Posted to commits@trafficserver.apache.org by zw...@apache.org on 2021/03/16 20:35:16 UTC
[trafficserver] branch 9.1.x updated: Add server_name option to
proxy.config.ssl.client.sni_policy (#7533)
This is an automated email from the ASF dual-hosted git repository.
zwoop pushed a commit to branch 9.1.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/9.1.x by this push:
new 5ca791a Add server_name option to proxy.config.ssl.client.sni_policy (#7533)
5ca791a is described below
commit 5ca791a809de8140cb847f5fd2f951406523637c
Author: Masaori Koshiba <ma...@apache.org>
AuthorDate: Wed Feb 24 07:56:22 2021 +0900
Add server_name option to proxy.config.ssl.client.sni_policy (#7533)
(cherry picked from commit 884f4a4e57378100847d7d5cfd56c688155321a6)
---
doc/admin-guide/files/records.config.en.rst | 3 +++
proxy/http/HttpSM.cc | 2 ++
.../tls/tls_verify_override_base.test.py | 26 +++++++++++++++++++++-
3 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/doc/admin-guide/files/records.config.en.rst b/doc/admin-guide/files/records.config.en.rst
index fcbec12..6f7529a 100644
--- a/doc/admin-guide/files/records.config.en.rst
+++ b/doc/admin-guide/files/records.config.en.rst
@@ -3662,6 +3662,9 @@ Client-Related Configuration
``host``
This is the default. The value of the ``Host`` field in the proxy request is used.
+ ``server_name``
+ The SNI value of the inbound TLS connection is used.
+
``remap``
The remapped upstream name is used.
diff --git a/proxy/http/HttpSM.cc b/proxy/http/HttpSM.cc
index ec539af..ee1b09a 100644
--- a/proxy/http/HttpSM.cc
+++ b/proxy/http/HttpSM.cc
@@ -4876,6 +4876,8 @@ HttpSM::get_outbound_sni() const
int len;
char const *ptr = t_state.hdr_info.server_request.host_get(&len);
zret.assign(ptr, len);
+ } else if (ua_txn && !strcmp(policy, "server_name"_tv)) {
+ zret.assign(ua_txn->get_netvc()->get_server_name(), ts::TextView::npos);
} else if (policy.front() == '@') { // guaranteed non-empty from previous clause
zret = policy.remove_prefix(1);
} else {
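Review bot: The new `server_name` branch hands the result of `ua_txn->get_netvc()->get_server_name()` straight to `zret.assign(..., ts::TextView::npos)`, and with an npos length that call presumably measures the string from the pointer, so a null return — plausible when the inbound connection is not TLS or the client sent no SNI — would be dereferenced; whether `get_netvc()` itself can be null here is also not visible in the hunk. A local guard keeps the fallback decision in one place: `char const *sni = ua_txn->get_netvc()->get_server_name();` followed by `if (sni != nullptr) { zret.assign(sni, ts::TextView::npos); }`, leaving `zret` empty when there is no inbound server name. What an empty `zret` means to the caller, and the remaining clauses of get_outbound_sni(), lie outside the hunk, so the intended no-SNI behaviour should be confirmed and stated in the records.config entry for this option (e.g. "falls back to … when the inbound connection carries no SNI"). Like the `host` policy, this value is supplied by the client, so the upstream name check under proxy.config.ssl.client.verify.server.properties=NAME is what bounds it; a brief comment on the branch noting that would help the next reader.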
diff --git a/tests/gold_tests/tls/tls_verify_override_base.test.py b/tests/gold_tests/tls/tls_verify_override_base.test.py
index 8650ad6..b5d06d4 100644
--- a/tests/gold_tests/tls/tls_verify_override_base.test.py
+++ b/tests/gold_tests/tls/tls_verify_override_base.test.py
@@ -21,7 +21,7 @@ Test tls server certificate verification options. Exercise conf_remap
'''
# Define default ATS
-ts = Test.MakeATSProcess("ts", select_ports=True)
+ts = Test.MakeATSProcess("ts", select_ports=True, enable_tls=True)
server_foo = Test.MakeOriginServer("server_foo",
ssl=True,
options={"--key": "{0}/signed-foo.key".format(Test.RunDirectory),
@@ -85,11 +85,17 @@ ts.Disk.remap_config.AddLine(
'map /snipolicyfoohost https://foo.com:{0} @plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.properties=NAME @plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.policy=ENFORCED @plugin=conf_remap.so @pparam=proxy.config.ssl.client.sni_policy=host'.format(
server_bar.Variables.SSL_Port))
ts.Disk.remap_config.AddLine(
+ 'map /snipolicyfooservername https://foo.com:{0} @plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.properties=NAME @plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.policy=ENFORCED @plugin=conf_remap.so @pparam=proxy.config.ssl.client.sni_policy=server_name'.format(
+ server_bar.Variables.SSL_Port))
+ts.Disk.remap_config.AddLine(
'map /snipolicybarremap https://bar.com:{0} @plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.properties=NAME @plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.policy=ENFORCED @plugin=conf_remap.so @pparam=proxy.config.ssl.client.sni_policy=remap'.format(
server_bar.Variables.SSL_Port))
ts.Disk.remap_config.AddLine(
'map /snipolicybarhost https://bar.com:{0} @plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.properties=NAME @plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.policy=ENFORCED @plugin=conf_remap.so @pparam=proxy.config.ssl.client.sni_policy=host'.format(
server_bar.Variables.SSL_Port))
+ts.Disk.remap_config.AddLine(
+ 'map /snipolicybarservername https://bar.com:{0} @plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.properties=NAME @plugin=conf_remap.so @pparam=proxy.config.ssl.client.verify.server.policy=ENFORCED @plugin=conf_remap.so @pparam=proxy.config.ssl.client.sni_policy=server_name'.format(
+ server_bar.Variables.SSL_Port))
ts.Disk.ssl_multicert_config.AddLine(
'dest_ip=* ssl_cert_name=server.pem ssl_key_name=server.key'
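Review bot: The new `/snipolicyfooservername` rule maps a `foo.com` upstream hostname to `server_bar.Variables.SSL_Port`, mirroring the existing `/snipolicyfoohost` line directly above it, so the hostname/port mismatch looks deliberate: the `bar-to-foo-sni-policy-servername` run later in the diff expects success, presumably because the client's SNI (bar.com) is what gets sent and checked against the bar server's certificate. Nothing in the file says this, and a reader is likely to "fix" the port. A one-line comment before these AddLine calls would prevent that: `# foo.com rules intentionally target server_bar's port; which SNI is sent upstream decides whether the NAME check passes`.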
@@ -194,6 +200,15 @@ tr.StillRunningAfter = ts
tr.Processes.Default.Streams.stdout = Testers.ContainsExpression("Could not connect", "Curl attempt should fail")
# Should fail
+tr = Test.AddTestRun("foo-to-bar-sni-policy-servername")
+tr.Processes.Default.Command = "curl -k --resolv foo.com:{0}:127.0.0.1 https://foo.com:{0}/snipolicybarservername".format(
+ ts.Variables.ssl_port)
+tr.ReturnCode = 0
+tr.StillRunningAfter = server
+tr.StillRunningAfter = ts
+tr.Processes.Default.Streams.stdout = Testers.ContainsExpression("Could not connect", "Curl attempt should fail")
+
+# Should fail
tr = Test.AddTestRun("bar-to-foo-sni-policy-remap")
tr.Processes.Default.Command = "curl -k -H \"host: bar.com\" http://127.0.0.1:{0}/snipolicyfooremap".format(ts.Variables.port)
tr.ReturnCode = 0
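Review bot: Both new `server_name` runs — this one and `bar-to-foo-sni-policy-servername` in the next hunk — reach ATS over TLS on `ts.Variables.ssl_port`, so the inbound connection always carries an SNI; there is no run that sends plain HTTP to `ts.Variables.port` against a `sni_policy=server_name` remap, which is exactly the case where no inbound server name exists and the policy has to fall back. A run in the style of `bar-to-foo-sni-policy-remap` below, `curl -k -H "host: bar.com" http://127.0.0.1:{0}/snipolicyfooservername`, would pin that behaviour. Its expected outcome cannot be read from this diff, so the `ContainsExpression`/`ExcludesExpression` choice should follow whatever fallback the HttpSM change is meant to implement. Separately, `--resolv` in the new curl commands is presumably accepted as an abbreviation of `--resolve`; spelling out `--resolve` avoids relying on that.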
@@ -209,6 +224,15 @@ tr.StillRunningAfter = server
tr.StillRunningAfter = ts
tr.Processes.Default.Streams.stdout = Testers.ExcludesExpression("Could not connect", "Curl attempt should succeed")
+# Should succeed
+tr = Test.AddTestRun("bar-to-foo-sni-policy-servername")
+tr.Processes.Default.Command = "curl -k --resolv bar.com:{0}:127.0.0.1 https://bar.com:{0}/snipolicyfooservername".format(
+ ts.Variables.ssl_port)
+tr.ReturnCode = 0
+tr.StillRunningAfter = server
+tr.StillRunningAfter = ts
+tr.Processes.Default.Streams.stdout = Testers.ExcludesExpression("Could not connect", "Curl attempt should succeed")
+
# Over riding the built in ERROR check since we expect some cases to fail