Posted to commits@trafficserver.apache.org by jp...@apache.org on 2016/05/02 00:54:24 UTC
[trafficserver] 01/04: TS-4373: TSSslServerContextCreate and
TSSslContextDestroy.
This is an automated email from the ASF dual-hosted git repository.
jpeach pushed a commit to branch master
in repository https://git-dual.apache.org/repos/asf/trafficserver.git
commit 5a36ca58a85f34a6c7f7ccef1a9f5c9fe79ebf88
Author: Mathias Biilmann Christensen <in...@mathias-biilmann.net>
AuthorDate: Mon Dec 28 22:45:03 2015 -0800
TS-4373: TSSslServerContextCreate and TSSslContextDestroy.
TSSslServerContextCreate returns a new SSL Context that's configured
according to the settings in records.config.
This is useful if an extension wants to use the TS_SSL_CERT_HOOK to
control loading of SNI certificates, and still wants to respect the
cipher suite and related SSL settings from records.config.
Add TSSslContextDestroy method.
---
iocore/net/P_SSLUtils.h | 3 +++
iocore/net/SSLUtils.cc | 41 +++++++++++++++++++++++++++++++++++++++++
proxy/InkAPI.cc | 18 ++++++++++++++++++
proxy/api/ts/ts.h | 5 +++++
4 files changed, 67 insertions(+)
diff --git a/iocore/net/P_SSLUtils.h b/iocore/net/P_SSLUtils.h
index d4dd94d..b20db10 100644
--- a/iocore/net/P_SSLUtils.h
+++ b/iocore/net/P_SSLUtils.h
@@ -117,6 +117,9 @@ extern RecRawStatBlock *ssl_rsb;
// Create a default SSL server context.
SSL_CTX *SSLDefaultServerContext();
+// Create a new SSL server context fully configured.
+SSL_CTX *SSLCreateServerContext(const SSLConfigParams *params);
+
// Initialize the SSL library.
void SSLInitializeLibrary();
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index bd41877..ed80cf4 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -1685,6 +1685,47 @@ ssl_set_handshake_callbacks(SSL_CTX *ctx)
#endif
}
+SSL_CTX *
+SSLCreateServerContext(const SSLConfigParams *params) {
+ Vec<X509 *> cert_list;
+ const ssl_user_config sslMultCertSettings;
+ SSL_CTX *ctx = SSLInitServerContext(params, sslMultCertSettings, cert_list);
+
+ // The certificate callbacks are set by the caller only
+ // for the default certificate
+ SSL_CTX_set_info_callback(ctx, ssl_callback_info);
+
+#if TS_USE_TLS_NPN
+ SSL_CTX_set_next_protos_advertised_cb(ctx, SSLNetVConnection::advertise_next_protocol, NULL);
+#endif /* TS_USE_TLS_NPN */
+
+#if TS_USE_TLS_ALPN
+ SSL_CTX_set_alpn_select_cb(ctx, SSLNetVConnection::select_next_protocol, NULL);
+#endif /* TS_USE_TLS_ALPN */
+
+ // TODO: Allow control over tickets and ticket path when using SSLCreateServerContext
+ ssl_context_enable_tickets(ctx, NULL);
+
+#ifdef HAVE_OPENSSL_OCSP_STAPLING
+ if (SSLConfigParams::ssl_ocsp_enabled) {
+ Debug("ssl", "ssl ocsp stapling is enabled");
+ SSL_CTX_set_tlsext_status_cb(ctx, ssl_callback_ocsp_stapling);
+ } else {
+ Debug("ssl", "ssl ocsp stapling is disabled");
+ }
+#else
+ if (SSLConfigParams::ssl_ocsp_enabled) {
+ Warning("fail to enable ssl ocsp stapling, this openssl version does not support it");
+ }
+#endif /* HAVE_OPENSSL_OCSP_STAPLING */
+
+
+ if (SSLConfigParams::init_ssl_ctx_cb) {
+ SSLConfigParams::init_ssl_ctx_cb(ctx, true);
+ }
+ return ctx;
+}
+
static SSL_CTX *
ssl_store_ssl_context(const SSLConfigParams *params, SSLCertLookup *lookup, const ssl_user_config &sslMultCertSettings)
{
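Review bot: The context returned by SSLInitServerContext at line 47 is passed straight to SSL_CTX_set_info_callback and the rest of the SSL_CTX_* calls without a NULL check; if that initializer can fail and return NULL (its body is not in this hunk), SSLCreateServerContext dereferences a null context instead of letting TSSslServerContextCreate report failure to the plugin. Suggest `if (ctx == NULL) { return NULL; }` immediately after the call on line 47. The opening brace of SSLCreateServerContext sits on the signature line, unlike the file's other definitions (see ssl_store_ssl_context just below), so move it to its own line. The `// TODO` at line 61 leaves plugin-created contexts with a NULL ticket key path, which presumably differs from how the default contexts are configured; a `Debug("ssl", ...)` line there would at least make the divergence visible to operators debugging session resumption.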
diff --git a/proxy/InkAPI.cc b/proxy/InkAPI.cc
index 110efc7..dd7f649 100644
--- a/proxy/InkAPI.cc
+++ b/proxy/InkAPI.cc
@@ -8845,6 +8845,24 @@ TSSslContextFindByAddr(struct sockaddr const *addr)
return ret;
}
+tsapi TSSslContext
+TSSslServerContextCreate()
+{
+ TSSslContext ret = NULL;
+ SSLConfigParams *config = SSLConfig::acquire();
+ if (config != NULL) {
+ ret = reinterpret_cast<TSSslContext>(SSLCreateServerContext(config));
+ SSLConfig::release(config);
+ }
+ return ret;
+}
+
+tsapi void
+TSSslContextDestroy(TSSslContext ctx)
+{
+ SSLReleaseContext(reinterpret_cast<SSL_CTX*>(ctx));
+}
+
tsapi int
TSVConnIsSsl(TSVConn sslp)
{
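Review bot: TSSslContextDestroy at line 109 frees whatever handle it receives, but the adjacent TSSslContextFindByName/TSSslContextFindByAddr return contexts that belong to the global lookup table; a plugin that passes one of those here would release a context the table still references, unless SSLReleaseContext is reference-counted (not visible in this hunk). Suggest a guard and a restricting comment above the call: `// Only for contexts returned by TSSslServerContextCreate; looked-up contexts are owned by the certificate table` followed by `if (ctx == NULL) { return; }`. TSSslServerContextCreate also releases `config` right after building the context, which is only safe if SSLCreateServerContext copies what it needs rather than keeping the params pointer — worth confirming against SSLInitServerContext, since a records.config reload could otherwise leave the new context dangling.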
diff --git a/proxy/api/ts/ts.h b/proxy/api/ts/ts.h
index a55408a..7fb07de 100644
--- a/proxy/api/ts/ts.h
+++ b/proxy/api/ts/ts.h
@@ -1224,9 +1224,14 @@ tsapi TSSslConnection TSVConnSSLConnectionGet(TSVConn sslp);
// Fetch a SSL context from the global lookup table
tsapi TSSslContext TSSslContextFindByName(const char *name);
tsapi TSSslContext TSSslContextFindByAddr(struct sockaddr const *);
+// Create a new SSL context based on the settings in records.config
+tsapi TSSslContext TSSslServerContextCreate(void);
+tsapi void TSSslContextDestroy(TSSslContext ctx);
+
// Returns 1 if the sslp argument refers to a SSL connection
tsapi int TSVConnIsSsl(TSVConn sslp);
+
/* --------------------------------------------------------------------------
HTTP transactions */
tsapi void TSHttpTxnHookAdd(TSHttpTxn txnp, TSHttpHookID id, TSCont contp);
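Review bot: The new declarations at lines 124-125 carry no ownership contract: nothing tells a plugin author that TSSslServerContextCreate may return NULL, that the returned context is owned by the caller and must be released with TSSslContextDestroy, or that TSSslContextDestroy must not be applied to the contexts handed back by TSSslContextFindByName/TSSslContextFindByAddr declared just above. Suggest replacing the one-line comment at line 123 with: `// Create a new SSL server context configured from the SSL settings in records.config.` / `// Returns NULL on failure. The caller owns the context and must release it with TSSslContextDestroy;` / `// contexts obtained from TSSslContextFindBy* belong to the lookup table and must not be destroyed.`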
--