Posted to commits@trafficserver.apache.org by pa...@apache.org on 2018/04/26 22:12:26 UTC

[trafficserver] branch master updated: API for setting OCSP Callback

This is an automated email from the ASF dual-hosted git repository.

paziz pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/master by this push:
     new 2724159  API for setting OCSP Callback
2724159 is described below

commit 2724159802a9cd55936b50b744b2e79d5557d861
Author: Persia Aziz <pe...@yahoo-inc.com>
AuthorDate: Tue Mar 27 14:43:13 2018 -0500

    API for setting OCSP Callback
---
 .../{TSSslContextFindBy.en.rst => TSSslContext.en.rst}         |  7 ++++---
 .../api/functions/TSSslServerContextCreate.en.rst              |  6 ++++--
 doc/developer-guide/api/functions/TSTypes.en.rst               |  4 ++++
 lib/ts/apidefs.h.in                                            |  1 +
 proxy/InkAPI.cc                                                | 10 +++++++++-
 proxy/InkAPITest.cc                                            |  2 +-
 proxy/api/ts/ts.h                                              |  2 +-
 7 files changed, 24 insertions(+), 8 deletions(-)

diff --git a/doc/developer-guide/api/functions/TSSslContextFindBy.en.rst b/doc/developer-guide/api/functions/TSSslContext.en.rst
similarity index 94%
rename from doc/developer-guide/api/functions/TSSslContextFindBy.en.rst
rename to doc/developer-guide/api/functions/TSSslContext.en.rst
index b9bc07e..e921d5b 100644
--- a/doc/developer-guide/api/functions/TSSslContextFindBy.en.rst
+++ b/doc/developer-guide/api/functions/TSSslContext.en.rst
@@ -18,10 +18,10 @@
 
 .. default-domain:: c
 
-TSSslContextFindByName
-**********************
+TS SSL Context
+**************
 
-Traffic Server TLS server context lookup.
+Traffic Server TLS server context.
 
 Synopsis
 ========
@@ -44,6 +44,7 @@ created from :file:`ssl_multicert.config` matchin against the server
 :arg:`address`.
 
 
+
 See also
 ========
 
diff --git a/doc/developer-guide/api/functions/TSSslServerContextCreate.en.rst b/doc/developer-guide/api/functions/TSSslServerContextCreate.en.rst
index c9e1429..38f982b 100644
--- a/doc/developer-guide/api/functions/TSSslServerContextCreate.en.rst
+++ b/doc/developer-guide/api/functions/TSSslServerContextCreate.en.rst
@@ -28,14 +28,16 @@ Synopsis
 
 `#include <ts/ts.h>`
 
-.. function:: TSSslContext TSSslServerContextCreate(void)
+.. function:: TSSslContext TSSslServerContextCreate(TSSslX509 *cert, char *certname)
 .. function:: void TSSslContextDestroy(TSSslContext ctx)
 
 Description
 ===========
 
 :func:`TSSslServerContextCreate` creates a new TLS server context. The context
-is configured using the TLS settings specified in :file:`records.config`.
+is configured using the TLS settings specified in :file:`records.config`. The user can pass certificate object(:type:`TSSslX509` :arg:`cert`
+and certname (:code:`const char*` :arg:`certname`) optionally.
+This function sets the certificate status callback and initializes ocsp stapling data if :arg:`cert` and :arg:`certname` is provided and ocsp is enabled globally.
 :func:`TSSslServerContextCreate` returns ``nullptr`` on failure.
 
 :func:`TSSslContextDestroy` destroys a TLS context created by
diff --git a/doc/developer-guide/api/functions/TSTypes.en.rst b/doc/developer-guide/api/functions/TSTypes.en.rst
index d07ef6e..b828328 100644
--- a/doc/developer-guide/api/functions/TSTypes.en.rst
+++ b/doc/developer-guide/api/functions/TSTypes.en.rst
@@ -136,6 +136,10 @@ more widely. Those are described on this page.
 
 .. type:: TSRemapRequestInfo
 
+.. type:: TSSslX509
+
+    This type represents the :code:`X509` object created from an SSL certificate.
+
 .. type:: TSTextLogObject
 
    This type represents a custom log file that you create with
diff --git a/lib/ts/apidefs.h.in b/lib/ts/apidefs.h.in
index b889588..e3fd982 100644
--- a/lib/ts/apidefs.h.in
+++ b/lib/ts/apidefs.h.in
@@ -856,6 +856,7 @@ typedef struct tsapi_cachetxn *TSCacheTxn;
 typedef struct tsapi_port *TSPortDescriptor;
 typedef struct tsapi_vio *TSVIO;
 typedef struct tsapi_thread *TSThread;
+typedef struct tsapi_x509 *TSSslX509;
 typedef struct tsapi_mutex *TSMutex;
 typedef struct tsapi_config *TSConfig;
 typedef struct tsapi_cont *TSCont;
diff --git a/proxy/InkAPI.cc b/proxy/InkAPI.cc
index e920bbe..565f839 100644
--- a/proxy/InkAPI.cc
+++ b/proxy/InkAPI.cc
@@ -58,6 +58,7 @@
 #include "I_AIO.h"
 #include "I_Tasks.h"
 
+#include "P_OCSPStapling.h"
 #include "I_RecDefs.h"
 #include "I_RecCore.h"
 #include "I_Machine.h"
@@ -9285,12 +9286,19 @@ TSSslContextFindByAddr(struct sockaddr const *addr)
 }
 
 tsapi TSSslContext
-TSSslServerContextCreate()
+TSSslServerContextCreate(TSSslX509 cert, const char *certname)
 {
   TSSslContext ret        = nullptr;
   SSLConfigParams *config = SSLConfig::acquire();
   if (config != nullptr) {
     ret = reinterpret_cast<TSSslContext>(SSLCreateServerContext(config));
+    if (ret && SSLConfigParams::ssl_ocsp_enabled && cert && certname) {
+      if (SSL_CTX_set_tlsext_status_cb(reinterpret_cast<SSL_CTX *>(ret), ssl_callback_ocsp_stapling)) {
+        if (!ssl_stapling_init_cert(reinterpret_cast<SSL_CTX *>(ret), reinterpret_cast<X509 *>(cert), certname)) {
+          Warning("fail to configure SSL_CTX for OCSP Stapling info for certificate at %s", (const char *)certname);
+        }
+      }
+    }
     SSLConfig::release(config);
   }
   return ret;
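Review bot: A failed `SSL_CTX_set_tlsext_status_cb` on the new line is silently ignored, while a failed `ssl_stapling_init_cert` is logged; both failures leave the caller with a context that will not staple, so they should be reported the same way — e.g. close the inner `if` with `} else { Warning("fail to set OCSP status callback for certificate at %s", certname); }`. The `(const char *)certname` cast in the existing Warning call is redundant because `certname` already has that type. It also looks like the status callback stays installed when `ssl_stapling_init_cert` fails; whether `ssl_callback_ocsp_stapling` tolerates a context with no stapling data is not visible here and should be confirmed, or the callback cleared on that path. The hunk opens with the tail of `TSSslContextFindByAddr`, and the closing brace of `TSSslServerContextCreate` lies past the end of the hunk.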
diff --git a/proxy/InkAPITest.cc b/proxy/InkAPITest.cc
index 2085ebd..b38df07 100644
--- a/proxy/InkAPITest.cc
+++ b/proxy/InkAPITest.cc
@@ -8073,7 +8073,7 @@ REGRESSION_TEST(SDK_API_TSSslServerContextCreate)(RegressionTest *test, int leve
   TSSslContext ctx;
 
   // See TS-4769: TSSslServerContextCreate always returns null.
-  ctx = TSSslServerContextCreate();
+  ctx = TSSslServerContextCreate(nullptr, nullptr);
 
   *pstatus = ctx ? REGRESSION_TEST_PASSED : REGRESSION_TEST_FAILED;
   TSSslContextDestroy(ctx);
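Review bot: The updated call passes `nullptr, nullptr`, so the regression test still covers only the pre-existing path and never exercises the OCSP callback branch this commit adds to `TSSslServerContextCreate`. A second case passing a non-null `cert` with a null `certname` would at least pin that the branch is skipped unless both are provided, and a case with a real certificate (if the test harness can load one) would cover the stapling setup itself. The comment above the call could also say that the null arguments are deliberate, e.g. `// Null cert/certname: context is created without OCSP stapling setup.` The enclosing REGRESSION_TEST body continues beyond the hunk.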
diff --git a/proxy/api/ts/ts.h b/proxy/api/ts/ts.h
index 7fceaad..7598fc2 100644
--- a/proxy/api/ts/ts.h
+++ b/proxy/api/ts/ts.h
@@ -1236,7 +1236,7 @@ tsapi TSSslConnection TSVConnSSLConnectionGet(TSVConn sslp);
 tsapi TSSslContext TSSslContextFindByName(const char *name);
 tsapi TSSslContext TSSslContextFindByAddr(struct sockaddr const *);
 /*  Create a new SSL context based on the settings in records.config */
-tsapi TSSslContext TSSslServerContextCreate(void);
+tsapi TSSslContext TSSslServerContextCreate(TSSslX509 cert, const char *certname);
 tsapi void TSSslContextDestroy(TSSslContext ctx);
 tsapi void TSSslTicketKeyUpdate(char *ticketData, int ticketDataLen);
 tsapi TSNextProtocolSet TSUnregisterProtocol(TSNextProtocolSet protoset, const char *protocol);
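Review bot: The new prototype `TSSslX509 cert, const char *certname` disagrees with the documentation added in the same commit, where TSSslServerContextCreate.en.rst shows `TSSslX509 *cert, char *certname`; one of the two should be corrected so the published signature matches the header. Replacing `void` with two parameters is also a source-compatibility break for every plugin that calls `TSSslServerContextCreate()`, which deserves a mention in the header comment or release notes. The comment on the line above still describes only the records.config behavior; suggest `/* Create a new SSL context based on the settings in records.config. If cert and certname are both non-null and OCSP stapling is enabled, the certificate status callback is installed and stapling data for that certificate is loaded; both may be nullptr. */`.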
