You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@trafficserver.apache.org by zwoop <gi...@git.apache.org> on 2017/02/24 19:51:28 UTC

[GitHub] trafficserver pull request #1488: This allows old ssl_multicert.config to st...

GitHub user zwoop opened a pull request:

    https://github.com/apache/trafficserver/pull/1488

    This allows old ssl_multicert.config to still function on reload

    The problem is that if a certificate fails to load, for whatever reason that might be, ATS still switches the configuration, leaving the server in a crippled state. This patch fixes this, to the normal behavior of ATS retaining the old configurations if the new fails to load.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/zwoop/trafficserver FixSSLLoadFailure

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/trafficserver/pull/1488.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1488
    
----
commit 2f636d23c493039626fae51c7cd37047140bb657
Author: Leif Hedstrom <zw...@apache.org>
Date:   2017-02-24T19:47:29Z

    This allows old ssl_multicert.config to still function on reload

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] trafficserver pull request #1488: This allows old ssl_multicert.config to st...

Posted by zwoop <gi...@git.apache.org>.

Github user zwoop commented on a diff in the pull request:

    https://github.com/apache/trafficserver/pull/1488#discussion_r103039820
  
    --- Diff: iocore/net/SSLUtils.cc ---
    @@ -2007,7 +2007,10 @@ SSLParseCertificateConfiguration(const SSLConfigParams *params, SSLCertLookup *l
             if (ssl_extract_certificate(&line_info, sslMultiCertSettings)) {
               // There must be a certificate specified unless the tunnel action is set
               if (sslMultiCertSettings.cert || sslMultiCertSettings.opt != SSLCertContext::OPT_TUNNEL) {
    -            ssl_store_ssl_context(params, lookup, &sslMultiCertSettings);
    +            if (ssl_store_ssl_context(params, lookup, &sslMultiCertSettings) == nullptr) {
    +              Error("failed to load SSL server contexts");
    +              return false;
    +            }
               } else {
    --- End diff --
    
    Yeh, it's not used, but the point is that we stop parsing the configuration at this point, which leaves lookup->is_valid == false (correctly). I believe in the old version, the status of the lookup is the status of the *last* certificate in the configuration.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] trafficserver issue #1488: This allows old ssl_multicert.config to still fun...

Posted by atsci <gi...@git.apache.org>.

Github user atsci commented on the issue:

    https://github.com/apache/trafficserver/pull/1488
  
    Intel CC build *successful*! See https://ci.trafficserver.apache.org/job/icc-github/46/ for details.
     



---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] trafficserver pull request #1488: This allows old ssl_multicert.config to st...

Posted by zwoop <gi...@git.apache.org>.

Github user zwoop commented on a diff in the pull request:

    https://github.com/apache/trafficserver/pull/1488#discussion_r103039976
  
    --- Diff: iocore/net/SSLUtils.cc ---
    @@ -2007,7 +2007,10 @@ SSLParseCertificateConfiguration(const SSLConfigParams *params, SSLCertLookup *l
             if (ssl_extract_certificate(&line_info, sslMultiCertSettings)) {
               // There must be a certificate specified unless the tunnel action is set
               if (sslMultiCertSettings.cert || sslMultiCertSettings.opt != SSLCertContext::OPT_TUNNEL) {
    -            ssl_store_ssl_context(params, lookup, &sslMultiCertSettings);
    +            if (ssl_store_ssl_context(params, lookup, &sslMultiCertSettings) == nullptr) {
    +              Error("failed to load SSL server contexts");
    +              return false;
    +            }
               } else {
    --- End diff --
    
    I'd be fine adding additional actionable checks here if you like, I'm just not familiar with most of this code.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] trafficserver pull request #1488: This allows old ssl_multicert.config to st...

Posted by zwoop <gi...@git.apache.org>.

Github user zwoop closed the pull request at:

    https://github.com/apache/trafficserver/pull/1488


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] trafficserver issue #1488: This allows old ssl_multicert.config to still fun...

Posted by zwoop <gi...@git.apache.org>.

Github user zwoop commented on the issue:

    https://github.com/apache/trafficserver/pull/1488
  
    I'm gonna close this PR for now, I think this code could be cleaned up, but setting proxy.config.ssl.server.multicert.exit_on_load_fail=1 seems to behave more reasonable than the defaults.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] trafficserver issue #1488: This allows old ssl_multicert.config to still fun...

Posted by atsci <gi...@git.apache.org>.

Github user atsci commented on the issue:

    https://github.com/apache/trafficserver/pull/1488
  
    FreeBSD build *successful*! See https://ci.trafficserver.apache.org/job/freebsd-github/1613/ for details.
     



---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] trafficserver issue #1488: This allows old ssl_multicert.config to still fun...

Posted by atsci <gi...@git.apache.org>.

Github user atsci commented on the issue:

    https://github.com/apache/trafficserver/pull/1488
  
    clang-analyzer build *successful*! See https://ci.trafficserver.apache.org/job/clang-analyzer-github/178/ for details.
     



---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] trafficserver pull request #1488: This allows old ssl_multicert.config to st...

Posted by shinrich <gi...@git.apache.org>.

Github user shinrich commented on a diff in the pull request:

    https://github.com/apache/trafficserver/pull/1488#discussion_r103023456
  
    --- Diff: iocore/net/SSLUtils.cc ---
    @@ -2007,7 +2007,10 @@ SSLParseCertificateConfiguration(const SSLConfigParams *params, SSLCertLookup *l
             if (ssl_extract_certificate(&line_info, sslMultiCertSettings)) {
               // There must be a certificate specified unless the tunnel action is set
               if (sslMultiCertSettings.cert || sslMultiCertSettings.opt != SSLCertContext::OPT_TUNNEL) {
    -            ssl_store_ssl_context(params, lookup, &sslMultiCertSettings);
    +            if (ssl_store_ssl_context(params, lookup, &sslMultiCertSettings) == nullptr) {
    +              Error("failed to load SSL server contexts");
    +              return false;
    +            }
               } else {
    --- End diff --
    
    I'm a bit confused why this fixes anything.  I don't see any callers checking the return value.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] trafficserver issue #1488: This allows old ssl_multicert.config to still fun...

Posted by zwoop <gi...@git.apache.org>.

Github user zwoop commented on the issue:

    https://github.com/apache/trafficserver/pull/1488
  
    I see now, there's a new configuration, proxy.config.ssl.server.multicert.exit_on_load_fail, which would exit on load errors. Surprised that this is not the default to "1" though.
    
    However, the fix above would retain (what I think is) correct behavior on reloads, and if proxy.config.ssl.server.multicert.exit_on_load_fail is off (0), you'd still be able to load the initially broken configuration.
    
    Why anyone wants a broken configuration is beyond me, but I'm ok with this, but think it should be changed to "1" for v8.0.0.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] trafficserver issue #1488: This allows old ssl_multicert.config to still fun...

Posted by atsci <gi...@git.apache.org>.

Github user atsci commented on the issue:

    https://github.com/apache/trafficserver/pull/1488
  
    Linux build *successful*! See https://ci.trafficserver.apache.org/job/linux-github/1508/ for details.
     



---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---