Posted to commits@trafficserver.apache.org by zw...@apache.org on 2012/03/30 19:50:54 UTC

git commit: TS-1092 Remove specific SSL termination mode, we either terminate, or we do not

Updated Branches:
  refs/heads/master 0f19fb8fe -> f5d90c94b


TS-1092 Remove specific SSL termination mode, we either terminate, or we do not


Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/f5d90c94
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/f5d90c94
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/f5d90c94

Branch: refs/heads/master
Commit: f5d90c94bbab5b29c63ec91169ca462e647c150e
Parents: 0f19fb8
Author: Leif Hedstrom <le...@ogre.com>
Authored: Fri Mar 30 11:50:41 2012 -0600
Committer: Leif Hedstrom <le...@ogre.com>
Committed: Fri Mar 30 11:50:41 2012 -0600

----------------------------------------------------------------------
 CHANGES                           |    3 +++
 iocore/net/P_SSLConfig.h          |   19 -------------------
 iocore/net/SSLConfig.cc           |    7 -------
 iocore/net/SSLNetProcessor.cc     |   13 +++++--------
 lib/records/RecHttp.cc            |    3 +--
 proxy/Main.cc                     |    3 +--
 proxy/http/HttpProxyServerMain.cc |    2 +-
 7 files changed, 11 insertions(+), 39 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/trafficserver/blob/f5d90c94/CHANGES
----------------------------------------------------------------------
diff --git a/CHANGES b/CHANGES
index 65e0cff..e5a4259 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,8 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache Traffic Server 3.1.4
+  *) [TS-1092] Remove specific SSL termination mode, we either terminate, or
+    we do not.
+
   *) [TS-1173] Improve the comments in remap.config.
 
   *) [TS-981] Remove the support for libev (for now at least).

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/f5d90c94/iocore/net/P_SSLConfig.h
----------------------------------------------------------------------
diff --git a/iocore/net/P_SSLConfig.h b/iocore/net/P_SSLConfig.h
index f0e32b4..f105388 100644
--- a/iocore/net/P_SSLConfig.h
+++ b/iocore/net/P_SSLConfig.h
@@ -52,21 +52,12 @@ struct SslConfigParams
 #endif
 {
 public:
-  enum SSL_TERMINATION_MODE
-  {
-    SSL_TERM_MODE_NONE = 0,
-    SSL_TERM_MODE_CLIENT = 1,
-    SSL_TERM_MODE_SERVER = 2,
-    SSL_TERM_MODE_BOTH = SSL_TERM_MODE_CLIENT | SSL_TERM_MODE_SERVER
-  };
-
   enum SSL_SESSION_CACHE_MODE
   {
     SSL_SESSION_CACHE_MODE_OFF = 0,
     SSL_SESSION_CACHE_MODE_SERVER = 1
   };
 
-  SSL_TERMINATION_MODE getTerminationMode(void) const { return termMode; }
   char *getConfigFilePath(void) const { return configFilePath; }
   char *getServerCertPathOnly(void) const { return serverCertPathOnly; }
   char *getServerCACertPathOnly(void) const { return CACertPath; }
@@ -100,8 +91,6 @@ private:
   int clientVerify;
   int client_verify_depth;
 
-  SSL_TERMINATION_MODE termMode;
-
   long ssl_ctx_options;
 
   friend struct SSLNetProcessor;
@@ -121,16 +110,8 @@ public:
   static SslConfigParams *acquire();
   static void release(SslConfigParams * params);
 
-  static bool serverTerminationEnabled(void) { return serverSSLTermination; }
-
 private:
-  static void clearTermEnabled()
-  {
-    serverSSLTermination = 0;
-  }
-
   static int id;
-  static bool serverSSLTermination;
 #ifndef USE_CONFIG_PROCESSOR
   static SslConfigParams *ssl_config_params;
 #endif

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/f5d90c94/iocore/net/SSLConfig.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
index 80780eb..b0a6e1d 100644
--- a/iocore/net/SSLConfig.cc
+++ b/iocore/net/SSLConfig.cc
@@ -38,7 +38,6 @@
 #include <openssl/ssl.h>
 
 int SslConfig::id = 0;
-bool SslConfig::serverSSLTermination = 0;
 
 SslConfig sslTerminationConfig;
 
@@ -59,7 +58,6 @@ SslConfigParams::SslConfigParams()
 
   clientCertLevel = client_verify_depth = verify_depth = clientVerify = 0;
 
-  termMode = SSL_TERM_MODE_NONE;
   ssl_ctx_options = 0;
   ssl_session_cache = SSL_SESSION_CACHE_MODE_SERVER;
   ssl_session_cache_size = 1024*20;
@@ -88,7 +86,6 @@ SslConfigParams::cleanup()
   ats_free_null(cipherSuite);
 
   clientCertLevel = client_verify_depth = verify_depth = clientVerify = 0;
-  termMode = SSL_TERM_MODE_NONE;
 }
 
 /**  set_paths_helper
@@ -153,10 +150,7 @@ SslConfigParams::initialize()
   //+++++++++++++++++++++++++ Server part +++++++++++++++++++++++++++++++++
   verify_depth = 7;
 
-  termMode = static_cast<SSL_TERMINATION_MODE>(HttpProxyPort::hasSSL() ? SSL_TERM_MODE_BOTH : 0);
-  
   IOCORE_ReadConfigInt32(clientCertLevel, "proxy.config.ssl.client.certification_level");
-
   IOCORE_ReadConfigStringAlloc(cipherSuite, "proxy.config.ssl.server.cipher_suite");
 
   int options;
@@ -253,7 +247,6 @@ SslConfig::reconfigure()
 #else
   ssl_config_params = params;
 #endif
-  serverSSLTermination = (params->termMode & SslConfigParams::SSL_TERM_MODE_SERVER) != 0;
 }
 
 SslConfigParams *

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/f5d90c94/iocore/net/SSLNetProcessor.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLNetProcessor.cc b/iocore/net/SSLNetProcessor.cc
index e219480..dc8a832 100644
--- a/iocore/net/SSLNetProcessor.cc
+++ b/iocore/net/SSLNetProcessor.cc
@@ -23,7 +23,9 @@
 
 #include "P_Net.h"
 #include "I_Layout.h"
-#include "openssl/engine.h"
+#include "I_RecHttp.h"
+
+#include <openssl/engine.h>
 
 #if (OPENSSL_VERSION_NUMBER >= 0x10000000L) // openssl returns a const SSL_METHOD
 typedef const SSL_METHOD * ink_ssl_method_t;
@@ -123,8 +125,7 @@ SSLNetProcessor::initSSLLocks(void)
 int
 SSLNetProcessor::reconfigure(void)
 {
-  int ssl_mode = SslConfigParams::SSL_TERM_MODE_NONE, err = 0;
-  int sslServerEnabled = 0;
+  int err = 0;
 
   cleanup();
 
@@ -138,17 +139,13 @@ SSLNetProcessor::reconfigure(void)
   SslConfigParams *param = sslTerminationConfig.acquire();
   ink_assert(param);
 
-  ssl_mode = param->getTerminationMode();
-  sslServerEnabled = ssl_mode & SslConfigParams::SSL_TERM_MODE_CLIENT;
-
-  if (sslServerEnabled) {
+  if (HttpProxyPort::hasSSL()) {
     // Only init server stuff if SSL is enabled in the config file
     err = initSSL(param);
     if (err == 0) {
       sslCertLookup.init(param);
     } else {
       logSSLError("Can't initialize the SSL library, disabling SSL termination!");
-      sslTerminationConfig.clearTermEnabled();
     }
   }
   // Enable client regardless of config file setttings as remap file
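Review bot: The error branch at `logSSLError("Can't initialize the SSL library, disabling SSL termination!");` no longer disables anything: the removed `sslTerminationConfig.clearTermEnabled()` was the only code that cleared the termination flag, and the new gate `HttpProxyPort::hasSSL()` is derived from the port configuration, so it stays true after `initSSL(param)` fails. As far as these hunks show, `start_HttpProxyServer` in proxy/http/HttpProxyServerMain.cc now gates on the same `HttpProxyPort::hasSSL()`, so SSL ports would still get an `SSLNextProtocolAccept` attached even though the library failed to initialize and `sslCertLookup.init(param)` was skipped, which is the state the old flag existed to prevent. Either record the initialization result somewhere the accept path can consult, or at least make the message truthful, e.g. `logSSLError("Can't initialize the SSL library, SSL termination will not function!");`. `reconfigure()` ends outside this hunk, so whether `err` is propagated to the caller cannot be confirmed here.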

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/f5d90c94/lib/records/RecHttp.cc
----------------------------------------------------------------------
diff --git a/lib/records/RecHttp.cc b/lib/records/RecHttp.cc
index 8181e45..f5dce11 100644
--- a/lib/records/RecHttp.cc
+++ b/lib/records/RecHttp.cc
@@ -195,8 +195,7 @@ HttpProxyPort::loadDefaultIfEmpty(Group& ports) {
     self::loadValue(ports, DEFAULT_VALUE);
 
   // Check to see if we need to force an SSL port.
-  if (REC_ERR_OKAY == RecGetRecordInt(SSL_ENABLED_CONFIG_NAME, &ssl_enabled) &&
-      ssl_enabled) {
+  if (REC_ERR_OKAY == RecGetRecordInt(SSL_ENABLED_CONFIG_NAME, &ssl_enabled) && ssl_enabled) {
     // SSL is explicitly enabled, so force an SSL port if there isn't one.
     if (!self::hasSSL(ports)) {
       HttpProxyPort port;

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/f5d90c94/proxy/Main.cc
----------------------------------------------------------------------
diff --git a/proxy/Main.cc b/proxy/Main.cc
index a234064..a09a282 100644
--- a/proxy/Main.cc
+++ b/proxy/Main.cc
@@ -1233,14 +1233,13 @@ chdir_root()
 int
 getNumSSLThreads(void)
 {
-  bool ssl_enabled = HttpProxyPort::hasSSL();
   int num_of_ssl_threads = 0;
 
   // Set number of ssl threads equal to num of processors if
   // SSL is enabled so it will scale properly. If SSL is not
   // enabled, leave num of ssl threads one, incase a remap rule
   // requires traffic server to act as an ssl client.
-  if (ssl_enabled) {
+  if (HttpProxyPort::hasSSL()) {
     int config_num_ssl_threads = 0;
 
     TS_ReadConfigInteger(config_num_ssl_threads, "proxy.config.ssl.number.threads");

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/f5d90c94/proxy/http/HttpProxyServerMain.cc
----------------------------------------------------------------------
diff --git a/proxy/http/HttpProxyServerMain.cc b/proxy/http/HttpProxyServerMain.cc
index 5ebbb22..803e213 100644
--- a/proxy/http/HttpProxyServerMain.cc
+++ b/proxy/http/HttpProxyServerMain.cc
@@ -207,7 +207,7 @@ start_HttpProxyServer(int accept_threads)
       ha_opt.outbound_ip6 = HttpConfig::m_master.outbound_ip6;
 
     if (HttpProxyPort::TRANSPORT_SSL == p.m_type) {
-      if (sslParam->getTerminationMode() & sslParam->SSL_TERM_MODE_CLIENT) {
+      if (HttpProxyPort::hasSSL()) {
         HttpAccept * http = NEW(new HttpAccept(ha_opt));
         SSLNextProtocolAccept * ssl = NEW(new SSLNextProtocolAccept(http));
         ssl->registerEndpoint(TS_NPN_PROTOCOL_HTTP_1_0, http);
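Review bot: The new inner condition `if (HttpProxyPort::hasSSL())` is only reached when `HttpProxyPort::TRANSPORT_SSL == p.m_type`, so if `hasSSL()` is the "some configured port is SSL" predicate that `HttpProxyPort::loadDefaultIfEmpty` uses in lib/records/RecHttp.cc, it is always true here and the check carries no information. The condition it replaces at least reflected runtime state set by `SslConfig::reconfigure`; the new one cannot tell "SSL configured" apart from "SSL initialized successfully". If the guard is meant to stay, a comment should state what it guards against; otherwise drop it and create the `HttpAccept`/`SSLNextProtocolAccept` pair directly under `if (HttpProxyPort::TRANSPORT_SSL == p.m_type) {`. `sslParam` may now be unused in this function after the change; `start_HttpProxyServer` begins and ends outside the hunk.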