) {
 				log.error("Failed to import certificate data for delivery service: '" + certificateData.getDeliveryservice() + "', hostname: '" + certificateData.getHostname() + "'");
 			}
 		}
 
 		// find CertificateData which has been removed
-		for (final String hostname : previousData.keySet())
+		for (final String alias : previousData.keySet())
 		{
-			if (!master.containsKey(hostname.replaceFirst("\\*\\.", "")) && sslEndpoint != null)
+			if (!master.containsKey(alias) && sslEndpoint != null)
 			{
-					sslEndpoint.removeSslHostConfig(hostname);
-				    log.warn("Removed handshake data with hostname " + hostname);
+				final String hostname = previousData.get(alias).getHostname();
+				sslEndpoint.removeSslHostConfig(hostname);
+			    log.warn("Removed handshake data with hostname " + hostname);
 			}
 		}
 
 		// store the result for the next import
 		previousData.clear();
 		for (final CertificateData certificateData : certificateDataList) {
-			previousData.put(certificateData.getHostname(), certificateData);
+			final String alias = certificateData.alias();
+			if (!previousData.containsKey(alias)) {
+				previousData.put(alias, certificateData);
+			}
 		}
 
 		handshakeDataMap = master;
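Review bot: The duplicate-alias branch (the `else` after `master.containsKey(alias)`) drops the second certificate but its log line names only the alias, so an operator cannot tell which delivery service lost, and because `alias()` strips the `*.` prefix a wildcard entry and a plain entry for the same domain collide here without the message saying so. Include the dropped entry and fix the article: `log.error("A TLS certificate already exists in the registry for alias '" + alias + "'; ignoring certificate for delivery service '" + certificateData.getDeliveryservice() + "', hostname '" + certificateData.getHostname() + "'");`. The re-indented `catch (Exception e)` still logs only a message on the following context line; passing `e` as the second argument to `log.error` would preserve why a certificate failed to import. Which entry wins for a colliding alias is now the first in list order where the old `master.put` let the last one win, so the served certificate depends on the order the list arrives in; if that order is not stable between imports, expect the registry to flip. importCertificateDataList starts in the previous hunk and its body continues past this one.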
diff --git a/traffic_router/connector/src/test/java/secure/CertificateRegistryTest.java b/traffic_router/connector/src/test/java/secure/CertificateRegistryTest.java
index 555e4ab..d01da22 100644
--- a/traffic_router/connector/src/test/java/secure/CertificateRegistryTest.java
+++ b/traffic_router/connector/src/test/java/secure/CertificateRegistryTest.java
@@ -50,6 +50,9 @@ public class CertificateRegistryTest {
 		certificateData1 = mock(CertificateData.class);
 		certificateData2 = mock(CertificateData.class);
 		certificateData3 = mock(CertificateData.class);
+		when(certificateData1.alias()).thenReturn("ds-1.some-cdn.example.com");
+		when(certificateData2.alias()).thenReturn("ds-2.some-cdn.example.com");
+		when(certificateData3.alias()).thenReturn("ds-3.some-cdn.example.com");
 
 		certificateDataList = Arrays.asList(certificateData1, certificateData2, certificateData3);
 
diff --git a/traffic_router/shared/src/main/java/com/comcast/cdn/traffic_control/traffic_router/shared/CertificateData.java b/traffic_router/shared/src/main/java/com/comcast/cdn/traffic_control/traffic_router/shared/CertificateData.java
index 202908f..f9726f3 100644
--- a/traffic_router/shared/src/main/java/com/comcast/cdn/traffic_control/traffic_router/shared/CertificateData.java
+++ b/traffic_router/shared/src/main/java/com/comcast/cdn/traffic_control/traffic_router/shared/CertificateData.java
@@ -49,8 +49,12 @@ public class CertificateData {
 		return hostname;
 	}
 
+	public String alias() {
+		return getHostname().replaceFirst("\\*\\.", "");
+	}
+
 	public void setHostname(final String hostname) {
-		this.hostname = hostname;
+		this.hostname = hostname.toLowerCase();
 	}
 
 	@SuppressWarnings("PMD.IfStmtsMustUseBraces")
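Review bot: `hostname.toLowerCase()` in the new `setHostname` body throws on a null argument, which the old plain assignment accepted, and it uses the JVM default locale, so the folded value can differ between hosts (the Turkish dotted/dotless i is the usual case) while SNI matching needs a locale-independent fold. `this.hostname = hostname == null ? null : hostname.toLowerCase(Locale.ROOT);` keeps the old null tolerance and makes the result deterministic (add `java.util.Locale` to the imports). The new `alias()` uses `replaceFirst("\\*\\.", "")`, which is unanchored and would also rewrite a `*.` appearing later in the string; `"^\\*\\."` limits it to the leading wildcard label. Whether every path that populates the field goes through this setter (a JSON mapper configured for field access would not) is not visible here; if any bypasses it, the lowercasing never applies and `alias()` should fold the case itself. The class continues outside the hunk.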