Posted to commits@trafficserver.apache.org by jp...@apache.org on 2016/05/02 00:54:24 UTC

[trafficserver] 01/04: TS-4373: TSSslServerContextCreate and TSSslContextDestroy.

This is an automated email from the ASF dual-hosted git repository.

jpeach pushed a commit to branch master
in repository https://git-dual.apache.org/repos/asf/trafficserver.git

commit 5a36ca58a85f34a6c7f7ccef1a9f5c9fe79ebf88
Author: Mathias Biilmann Christensen <in...@mathias-biilmann.net>
AuthorDate: Mon Dec 28 22:45:03 2015 -0800

    TS-4373: TSSslServerContextCreate and TSSslContextDestroy.
    
    TSSslServerContextCreate returns a new SSL Context that's configured
    according to the settings in records.config.
    
    This is useful if an extension wants to use the TS_SSL_CERT_HOOK to
    control loading of SNI certificates, and still wants to respect the
    cipher suite and related SSL settings.
    
    Add TSSslContextDestroy method.
---
 iocore/net/P_SSLUtils.h |  3 +++
 iocore/net/SSLUtils.cc  | 41 +++++++++++++++++++++++++++++++++++++++++
 proxy/InkAPI.cc         | 18 ++++++++++++++++++
 proxy/api/ts/ts.h       |  5 +++++
 4 files changed, 67 insertions(+)

diff --git a/iocore/net/P_SSLUtils.h b/iocore/net/P_SSLUtils.h
index d4dd94d..b20db10 100644
--- a/iocore/net/P_SSLUtils.h
+++ b/iocore/net/P_SSLUtils.h
@@ -117,6 +117,9 @@ extern RecRawStatBlock *ssl_rsb;
 // Create a default SSL server context.
 SSL_CTX *SSLDefaultServerContext();
 
+// Create a new SSL server context fully configured.
+SSL_CTX *SSLCreateServerContext(const SSLConfigParams *params);
+
 // Initialize the SSL library.
 void SSLInitializeLibrary();
 
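Review bot: The new `SSLCreateServerContext` declaration does not say who owns the returned context or how it is released, and the rest of this commit frees it through SSLReleaseContext (via TSSslContextDestroy), so the header comment should state that contract. Suggest `// Create a new SSL server context fully configured from params.` followed by `// The caller owns the returned context and must release it with SSLReleaseContext().`. If the implementation can return NULL when context initialization fails, that should be documented here as well, since TSSslServerContextCreate passes the result straight back to plugins.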
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index bd41877..ed80cf4 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -1685,6 +1685,47 @@ ssl_set_handshake_callbacks(SSL_CTX *ctx)
 #endif
 }
 
+SSL_CTX *
+SSLCreateServerContext(const SSLConfigParams *params) {
+  Vec<X509 *> cert_list;
+  const ssl_user_config sslMultCertSettings;
+  SSL_CTX *ctx = SSLInitServerContext(params, sslMultCertSettings, cert_list);
+
+  // The certificate callbacks are set by the caller only
+  // for the default certificate
+  SSL_CTX_set_info_callback(ctx, ssl_callback_info);
+
+#if TS_USE_TLS_NPN
+  SSL_CTX_set_next_protos_advertised_cb(ctx, SSLNetVConnection::advertise_next_protocol, NULL);
+#endif /* TS_USE_TLS_NPN */
+
+#if TS_USE_TLS_ALPN
+  SSL_CTX_set_alpn_select_cb(ctx, SSLNetVConnection::select_next_protocol, NULL);
+#endif /* TS_USE_TLS_ALPN */
+
+  // TODO: Allow control over tickets and ticket path when using SSLCreateServerContext
+  ssl_context_enable_tickets(ctx, NULL);
+
+#ifdef HAVE_OPENSSL_OCSP_STAPLING
+  if (SSLConfigParams::ssl_ocsp_enabled) {
+    Debug("ssl", "ssl ocsp stapling is enabled");
+    SSL_CTX_set_tlsext_status_cb(ctx, ssl_callback_ocsp_stapling);
+  } else {
+    Debug("ssl", "ssl ocsp stapling is disabled");
+  }
+#else
+  if (SSLConfigParams::ssl_ocsp_enabled) {
+    Warning("fail to enable ssl ocsp stapling, this openssl version does not support it");
+  }
+#endif /* HAVE_OPENSSL_OCSP_STAPLING */
+
+
+  if (SSLConfigParams::init_ssl_ctx_cb) {
+    SSLConfigParams::init_ssl_ctx_cb(ctx, true);
+  }
+  return ctx;
+}
+
 static SSL_CTX *
 ssl_store_ssl_context(const SSLConfigParams *params, SSLCertLookup *lookup, const ssl_user_config &sslMultCertSettings)
 {
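Review bot: `ctx` returned by SSLInitServerContext on the third line of the new function is passed to SSL_CTX_set_info_callback and every later SSL_CTX_* call without a NULL check; if SSLInitServerContext can fail and return NULL (its body is not in this hunk), this dereferences a null pointer instead of reporting the failure. Add `if (ctx == NULL) { return NULL; }` directly after the SSLInitServerContext line so the failure propagates to TSSslServerContextCreate's NULL return. The opening brace on the signature line and the double blank line before the init_ssl_ctx_cb check also differ from the surrounding file, which puts `{` on its own line as ssl_store_ssl_context below does. The TODO about tickets is worth keeping visible in the API docs, since plugin-created contexts get `ssl_context_enable_tickets(ctx, NULL)` with no way to opt out.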
diff --git a/proxy/InkAPI.cc b/proxy/InkAPI.cc
index 110efc7..dd7f649 100644
--- a/proxy/InkAPI.cc
+++ b/proxy/InkAPI.cc
@@ -8845,6 +8845,24 @@ TSSslContextFindByAddr(struct sockaddr const *addr)
   return ret;
 }
 
+tsapi TSSslContext
+TSSslServerContextCreate()
+{
+  TSSslContext ret = NULL;
+  SSLConfigParams *config = SSLConfig::acquire();
+  if (config != NULL) {
+    ret = reinterpret_cast<TSSslContext>(SSLCreateServerContext(config));
+    SSLConfig::release(config);
+  }
+  return ret;
+}
+
+tsapi void
+TSSslContextDestroy(TSSslContext ctx)
+{
+  SSLReleaseContext(reinterpret_cast<SSL_CTX*>(ctx));
+}
+
 tsapi int
 TSVConnIsSsl(TSVConn sslp)
 {
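Review bot: TSSslContextDestroy forwards `ctx` to SSLReleaseContext without a NULL check, while TSSslServerContextCreate directly above returns NULL when SSLConfig::acquire() yields no config; a plugin that hands that result back to destroy relies on SSLReleaseContext tolerating NULL, which is not visible here. Guard it with `if (ctx != NULL) { SSLReleaseContext(reinterpret_cast<SSL_CTX *>(ctx)); }`, which also brings the `SSL_CTX*` spacing in line with the file's `SSL_CTX *` style. In TSSslServerContextCreate the config is released on the line after SSLCreateServerContext returns, so it is worth confirming that the new context keeps no pointers into `config` past that call; a short comment on the release line stating that would make the lifetime explicit.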
diff --git a/proxy/api/ts/ts.h b/proxy/api/ts/ts.h
index a55408a..7fb07de 100644
--- a/proxy/api/ts/ts.h
+++ b/proxy/api/ts/ts.h
@@ -1224,9 +1224,14 @@ tsapi TSSslConnection TSVConnSSLConnectionGet(TSVConn sslp);
 // Fetch a SSL context from the global lookup table
 tsapi TSSslContext TSSslContextFindByName(const char *name);
 tsapi TSSslContext TSSslContextFindByAddr(struct sockaddr const *);
+// Create a new SSL context based on the settings in records.config
+tsapi TSSslContext TSSslServerContextCreate(void);
+tsapi void TSSslContextDestroy(TSSslContext ctx);
+
 // Returns 1 if the sslp argument refers to a SSL connection
 tsapi int TSVConnIsSsl(TSVConn sslp);
 
+
 /* --------------------------------------------------------------------------
    HTTP transactions */
 tsapi void TSHttpTxnHookAdd(TSHttpTxn txnp, TSHttpHookID id, TSCont contp);
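Review bot: The comment above TSSslServerContextCreate does not tell plugin authors that the returned context is owned by the caller, must be freed with TSSslContextDestroy, and can be NULL (the implementation in this commit returns NULL when the SSL config cannot be acquired). Suggest expanding it to `// Create a new SSL server context configured from the settings in records.config.` followed by `// Returns NULL on failure. The caller owns the context and must release it with TSSslContextDestroy().`. The lone added blank line after TSVConnIsSsl, just before the HTTP transactions banner, looks unintentional.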
