You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@trafficserver.apache.org by zw...@apache.org on 2017/07/07 15:13:01 UTC
[trafficserver] branch 7.1.x updated: TS-3746: make
proxy.config.ssl.client.verify.server overridable
This is an automated email from the ASF dual-hosted git repository.
zwoop pushed a commit to branch 7.1.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/7.1.x by this push:
new e4d9ade TS-3746: make proxy.config.ssl.client.verify.server overridable
e4d9ade is described below
commit e4d9adec374651ff4b898bb0b552b6fdf5fd5680
Author: Persia Aziz <pe...@yahoo-inc.com>
AuthorDate: Tue Apr 11 14:22:59 2017 -0500
TS-3746: make proxy.config.ssl.client.verify.server overridable
---
doc/admin-guide/files/records.config.en.rst | 2 ++
iocore/net/I_NetVConnection.h | 2 ++
iocore/net/P_SSLClientUtils.h | 2 ++
iocore/net/SSLConfig.cc | 1 -
iocore/net/SSLNetVConnection.cc | 7 ++++++-
lib/ts/apidefs.h.in | 1 +
mgmt/RecordsConfig.cc | 2 +-
plugins/experimental/ts_lua/ts_lua_http_config.c | 2 ++
proxy/InkAPI.cc | 5 +++++
proxy/InkAPITest.cc | 2 +-
proxy/http/HttpConfig.cc | 2 ++
proxy/http/HttpConfig.h | 6 ++++++
proxy/http/HttpSM.cc | 11 +++++++----
13 files changed, 37 insertions(+), 8 deletions(-)
diff --git a/doc/admin-guide/files/records.config.en.rst b/doc/admin-guide/files/records.config.en.rst
index 5345cf5..54ce8ce 100644
--- a/doc/admin-guide/files/records.config.en.rst
+++ b/doc/admin-guide/files/records.config.en.rst
@@ -3213,6 +3213,8 @@ Client-Related Configuration
----------------------------
.. ts:cv:: CONFIG proxy.config.ssl.client.verify.server INT 0
+ :reloadable:
+ :overridable:
Configures Traffic Server to verify the origin server certificate
with the Certificate Authority (CA).
diff --git a/iocore/net/I_NetVConnection.h b/iocore/net/I_NetVConnection.h
index a815cf3..da460d5 100644
--- a/iocore/net/I_NetVConnection.h
+++ b/iocore/net/I_NetVConnection.h
@@ -184,6 +184,8 @@ struct NetVCOptions {
*/
ats_scoped_str clientCertificate;
/// Reset all values to defaults.
+
+ uint8_t clientVerificationFlag = 0;
void reset();
void set_sock_param(int _recv_bufsize, int _send_bufsize, unsigned long _opt_flags, unsigned long _packet_mark = 0,
diff --git a/iocore/net/P_SSLClientUtils.h b/iocore/net/P_SSLClientUtils.h
index 6410af3..32d2a1d 100644
--- a/iocore/net/P_SSLClientUtils.h
+++ b/iocore/net/P_SSLClientUtils.h
@@ -37,4 +37,6 @@
// Create and initialize a SSL client context.
SSL_CTX *SSLInitClientContext(const struct SSLConfigParams *param);
+int verify_callback(int preverify_ok, X509_STORE_CTX *ctx);
+
#endif /* IOCORE_NET_P_SSLCLIENTUTILS_H_ */
diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
index 03c42e0..a94100b 100644
--- a/iocore/net/SSLConfig.cc
+++ b/iocore/net/SSLConfig.cc
@@ -291,7 +291,6 @@ SSLConfigParams::initialize()
// ++++++++++++++++++++++++ Client part ++++++++++++++++++++
client_verify_depth = 7;
- REC_ReadConfigInt32(clientVerify, "proxy.config.ssl.client.verify.server");
ssl_client_cert_filename = nullptr;
ssl_client_cert_path = nullptr;
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index f74e2b2..37e4b7f 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
@@ -30,6 +30,7 @@
#include "P_SSLConfig.h"
#include "BIO_fastopen.h"
#include "Log.h"
+#include "P_SSLClientUtils.h"
#include <climits>
#include <string>
@@ -916,7 +917,6 @@ SSLNetVConnection::free(EThread *t)
THREAD_FREE(this, sslNetVCAllocator, t);
}
}
-
int
SSLNetVConnection::sslStartHandShake(int event, int &err)
{
@@ -1003,6 +1003,11 @@ SSLNetVConnection::sslStartHandShake(int event, int &err)
}
}
this->ssl = make_ssl_connection(clientCTX, this);
+ if (this->ssl != nullptr) {
+ uint8_t clientVerify = this->options.clientVerificationFlag;
+ int verifyValue = clientVerify & 1 ? SSL_VERIFY_PEER : SSL_VERIFY_NONE;
+ SSL_set_verify(this->ssl, verifyValue, verify_callback);
+ }
if (this->ssl == nullptr) {
SSLErrorVC(this, "failed to create SSL client session");
diff --git a/lib/ts/apidefs.h.in b/lib/ts/apidefs.h.in
index d835fe5..4f0ada3 100644
--- a/lib/ts/apidefs.h.in
+++ b/lib/ts/apidefs.h.in
@@ -752,6 +752,7 @@ typedef enum {
TS_CONFIG_HTTP_PARENT_PROXY_RETRY_TIME,
TS_CONFIG_HTTP_PER_PARENT_CONNECT_ATTEMPTS,
TS_CONFIG_HTTP_PARENT_CONNECT_ATTEMPT_TIMEOUT,
+ TS_CONFIG_SSL_CLIENT_VERIFY_SERVER,
TS_CONFIG_LAST_ENTRY
} TSOverridableConfigKey;
diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
index 54f28ad..383ede2 100644
--- a/mgmt/RecordsConfig.cc
+++ b/mgmt/RecordsConfig.cc
@@ -1257,7 +1257,7 @@ static const RecordElement RecordsConfig[] =
,
{RECT_CONFIG, "proxy.config.ssl.CA.cert.path", RECD_STRING, TS_BUILD_SYSCONFDIR, RECU_RESTART_TS, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
,
- {RECT_CONFIG, "proxy.config.ssl.client.verify.server", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
+ {RECT_CONFIG, "proxy.config.ssl.client.verify.server", RECD_INT, "0", RECU_DYNAMIC, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
,
{RECT_CONFIG, "proxy.config.ssl.client.cert.filename", RECD_STRING, nullptr, RECU_RESTART_TS, RR_NULL, RECC_STR, "^[^[:space:]]*$", RECA_NULL}
,
diff --git a/plugins/experimental/ts_lua/ts_lua_http_config.c b/plugins/experimental/ts_lua/ts_lua_http_config.c
index b3560ab..b16b4f1 100644
--- a/plugins/experimental/ts_lua/ts_lua_http_config.c
+++ b/plugins/experimental/ts_lua/ts_lua_http_config.c
@@ -128,6 +128,7 @@ typedef enum {
TS_LUA_CONFIG_HTTP_PARENT_PROXY_RETRY_TIME = TS_CONFIG_HTTP_PARENT_PROXY_RETRY_TIME,
TS_LUA_CONFIG_HTTP_PER_PARENT_CONNECT_ATTEMPTS = TS_CONFIG_HTTP_PER_PARENT_CONNECT_ATTEMPTS,
TS_LUA_CONFIG_HTTP_PARENT_CONNECT_ATTEMPT_TIMEOUT = TS_CONFIG_HTTP_PARENT_CONNECT_ATTEMPT_TIMEOUT,
+ TS_LUA_CONFIG_SSL_CLIENT_VERIFY_SERVER = TS_CONFIG_SSL_CLIENT_VERIFY_SERVER,
TS_LUA_CONFIG_LAST_ENTRY = TS_CONFIG_LAST_ENTRY,
} TSLuaOverridableConfigKey;
@@ -248,6 +249,7 @@ ts_lua_var_item ts_lua_http_config_vars[] = {
TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_HTTP_PARENT_PROXY_RETRY_TIME),
TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_HTTP_PER_PARENT_CONNECT_ATTEMPTS),
TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_HTTP_PARENT_CONNECT_ATTEMPT_TIMEOUT),
+ TS_LUA_MAKE_VAR_ITEM(TS_CONFIG_SSL_CLIENT_VERIFY_SERVER),
TS_LUA_MAKE_VAR_ITEM(TS_LUA_CONFIG_LAST_ENTRY),
};
diff --git a/proxy/InkAPI.cc b/proxy/InkAPI.cc
index e937e76..8dfd0ba 100644
--- a/proxy/InkAPI.cc
+++ b/proxy/InkAPI.cc
@@ -8168,6 +8168,9 @@ _conf_to_memberp(TSOverridableConfigKey conf, OverridableHttpConfigParams *overr
case TS_CONFIG_PARENT_FAILURES_UPDATE_HOSTDB:
ret = &overridableHttpConfig->parent_failures_update_hostdb;
break;
+ case TS_CONFIG_SSL_CLIENT_VERIFY_SERVER:
+ ret = &overridableHttpConfig->ssl_client_verify_server;
+ break;
case TS_CONFIG_HTTP_PARENT_PROXY_FAIL_THRESHOLD:
typ = OVERRIDABLE_TYPE_INT;
ret = &overridableHttpConfig->parent_fail_threshold;
@@ -8506,6 +8509,8 @@ TSHttpTxnConfigFind(const char *name, int length, TSOverridableConfigKey *conf,
if (!strncmp(name, "proxy.config.http.response_server_str", length)) {
cnf = TS_CONFIG_HTTP_RESPONSE_SERVER_STR;
typ = TS_RECORDDATATYPE_STRING;
+ } else if (!strncmp(name, "proxy.config.ssl.client.verify.server", length)) {
+ cnf = TS_CONFIG_SSL_CLIENT_VERIFY_SERVER;
}
break;
case 't':
diff --git a/proxy/InkAPITest.cc b/proxy/InkAPITest.cc
index df95f25..486c343 100644
--- a/proxy/InkAPITest.cc
+++ b/proxy/InkAPITest.cc
@@ -7601,8 +7601,8 @@ const char *SDK_Overridable_Configs[TS_CONFIG_LAST_ENTRY] = {
"proxy.config.http.parent_proxy.retry_time",
"proxy.config.http.parent_proxy.per_parent_connect_attempts",
"proxy.config.http.parent_proxy.connect_attempts_timeout",
+ "proxy.config.ssl.client.verify.server",
};
-
REGRESSION_TEST(SDK_API_OVERRIDABLE_CONFIGS)(RegressionTest *test, int /* atype ATS_UNUSED */, int *pstatus)
{
const char *conf;
diff --git a/proxy/http/HttpConfig.cc b/proxy/http/HttpConfig.cc
index 130fd9a..412bd95 100644
--- a/proxy/http/HttpConfig.cc
+++ b/proxy/http/HttpConfig.cc
@@ -1084,6 +1084,7 @@ HttpConfig::startup()
HttpEstablishStaticConfigByte(c.errors_log_error_pages, "proxy.config.http.errors.log_error_pages");
HttpEstablishStaticConfigLongLong(c.oride.slow_log_threshold, "proxy.config.http.slow.log.threshold");
+ HttpEstablishStaticConfigByte(c.oride.ssl_client_verify_server, "proxy.config.ssl.client.verify.server");
HttpEstablishStaticConfigByte(c.record_cop_page, "proxy.config.http.record_heartbeat");
@@ -1371,6 +1372,7 @@ HttpConfig::reconfigure()
params->errors_log_error_pages = INT_TO_BOOL(m_master.errors_log_error_pages);
params->oride.slow_log_threshold = m_master.oride.slow_log_threshold;
params->record_cop_page = INT_TO_BOOL(m_master.record_cop_page);
+ params->oride.ssl_client_verify_server = INT_TO_BOOL(m_master.oride.ssl_client_verify_server);
params->oride.send_http11_requests = m_master.oride.send_http11_requests;
params->oride.doc_in_cache_skip_dns = INT_TO_BOOL(m_master.oride.doc_in_cache_skip_dns);
params->oride.default_buffer_size_index = m_master.oride.default_buffer_size_index;
diff --git a/proxy/http/HttpConfig.h b/proxy/http/HttpConfig.h
index 4ec49c1..6f15f97 100644
--- a/proxy/http/HttpConfig.h
+++ b/proxy/http/HttpConfig.h
@@ -413,6 +413,7 @@ struct OverridableHttpConfigParams {
parent_failures_update_hostdb(0),
cache_open_write_fail_action(0),
post_check_content_length_enabled(1),
+ ssl_client_verify_server(0),
redirection_enabled(0),
redirect_use_orig_cache_key(0),
number_of_redirections(1),
@@ -577,6 +578,11 @@ struct OverridableHttpConfigParams {
////////////////////////
MgmtByte post_check_content_length_enabled;
+ /////////////////////////////
+ // server verification mode//
+ /////////////////////////////
+ MgmtByte ssl_client_verify_server;
+
//##############################################################################
//#
//# Redirection
diff --git a/proxy/http/HttpSM.cc b/proxy/http/HttpSM.cc
index 5e17b0f..1ec919d 100644
--- a/proxy/http/HttpSM.cc
+++ b/proxy/http/HttpSM.cc
@@ -5491,12 +5491,15 @@ HttpSM::handle_http_server_open()
// server session's first transaction.
if (nullptr != server_session) {
NetVConnection *vc = server_session->get_netvc();
+
if (vc != nullptr && (vc->options.sockopt_flags != t_state.txn_conf->sock_option_flag_out ||
vc->options.packet_mark != t_state.txn_conf->sock_packet_mark_out ||
- vc->options.packet_tos != t_state.txn_conf->sock_packet_tos_out)) {
- vc->options.sockopt_flags = t_state.txn_conf->sock_option_flag_out;
- vc->options.packet_mark = t_state.txn_conf->sock_packet_mark_out;
- vc->options.packet_tos = t_state.txn_conf->sock_packet_tos_out;
+ vc->options.packet_tos != t_state.txn_conf->sock_packet_tos_out ||
+ vc->options.clientVerificationFlag != t_state.txn_conf->ssl_client_verify_server)) {
+ vc->options.sockopt_flags = t_state.txn_conf->sock_option_flag_out;
+ vc->options.packet_mark = t_state.txn_conf->sock_packet_mark_out;
+ vc->options.packet_tos = t_state.txn_conf->sock_packet_tos_out;
+ vc->options.clientVerificationFlag = t_state.txn_conf->ssl_client_verify_server;
vc->apply_options();
}
}
--
To stop receiving notification emails like this one, please contact
['"commits@trafficserver.apache.org" <co...@trafficserver.apache.org>'].