Posted to commits@trafficserver.apache.org by pa...@apache.org on 2018/04/26 22:12:26 UTC
[trafficserver] branch master updated: API for setting OCSP Callback
This is an automated email from the ASF dual-hosted git repository.
paziz pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new 2724159 API for setting OCSP Callback
2724159 is described below
commit 2724159802a9cd55936b50b744b2e79d5557d861
Author: Persia Aziz <pe...@yahoo-inc.com>
AuthorDate: Tue Mar 27 14:43:13 2018 -0500
API for setting OCSP Callback
---
.../{TSSslContextFindBy.en.rst => TSSslContext.en.rst} | 7 ++++---
.../api/functions/TSSslServerContextCreate.en.rst | 6 ++++--
doc/developer-guide/api/functions/TSTypes.en.rst | 4 ++++
lib/ts/apidefs.h.in | 1 +
proxy/InkAPI.cc | 10 +++++++++-
proxy/InkAPITest.cc | 2 +-
proxy/api/ts/ts.h | 2 +-
7 files changed, 24 insertions(+), 8 deletions(-)
diff --git a/doc/developer-guide/api/functions/TSSslContextFindBy.en.rst b/doc/developer-guide/api/functions/TSSslContext.en.rst
similarity index 94%
rename from doc/developer-guide/api/functions/TSSslContextFindBy.en.rst
rename to doc/developer-guide/api/functions/TSSslContext.en.rst
index b9bc07e..e921d5b 100644
--- a/doc/developer-guide/api/functions/TSSslContextFindBy.en.rst
+++ b/doc/developer-guide/api/functions/TSSslContext.en.rst
@@ -18,10 +18,10 @@
.. default-domain:: c
-TSSslContextFindByName
-**********************
+TS SSL Context
+**************
-Traffic Server TLS server context lookup.
+Traffic Server TLS server context.
Synopsis
========
@@ -44,6 +44,7 @@ created from :file:`ssl_multicert.config` matchin against the server
:arg:`address`.
+
See also
========
diff --git a/doc/developer-guide/api/functions/TSSslServerContextCreate.en.rst b/doc/developer-guide/api/functions/TSSslServerContextCreate.en.rst
index c9e1429..38f982b 100644
--- a/doc/developer-guide/api/functions/TSSslServerContextCreate.en.rst
+++ b/doc/developer-guide/api/functions/TSSslServerContextCreate.en.rst
@@ -28,14 +28,16 @@ Synopsis
`#include <ts/ts.h>`
-.. function:: TSSslContext TSSslServerContextCreate(void)
+.. function:: TSSslContext TSSslServerContextCreate(TSSslX509 *cert, char *certname)
.. function:: void TSSslContextDestroy(TSSslContext ctx)
Description
===========
:func:`TSSslServerContextCreate` creates a new TLS server context. The context
-is configured using the TLS settings specified in :file:`records.config`.
+is configured using the TLS settings specified in :file:`records.config`. The user can pass certificate object(:type:`TSSslX509` :arg:`cert`
+and certname (:code:`const char*` :arg:`certname`) optionally.
+This function sets the certificate status callback and initializes ocsp stapling data if :arg:`cert` and :arg:`certname` is provided and ocsp is enabled globally.
:func:`TSSslServerContextCreate` returns ``nullptr`` on failure.
:func:`TSSslContextDestroy` destroys a TLS context created by
diff --git a/doc/developer-guide/api/functions/TSTypes.en.rst b/doc/developer-guide/api/functions/TSTypes.en.rst
index d07ef6e..b828328 100644
--- a/doc/developer-guide/api/functions/TSTypes.en.rst
+++ b/doc/developer-guide/api/functions/TSTypes.en.rst
@@ -136,6 +136,10 @@ more widely. Those are described on this page.
.. type:: TSRemapRequestInfo
+.. type:: TSSslX509
+
+ This type represents the :code:`X509` object created from an SSL certificate.
+
.. type:: TSTextLogObject
This type represents a custom log file that you create with
diff --git a/lib/ts/apidefs.h.in b/lib/ts/apidefs.h.in
index b889588..e3fd982 100644
--- a/lib/ts/apidefs.h.in
+++ b/lib/ts/apidefs.h.in
@@ -856,6 +856,7 @@ typedef struct tsapi_cachetxn *TSCacheTxn;
typedef struct tsapi_port *TSPortDescriptor;
typedef struct tsapi_vio *TSVIO;
typedef struct tsapi_thread *TSThread;
+typedef struct tsapi_x509 *TSSslX509;
typedef struct tsapi_mutex *TSMutex;
typedef struct tsapi_config *TSConfig;
typedef struct tsapi_cont *TSCont;
diff --git a/proxy/InkAPI.cc b/proxy/InkAPI.cc
index e920bbe..565f839 100644
--- a/proxy/InkAPI.cc
+++ b/proxy/InkAPI.cc
@@ -58,6 +58,7 @@
#include "I_AIO.h"
#include "I_Tasks.h"
+#include "P_OCSPStapling.h"
#include "I_RecDefs.h"
#include "I_RecCore.h"
#include "I_Machine.h"
@@ -9285,12 +9286,19 @@ TSSslContextFindByAddr(struct sockaddr const *addr)
}
tsapi TSSslContext
-TSSslServerContextCreate()
+TSSslServerContextCreate(TSSslX509 cert, const char *certname)
{
TSSslContext ret = nullptr;
SSLConfigParams *config = SSLConfig::acquire();
if (config != nullptr) {
ret = reinterpret_cast<TSSslContext>(SSLCreateServerContext(config));
+ if (ret && SSLConfigParams::ssl_ocsp_enabled && cert && certname) {
+ if (SSL_CTX_set_tlsext_status_cb(reinterpret_cast<SSL_CTX *>(ret), ssl_callback_ocsp_stapling)) {
+ if (!ssl_stapling_init_cert(reinterpret_cast<SSL_CTX *>(ret), reinterpret_cast<X509 *>(cert), certname)) {
+ Warning("fail to configure SSL_CTX for OCSP Stapling info for certificate at %s", (const char *)certname);
+ }
+ }
+ }
SSLConfig::release(config);
}
return ret;
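Review bot: If `SSL_CTX_set_tlsext_status_cb` returns failure in the new block, the function still returns a usable context but with no status callback and no log line, so a plugin that passed `cert` and `certname` expecting stapling has no way to notice; only the inner `ssl_stapling_init_cert` failure is warned about. Add an else branch on the callback check, e.g. `} else { Warning("fail to set OCSP stapling callback for certificate at %s", certname); }`, so a misconfigured stapling setup is observable in the logs. The `(const char *)certname` cast in the existing Warning is redundant, since `certname` is already `const char *`. The stapling path is also skipped silently when only one of `cert`/`certname` is non-null, which is worth either a Debug line or a note in the header that both are required together. The closing brace of TSSslServerContextCreate lies outside the hunk.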
diff --git a/proxy/InkAPITest.cc b/proxy/InkAPITest.cc
index 2085ebd..b38df07 100644
--- a/proxy/InkAPITest.cc
+++ b/proxy/InkAPITest.cc
@@ -8073,7 +8073,7 @@ REGRESSION_TEST(SDK_API_TSSslServerContextCreate)(RegressionTest *test, int leve
TSSslContext ctx;
// See TS-4769: TSSslServerContextCreate always returns null.
- ctx = TSSslServerContextCreate();
+ ctx = TSSslServerContextCreate(nullptr, nullptr);
*pstatus = ctx ? REGRESSION_TEST_PASSED : REGRESSION_TEST_FAILED;
TSSslContextDestroy(ctx);
diff --git a/proxy/api/ts/ts.h b/proxy/api/ts/ts.h
index 7fceaad..7598fc2 100644
--- a/proxy/api/ts/ts.h
+++ b/proxy/api/ts/ts.h
@@ -1236,7 +1236,7 @@ tsapi TSSslConnection TSVConnSSLConnectionGet(TSVConn sslp);
tsapi TSSslContext TSSslContextFindByName(const char *name);
tsapi TSSslContext TSSslContextFindByAddr(struct sockaddr const *);
/* Create a new SSL context based on the settings in records.config */
-tsapi TSSslContext TSSslServerContextCreate(void);
+tsapi TSSslContext TSSslServerContextCreate(TSSslX509 cert, const char *certname);
tsapi void TSSslContextDestroy(TSSslContext ctx);
tsapi void TSSslTicketKeyUpdate(char *ticketData, int ticketDataLen);
tsapi TSNextProtocolSet TSUnregisterProtocol(TSNextProtocolSet protoset, const char *protocol);
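Review bot: The comment directly above the changed prototype still reads `/* Create a new SSL context based on the settings in records.config */` and says nothing about the two new parameters, so a plugin author reading ts.h cannot tell what `cert` and `certname` do or that the stapling setup only happens when both are non-null. Suggest extending it to `/* Create a new SSL context based on the settings in records.config. If cert and certname are both non-null and OCSP stapling is enabled globally, the context's certificate status callback and stapling data are initialized for that certificate; pass nullptr for both to skip this. */`. Note also that the synopsis added to TSSslServerContextCreate.en.rst in this same commit declares `TSSslX509 *cert, char *certname`, which does not match this prototype's `TSSslX509 cert, const char *certname`; one of the two should be corrected.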
--