Posted to commits@trafficserver.apache.org by zw...@apache.org on 2012/03/30 19:50:54 UTC
git commit: TS-1092 Remove specific SSL termination mode,
we either terminate, or we do not
Updated Branches:
refs/heads/master 0f19fb8fe -> f5d90c94b
TS-1092 Remove specific SSL termination mode, we either terminate, or we do not
Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/f5d90c94
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/f5d90c94
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/f5d90c94
Branch: refs/heads/master
Commit: f5d90c94bbab5b29c63ec91169ca462e647c150e
Parents: 0f19fb8
Author: Leif Hedstrom <le...@ogre.com>
Authored: Fri Mar 30 11:50:41 2012 -0600
Committer: Leif Hedstrom <le...@ogre.com>
Committed: Fri Mar 30 11:50:41 2012 -0600
----------------------------------------------------------------------
CHANGES | 3 +++
iocore/net/P_SSLConfig.h | 19 -------------------
iocore/net/SSLConfig.cc | 7 -------
iocore/net/SSLNetProcessor.cc | 13 +++++--------
lib/records/RecHttp.cc | 3 +--
proxy/Main.cc | 3 +--
proxy/http/HttpProxyServerMain.cc | 2 +-
7 files changed, 11 insertions(+), 39 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/f5d90c94/CHANGES
----------------------------------------------------------------------
diff --git a/CHANGES b/CHANGES
index 65e0cff..e5a4259 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,8 @@
-*- coding: utf-8 -*-
Changes with Apache Traffic Server 3.1.4
+ *) [TS-1092] Remove specific SSL termination mode, we either terminate, or
+ we do not.
+
*) [TS-1173] Improve the comments in remap.config.
*) [TS-981] Remove the support for libev (for now at least).
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/f5d90c94/iocore/net/P_SSLConfig.h
----------------------------------------------------------------------
diff --git a/iocore/net/P_SSLConfig.h b/iocore/net/P_SSLConfig.h
index f0e32b4..f105388 100644
--- a/iocore/net/P_SSLConfig.h
+++ b/iocore/net/P_SSLConfig.h
@@ -52,21 +52,12 @@ struct SslConfigParams
#endif
{
public:
- enum SSL_TERMINATION_MODE
- {
- SSL_TERM_MODE_NONE = 0,
- SSL_TERM_MODE_CLIENT = 1,
- SSL_TERM_MODE_SERVER = 2,
- SSL_TERM_MODE_BOTH = SSL_TERM_MODE_CLIENT | SSL_TERM_MODE_SERVER
- };
-
enum SSL_SESSION_CACHE_MODE
{
SSL_SESSION_CACHE_MODE_OFF = 0,
SSL_SESSION_CACHE_MODE_SERVER = 1
};
- SSL_TERMINATION_MODE getTerminationMode(void) const { return termMode; }
char *getConfigFilePath(void) const { return configFilePath; }
char *getServerCertPathOnly(void) const { return serverCertPathOnly; }
char *getServerCACertPathOnly(void) const { return CACertPath; }
@@ -100,8 +91,6 @@ private:
int clientVerify;
int client_verify_depth;
- SSL_TERMINATION_MODE termMode;
-
long ssl_ctx_options;
friend struct SSLNetProcessor;
@@ -121,16 +110,8 @@ public:
static SslConfigParams *acquire();
static void release(SslConfigParams * params);
- static bool serverTerminationEnabled(void) { return serverSSLTermination; }
-
private:
- static void clearTermEnabled()
- {
- serverSSLTermination = 0;
- }
-
static int id;
- static bool serverSSLTermination;
#ifndef USE_CONFIG_PROCESSOR
static SslConfigParams *ssl_config_params;
#endif
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/f5d90c94/iocore/net/SSLConfig.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
index 80780eb..b0a6e1d 100644
--- a/iocore/net/SSLConfig.cc
+++ b/iocore/net/SSLConfig.cc
@@ -38,7 +38,6 @@
#include <openssl/ssl.h>
int SslConfig::id = 0;
-bool SslConfig::serverSSLTermination = 0;
SslConfig sslTerminationConfig;
@@ -59,7 +58,6 @@ SslConfigParams::SslConfigParams()
clientCertLevel = client_verify_depth = verify_depth = clientVerify = 0;
- termMode = SSL_TERM_MODE_NONE;
ssl_ctx_options = 0;
ssl_session_cache = SSL_SESSION_CACHE_MODE_SERVER;
ssl_session_cache_size = 1024*20;
@@ -88,7 +86,6 @@ SslConfigParams::cleanup()
ats_free_null(cipherSuite);
clientCertLevel = client_verify_depth = verify_depth = clientVerify = 0;
- termMode = SSL_TERM_MODE_NONE;
}
/** set_paths_helper
@@ -153,10 +150,7 @@ SslConfigParams::initialize()
//+++++++++++++++++++++++++ Server part +++++++++++++++++++++++++++++++++
verify_depth = 7;
- termMode = static_cast<SSL_TERMINATION_MODE>(HttpProxyPort::hasSSL() ? SSL_TERM_MODE_BOTH : 0);
-
IOCORE_ReadConfigInt32(clientCertLevel, "proxy.config.ssl.client.certification_level");
-
IOCORE_ReadConfigStringAlloc(cipherSuite, "proxy.config.ssl.server.cipher_suite");
int options;
@@ -253,7 +247,6 @@ SslConfig::reconfigure()
#else
ssl_config_params = params;
#endif
- serverSSLTermination = (params->termMode & SslConfigParams::SSL_TERM_MODE_SERVER) != 0;
}
SslConfigParams *
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/f5d90c94/iocore/net/SSLNetProcessor.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLNetProcessor.cc b/iocore/net/SSLNetProcessor.cc
index e219480..dc8a832 100644
--- a/iocore/net/SSLNetProcessor.cc
+++ b/iocore/net/SSLNetProcessor.cc
@@ -23,7 +23,9 @@
#include "P_Net.h"
#include "I_Layout.h"
-#include "openssl/engine.h"
+#include "I_RecHttp.h"
+
+#include <openssl/engine.h>
#if (OPENSSL_VERSION_NUMBER >= 0x10000000L) // openssl returns a const SSL_METHOD
typedef const SSL_METHOD * ink_ssl_method_t;
@@ -123,8 +125,7 @@ SSLNetProcessor::initSSLLocks(void)
int
SSLNetProcessor::reconfigure(void)
{
- int ssl_mode = SslConfigParams::SSL_TERM_MODE_NONE, err = 0;
- int sslServerEnabled = 0;
+ int err = 0;
cleanup();
@@ -138,17 +139,13 @@ SSLNetProcessor::reconfigure(void)
SslConfigParams *param = sslTerminationConfig.acquire();
ink_assert(param);
- ssl_mode = param->getTerminationMode();
- sslServerEnabled = ssl_mode & SslConfigParams::SSL_TERM_MODE_CLIENT;
-
- if (sslServerEnabled) {
+ if (HttpProxyPort::hasSSL()) {
// Only init server stuff if SSL is enabled in the config file
err = initSSL(param);
if (err == 0) {
sslCertLookup.init(param);
} else {
logSSLError("Can't initialize the SSL library, disabling SSL termination!");
- sslTerminationConfig.clearTermEnabled();
}
}
// Enable client regardless of config file setttings as remap file
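Review bot: The failure branch of `initSSL(param)` still logs "disabling SSL termination!", but with `sslTerminationConfig.clearTermEnabled()` removed nothing in this hunk disables anything. `HttpProxyPort::hasSSL()` appears to reflect port configuration only, so the check in the proxy/http/HttpProxyServerMain.cc hunk will presumably still create the SSL accept on a port whose server context failed to initialise. Either record the failure in state that the accept path consults, or propagate `err` so start-up stops. At minimum make the message match what happens, e.g. `logSSLError("Can't initialize the SSL library");`. reconfigure() continues past the end of the hunk, so how `err` is finally handled is not visible here.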
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/f5d90c94/lib/records/RecHttp.cc
----------------------------------------------------------------------
diff --git a/lib/records/RecHttp.cc b/lib/records/RecHttp.cc
index 8181e45..f5dce11 100644
--- a/lib/records/RecHttp.cc
+++ b/lib/records/RecHttp.cc
@@ -195,8 +195,7 @@ HttpProxyPort::loadDefaultIfEmpty(Group& ports) {
self::loadValue(ports, DEFAULT_VALUE);
// Check to see if we need to force an SSL port.
- if (REC_ERR_OKAY == RecGetRecordInt(SSL_ENABLED_CONFIG_NAME, &ssl_enabled) &&
- ssl_enabled) {
+ if (REC_ERR_OKAY == RecGetRecordInt(SSL_ENABLED_CONFIG_NAME, &ssl_enabled) && ssl_enabled) {
// SSL is explicitly enabled, so force an SSL port if there isn't one.
if (!self::hasSSL(ports)) {
HttpProxyPort port;
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/f5d90c94/proxy/Main.cc
----------------------------------------------------------------------
diff --git a/proxy/Main.cc b/proxy/Main.cc
index a234064..a09a282 100644
--- a/proxy/Main.cc
+++ b/proxy/Main.cc
@@ -1233,14 +1233,13 @@ chdir_root()
int
getNumSSLThreads(void)
{
- bool ssl_enabled = HttpProxyPort::hasSSL();
int num_of_ssl_threads = 0;
// Set number of ssl threads equal to num of processors if
// SSL is enabled so it will scale properly. If SSL is not
// enabled, leave num of ssl threads one, incase a remap rule
// requires traffic server to act as an ssl client.
- if (ssl_enabled) {
+ if (HttpProxyPort::hasSSL()) {
int config_num_ssl_threads = 0;
TS_ReadConfigInteger(config_num_ssl_threads, "proxy.config.ssl.number.threads");
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/f5d90c94/proxy/http/HttpProxyServerMain.cc
----------------------------------------------------------------------
diff --git a/proxy/http/HttpProxyServerMain.cc b/proxy/http/HttpProxyServerMain.cc
index 5ebbb22..803e213 100644
--- a/proxy/http/HttpProxyServerMain.cc
+++ b/proxy/http/HttpProxyServerMain.cc
@@ -207,7 +207,7 @@ start_HttpProxyServer(int accept_threads)
ha_opt.outbound_ip6 = HttpConfig::m_master.outbound_ip6;
if (HttpProxyPort::TRANSPORT_SSL == p.m_type) {
- if (sslParam->getTerminationMode() & sslParam->SSL_TERM_MODE_CLIENT) {
+ if (HttpProxyPort::hasSSL()) {
HttpAccept * http = NEW(new HttpAccept(ha_opt));
SSLNextProtocolAccept * ssl = NEW(new SSLNextProtocolAccept(http));
ssl->registerEndpoint(TS_NPN_PROTOCOL_HTTP_1_0, http);
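Review bot: The new inner condition `HttpProxyPort::hasSSL()` sits inside `if (HttpProxyPort::TRANSPORT_SSL == p.m_type)`, so if `hasSSL()` only reports whether any configured port is SSL (its definition is not in this hunk), it is always true on this path. It then reads like a safety gate without being one. Consider dropping the inner `if`, or documenting it with a comment such as `// hasSSL() reflects port configuration only, not whether the SSL context initialised`. `sslParam` may also be left without a use after this change; the rest of start_HttpProxyServer is outside the hunk.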