Posted to commits@trafficserver.apache.org by jp...@apache.org on 2012/08/07 05:44:06 UTC
git commit: TS-1392: Fix SNI certificate fallback path
Updated Branches:
refs/heads/master a2b709167 -> 9c3bebd88
TS-1392: Fix SNI certificate fallback path
When the SNI lookup fails, we fall back to a bad default SSL context
instead of the context that we selected when we accepted the TCP
connection. Make sure that we don't clobber an SSL context if the
SNI lookup fails.
Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/9c3bebd8
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/9c3bebd8
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/9c3bebd8
Branch: refs/heads/master
Commit: 9c3bebd88eecf6aee1ce346b67460b8e1787752d
Parents: a2b7091
Author: James Peach <jp...@apache.org>
Authored: Mon Aug 6 20:42:43 2012 -0700
Committer: James Peach <jp...@apache.org>
Committed: Mon Aug 6 20:42:43 2012 -0700
----------------------------------------------------------------------
CHANGES | 2 ++
iocore/net/SSLCertLookup.cc | 7 -------
iocore/net/SSLNetVConnection.cc | 17 ++++++++++++++---
3 files changed, 16 insertions(+), 10 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/9c3bebd8/CHANGES
----------------------------------------------------------------------
diff --git a/CHANGES b/CHANGES
index cacaa22..6399c3c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,8 @@
-*- coding: utf-8 -*-
Changes with Apache Traffic Server 3.3.0
+ *) [TS-1392] Fix SNI certificate fallback path
+
*) [TS-1385] generic atomic operations API
*) [TS-1380] SSL wildcard lookup doesn't find the longest match
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/9c3bebd8/iocore/net/SSLCertLookup.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLCertLookup.cc b/iocore/net/SSLCertLookup.cc
index b5392a7..3f2a29e 100644
--- a/iocore/net/SSLCertLookup.cc
+++ b/iocore/net/SSLCertLookup.cc
@@ -113,13 +113,6 @@ SSLCertLookup::init(SslConfigParams * p)
{
param = p;
multipleCerts = buildTable();
-
- // If there wasn't a default SSL context, make a default one. We need this to bootstrap
- // the SNI process and also to avoid crashing (which is generaly frowned upon).
- if (!this->ssl_default) {
- // XXX this leaks, but we're a singleton, so ....
- this->ssl_default = SSL_CTX_new(SSLv23_server_method());
- }
}
bool
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/9c3bebd8/iocore/net/SSLNetVConnection.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index e9372e9..fd89cba 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
@@ -46,6 +46,8 @@ ClassAllocator<SSLNetVConnection> sslNetVCAllocator("sslNetVCAllocator");
// Private
//
+static SSL_CTX * ssl_default = SSL_CTX_new(SSLv23_server_method());
+
#if TS_USE_TLS_SNI
static int
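Review bot: The added file-scope `ssl_default` calls SSL_CTX_new() during static initialization, before any startup code can have initialized the OpenSSL library, and on the OpenSSL releases of this era SSL_CTX_new() called before SSL_library_init() can fail (no ciphers registered yet) and return NULL. The result is never checked here, and the consumer in sslStartHandShake (`ctx = ssl_default;` in the last hunk of this file) does not check it either, so the "avoid crashing" fallback can itself hand a NULL context to the handshake. Either create the context from the library initialization path instead of a static initializer, or at least guard the use site: `if (ctx == NULL) { ctx = ssl_default; }` followed by `if (ctx == NULL) { Debug("ssl", "no usable SSL context for this connection"); return EVENT_ERROR; }`, with the error path adjusted to whatever sslStartHandShake's callers expect. A comment on the static would also help the next reader, since the context carries no certificate: `// Placeholder context used only when no configured context applies; it has no certificate, so handshakes on it fail rather than crash.`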
@@ -65,12 +67,18 @@ ssl_servername_callback(SSL * ssl, int * ad, void * arg)
ctx = lookup->defaultContext();
}
- if (ctx == NULL) {
- return SSL_TLSEXT_ERR_NOACK;
+ if (ctx != NULL) {
+ SSL_set_SSL_CTX(ssl, ctx);
}
+ // At this point, we might have updated ctx based on the SNI lookup, or we might still have the
+ // original SSL context that we set when we accepted the connection.
+ ctx = SSL_get_SSL_CTX(ssl);
Debug("ssl", "found SSL context %p for requested name '%s'", ctx, servername);
- SSL_set_SSL_CTX(ssl, ctx);
+
+ if (ctx == NULL) {
+ return SSL_TLSEXT_ERR_NOACK;
+ }
// We need to return one of the SSL_TLSEXT_ERR constants. If we return an
// error, we can fill in *ad with an alert code to propgate to the
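Review bot: The return value of `SSL_set_SSL_CTX(ssl, ctx)` at the replaced `if (ctx != NULL)` branch is ignored; it returns NULL when the switch fails, and the code then reads back whatever context the `SSL` still holds while the Debug line reports that context as "found" for the requested name. The same Debug line is now printed on the no-match path too, so the log no longer distinguishes an SNI hit from a fallback to the accept-time context, which is exactly the case the commit message is about. Consider checking the return, `if (SSL_set_SSL_CTX(ssl, ctx) == NULL) { Debug("ssl", "failed to switch to SSL context %p for '%s'", ctx, servername); }`, and wording the message so it says whether the lookup matched. The trailing `ctx == NULL` check after `SSL_get_SSL_CTX(ssl)` is presumably only reachable if the `SSL` was created without a context, so a short comment on what it is guarding would avoid it being read as the SNI-miss case. ssl_servername_callback continues outside the hunk.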
@@ -495,6 +503,9 @@ SSLNetVConnection::sslStartHandShake(int event, int &err)
if (ctx == NULL) {
ctx = sslCertLookup.defaultContext();
}
+ if (ctx == NULL) {
+ ctx = ssl_default;
+ }
#if TS_USE_TLS_SNI
Debug("ssl", "setting SNI callbacks with initial ctx %p", ctx);
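Review bot: The new `ctx = ssl_default;` fallback is silent, and the Debug line that follows prints only the pointer, so an operator whose port has no matching certificate configured will only see handshakes failing without any log line pointing at the missing configuration. Since this path is taken per connection, a diagnostic inside the new branch makes the misconfiguration visible where it happens: `Debug("ssl", "no SSL context configured for this connection, using the built-in default");`. The surrounding sslStartHandShake body starts and ends outside the hunk.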