Posted to commits@trafficserver.apache.org by br...@apache.org on 2015/03/11 23:17:59 UTC
[1/3] trafficserver git commit: TS-3437: Make DH params configurable
Repository: trafficserver
Updated Branches:
refs/heads/master 66bdd406f -> 4361f4d0d
TS-3437: Make DH params configurable
Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/091b59ca
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/091b59ca
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/091b59ca
Branch: refs/heads/master
Commit: 091b59ca3f772ebc4a6cbc832b57fb0794c6b82e
Parents: 66bdd40
Author: Brian Geffon <br...@apache.org>
Authored: Wed Mar 11 15:16:07 2015 -0700
Committer: Brian Geffon <br...@apache.org>
Committed: Wed Mar 11 15:16:07 2015 -0700
----------------------------------------------------------------------
iocore/net/P_SSLConfig.h | 1 +
iocore/net/SSLConfig.cc | 2 ++
iocore/net/SSLUtils.cc | 4 +++-
mgmt/RecordsConfig.cc | 2 ++
4 files changed, 8 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/091b59ca/iocore/net/P_SSLConfig.h
----------------------------------------------------------------------
diff --git a/iocore/net/P_SSLConfig.h b/iocore/net/P_SSLConfig.h
index cda2dcb..376036d 100644
--- a/iocore/net/P_SSLConfig.h
+++ b/iocore/net/P_SSLConfig.h
@@ -81,6 +81,7 @@ struct SSLConfigParams : public ConfigInfo
char * clientKeyPath;
char * clientCACertFilename;
char * clientCACertPath;
+ int enable_dhparams;
int clientVerify;
int client_verify_depth;
long ssl_ctx_options;
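Review bot: The new `enable_dhparams` member is added without a comment, and nothing at the declaration tells a reader that it gates whether `dhparamsFile` is installed into server contexts at all. A one-line comment would do: `int enable_dhparams; // non-zero: install dhparamsFile into each server SSL_CTX (see SSLInitServerContext)`. The field is declared as `int` like its neighbours while the record only admits 0 or 1, which matches the file's existing convention. The enclosing struct SSLConfigParams starts and ends outside the hunk.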
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/091b59ca/iocore/net/SSLConfig.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
index 627ccd2..1e1c0df 100644
--- a/iocore/net/SSLConfig.cc
+++ b/iocore/net/SSLConfig.cc
@@ -74,6 +74,7 @@ SSLConfigParams::SSLConfigParams()
clientCertLevel = client_verify_depth = verify_depth = clientVerify = 0;
+ enable_dhparams = 0;
ssl_ctx_options = 0;
ssl_client_ctx_protocols = 0;
ssl_session_cache = SSL_SESSION_CACHE_MODE_SERVER_ATS_IMPL;
@@ -159,6 +160,7 @@ SSLConfigParams::initialize()
REC_ReadConfigStringAlloc(cipherSuite, "proxy.config.ssl.server.cipher_suite");
REC_ReadConfigStringAlloc(client_cipherSuite, "proxy.config.ssl.client.cipher_suite");
dhparamsFile = RecConfigReadConfigPath("proxy.config.ssl.server.dhparams_file");
+ REC_ReadConfigInt32(enable_dhparams, "proxy.config.ssl.client.enable_dhparams");
int options;
int client_ssl_options;
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/091b59ca/iocore/net/SSLUtils.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 361d344..83ce5e5 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -1473,8 +1473,10 @@ SSLInitServerContext(const SSLConfigParams * params, const ssl_user_config & ssl
SSL_CTX_set_default_passwd_cb_userdata(CTX, NULL);\
}
SSL_CLEAR_PW_REFERENCES(ud,ctx)
- if (!ssl_context_enable_dhe(params->dhparamsFile, ctx)) {
+ if (params->enable_dhparams && !ssl_context_enable_dhe(params->dhparamsFile, ctx)) {
goto fail;
+ } else if (!params->enable_dhparams) {
+ Debug("ssl", "Not using dhparams");
}
return ssl_context_enable_ecdh(ctx);
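Review bot: `params->enable_dhparams` is evaluated twice across the new `if` / `else if`, and the disabled case is written after the failure case, which makes the branch that the record's default of 0 now selects the hardest one to read; putting the gate first reads more directly: `if (!params->enable_dhparams) { Debug("ssl", "Not using dhparams"); } else if (!ssl_context_enable_dhe(params->dhparamsFile, ctx)) { goto fail; }`. Because 0 is the default, every server context is now built through that branch, so an installation that has `dhparamsFile` configured but not the new flag skips its parameters silently; a `Note`-level message instead of `Debug("ssl", ...)` would let an operator see in the log that the context was built without DH parameters. Whether DHE cipher suites remain negotiable in that case depends on what `ssl_context_enable_dhe` did before with a NULL path, which is not visible in this hunk. SSLInitServerContext and its `fail:` label lie outside the hunk.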
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/091b59ca/mgmt/RecordsConfig.cc
----------------------------------------------------------------------
diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
index b360aa0..76d6cb2 100644
--- a/mgmt/RecordsConfig.cc
+++ b/mgmt/RecordsConfig.cc
@@ -1322,6 +1322,8 @@ static const RecordElement RecordsConfig[] =
,
{RECT_CONFIG, "proxy.config.ssl.allow_client_renegotiation", RECD_INT, "0", RECU_DYNAMIC, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
,
+ {RECT_CONFIG, "proxy.config.ssl.server.enable_dhparams", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
+ ,
{RECT_CONFIG, "proxy.config.ssl.server.dhparams_file", RECD_STRING, NULL, RECU_RESTART_TS, RR_NULL, RECC_NULL, NULL, RECA_NULL}
,
//##############################################################################
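Review bot: The new record defaults to `"0"`, which changes behaviour for existing deployments rather than only adding an opt-out: before this commit `ssl_context_enable_dhe()` was called unconditionally (SSLUtils.cc hunk), so an installation that already sets `proxy.config.ssl.server.dhparams_file` will stop loading its DH parameters on upgrade unless it also learns about and sets the new flag. If the goal is to let operators disable DH parameters, a default of `"1"` preserves current behaviour; if the goal is really to require explicit opt-in, the CHANGES entry and the records.config documentation should say that `dhparams_file` is ignored unless `enable_dhparams` is set. The `[0-1]` check on the record is consistent with the C++ side treating any non-zero value as enabled.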
[2/3] trafficserver git commit: TS-3437: Make DH params configurable:
update docs
Posted by br...@apache.org.
TS-3437: Make DH params configurable: update docs
Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/8a4128c1
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/8a4128c1
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/8a4128c1
Branch: refs/heads/master
Commit: 8a4128c1dcf6e933ff77b9f7fe641b5bc8975a21
Parents: 091b59c
Author: Brian Geffon <br...@apache.org>
Authored: Wed Mar 11 15:17:07 2015 -0700
Committer: Brian Geffon <br...@apache.org>
Committed: Wed Mar 11 15:17:07 2015 -0700
----------------------------------------------------------------------
doc/reference/configuration/records.config.en.rst | 5 +++++
1 file changed, 5 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/8a4128c1/doc/reference/configuration/records.config.en.rst
----------------------------------------------------------------------
diff --git a/doc/reference/configuration/records.config.en.rst b/doc/reference/configuration/records.config.en.rst
index 4cad8e8..8d6c843 100644
--- a/doc/reference/configuration/records.config.en.rst
+++ b/doc/reference/configuration/records.config.en.rst
@@ -2258,6 +2258,11 @@ SSL Termination
Unless this is an absolute path, it is loaded relative to the
path specified by :ts:cv:`proxy.config.ssl.server.cert.path`.
+.. ts:cv:: CONFIG proxy.config.ssl.client.enable_dhparams INT 0
+
+ Enable or disable the dhparams_file configuration option,
+ this is disabled by default
+
.. ts:cv:: CONFIG proxy.config.ssl.server.dhparams_file STRING NULL
The name of a file containing a set of Diffie-Hellman key exchange
Re: [1/3] trafficserver git commit: TS-3437: Make DH params configurable
Posted by James Peach <jp...@apache.org>.
The added configuration is "proxy.config.ssl.server.enable_dhparams", but the code checks "proxy.config.ssl.client.enable_dhparams".
The added configuration is marked RECU_RESTART_TS, but will actually take effect when ssl_multicert.config is reloaded. So I think this should be RECU_DYNAMIC (though this is almost an intermediate state).
> On Mar 11, 2015, at 3:17 PM, briang@apache.org wrote:
>
> Repository: trafficserver
> Updated Branches:
> refs/heads/master 66bdd406f -> 4361f4d0d
>
>
> TS-3437: Make DH params configurable
>
>
> Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
> Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/091b59ca
> Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/091b59ca
> Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/091b59ca
>
> Branch: refs/heads/master
> Commit: 091b59ca3f772ebc4a6cbc832b57fb0794c6b82e
> Parents: 66bdd40
> Author: Brian Geffon <br...@apache.org>
> Authored: Wed Mar 11 15:16:07 2015 -0700
> Committer: Brian Geffon <br...@apache.org>
> Committed: Wed Mar 11 15:16:07 2015 -0700
>
> ----------------------------------------------------------------------
> iocore/net/P_SSLConfig.h | 1 +
> iocore/net/SSLConfig.cc | 2 ++
> iocore/net/SSLUtils.cc | 4 +++-
> mgmt/RecordsConfig.cc | 2 ++
> 4 files changed, 8 insertions(+), 1 deletion(-)
> ----------------------------------------------------------------------
>
>
> http://git-wip-us.apache.org/repos/asf/trafficserver/blob/091b59ca/iocore/net/P_SSLConfig.h
> ----------------------------------------------------------------------
> diff --git a/iocore/net/P_SSLConfig.h b/iocore/net/P_SSLConfig.h
> index cda2dcb..376036d 100644
> --- a/iocore/net/P_SSLConfig.h
> +++ b/iocore/net/P_SSLConfig.h
> @@ -81,6 +81,7 @@ struct SSLConfigParams : public ConfigInfo
> char * clientKeyPath;
> char * clientCACertFilename;
> char * clientCACertPath;
> + int enable_dhparams;
> int clientVerify;
> int client_verify_depth;
> long ssl_ctx_options;
>
> http://git-wip-us.apache.org/repos/asf/trafficserver/blob/091b59ca/iocore/net/SSLConfig.cc
> ----------------------------------------------------------------------
> diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
> index 627ccd2..1e1c0df 100644
> --- a/iocore/net/SSLConfig.cc
> +++ b/iocore/net/SSLConfig.cc
> @@ -74,6 +74,7 @@ SSLConfigParams::SSLConfigParams()
>
> clientCertLevel = client_verify_depth = verify_depth = clientVerify = 0;
>
> + enable_dhparams = 0;
> ssl_ctx_options = 0;
> ssl_client_ctx_protocols = 0;
> ssl_session_cache = SSL_SESSION_CACHE_MODE_SERVER_ATS_IMPL;
> @@ -159,6 +160,7 @@ SSLConfigParams::initialize()
> REC_ReadConfigStringAlloc(cipherSuite, "proxy.config.ssl.server.cipher_suite");
> REC_ReadConfigStringAlloc(client_cipherSuite, "proxy.config.ssl.client.cipher_suite");
> dhparamsFile = RecConfigReadConfigPath("proxy.config.ssl.server.dhparams_file");
> + REC_ReadConfigInt32(enable_dhparams, "proxy.config.ssl.client.enable_dhparams");
>
> int options;
> int client_ssl_options;
>
> http://git-wip-us.apache.org/repos/asf/trafficserver/blob/091b59ca/iocore/net/SSLUtils.cc
> ----------------------------------------------------------------------
> diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
> index 361d344..83ce5e5 100644
> --- a/iocore/net/SSLUtils.cc
> +++ b/iocore/net/SSLUtils.cc
> @@ -1473,8 +1473,10 @@ SSLInitServerContext(const SSLConfigParams * params, const ssl_user_config & ssl
> SSL_CTX_set_default_passwd_cb_userdata(CTX, NULL);\
> }
> SSL_CLEAR_PW_REFERENCES(ud,ctx)
> - if (!ssl_context_enable_dhe(params->dhparamsFile, ctx)) {
> + if (params->enable_dhparams && !ssl_context_enable_dhe(params->dhparamsFile, ctx)) {
> goto fail;
> + } else if (!params->enable_dhparams) {
> + Debug("ssl", "Not using dhparams");
> }
> return ssl_context_enable_ecdh(ctx);
>
>
> http://git-wip-us.apache.org/repos/asf/trafficserver/blob/091b59ca/mgmt/RecordsConfig.cc
> ----------------------------------------------------------------------
> diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
> index b360aa0..76d6cb2 100644
> --- a/mgmt/RecordsConfig.cc
> +++ b/mgmt/RecordsConfig.cc
> @@ -1322,6 +1322,8 @@ static const RecordElement RecordsConfig[] =
> ,
> {RECT_CONFIG, "proxy.config.ssl.allow_client_renegotiation", RECD_INT, "0", RECU_DYNAMIC, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
> ,
> + {RECT_CONFIG, "proxy.config.ssl.server.enable_dhparams", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
> + ,
> {RECT_CONFIG, "proxy.config.ssl.server.dhparams_file", RECD_STRING, NULL, RECU_RESTART_TS, RR_NULL, RECC_NULL, NULL, RECA_NULL}
> ,
> //##############################################################################
>
Re: [1/3] trafficserver git commit: TS-3437: Make DH params configurable
Posted by James Peach <jp...@apache.org>.
The added configuration is "proxy.config.ssl.server.enable_dhparams", but the code checks "proxy.config.ssl.client.enable_dhparams".
The added configuration is marked RECU_RESTART_TS, but will actually take effect when ssl_multicert.config is reloaded. So I think this should be RECU_DYNAMIC (though this is almost an intermediate state).
> On Mar 11, 2015, at 3:17 PM, briang@apache.org wrote:
>
> Repository: trafficserver
> Updated Branches:
> refs/heads/master 66bdd406f -> 4361f4d0d
>
>
> TS-3437: Make DH params configurable
>
>
> Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
> Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/091b59ca
> Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/091b59ca
> Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/091b59ca
>
> Branch: refs/heads/master
> Commit: 091b59ca3f772ebc4a6cbc832b57fb0794c6b82e
> Parents: 66bdd40
> Author: Brian Geffon <br...@apache.org>
> Authored: Wed Mar 11 15:16:07 2015 -0700
> Committer: Brian Geffon <br...@apache.org>
> Committed: Wed Mar 11 15:16:07 2015 -0700
>
> ----------------------------------------------------------------------
> iocore/net/P_SSLConfig.h | 1 +
> iocore/net/SSLConfig.cc | 2 ++
> iocore/net/SSLUtils.cc | 4 +++-
> mgmt/RecordsConfig.cc | 2 ++
> 4 files changed, 8 insertions(+), 1 deletion(-)
> ----------------------------------------------------------------------
>
>
> http://git-wip-us.apache.org/repos/asf/trafficserver/blob/091b59ca/iocore/net/P_SSLConfig.h
> ----------------------------------------------------------------------
> diff --git a/iocore/net/P_SSLConfig.h b/iocore/net/P_SSLConfig.h
> index cda2dcb..376036d 100644
> --- a/iocore/net/P_SSLConfig.h
> +++ b/iocore/net/P_SSLConfig.h
> @@ -81,6 +81,7 @@ struct SSLConfigParams : public ConfigInfo
> char * clientKeyPath;
> char * clientCACertFilename;
> char * clientCACertPath;
> + int enable_dhparams;
> int clientVerify;
> int client_verify_depth;
> long ssl_ctx_options;
>
> http://git-wip-us.apache.org/repos/asf/trafficserver/blob/091b59ca/iocore/net/SSLConfig.cc
> ----------------------------------------------------------------------
> diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
> index 627ccd2..1e1c0df 100644
> --- a/iocore/net/SSLConfig.cc
> +++ b/iocore/net/SSLConfig.cc
> @@ -74,6 +74,7 @@ SSLConfigParams::SSLConfigParams()
>
> clientCertLevel = client_verify_depth = verify_depth = clientVerify = 0;
>
> + enable_dhparams = 0;
> ssl_ctx_options = 0;
> ssl_client_ctx_protocols = 0;
> ssl_session_cache = SSL_SESSION_CACHE_MODE_SERVER_ATS_IMPL;
> @@ -159,6 +160,7 @@ SSLConfigParams::initialize()
> REC_ReadConfigStringAlloc(cipherSuite, "proxy.config.ssl.server.cipher_suite");
> REC_ReadConfigStringAlloc(client_cipherSuite, "proxy.config.ssl.client.cipher_suite");
> dhparamsFile = RecConfigReadConfigPath("proxy.config.ssl.server.dhparams_file");
> + REC_ReadConfigInt32(enable_dhparams, "proxy.config.ssl.client.enable_dhparams");
>
> int options;
> int client_ssl_options;
>
> http://git-wip-us.apache.org/repos/asf/trafficserver/blob/091b59ca/iocore/net/SSLUtils.cc
> ----------------------------------------------------------------------
> diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
> index 361d344..83ce5e5 100644
> --- a/iocore/net/SSLUtils.cc
> +++ b/iocore/net/SSLUtils.cc
> @@ -1473,8 +1473,10 @@ SSLInitServerContext(const SSLConfigParams * params, const ssl_user_config & ssl
> SSL_CTX_set_default_passwd_cb_userdata(CTX, NULL);\
> }
> SSL_CLEAR_PW_REFERENCES(ud,ctx)
> - if (!ssl_context_enable_dhe(params->dhparamsFile, ctx)) {
> + if (params->enable_dhparams && !ssl_context_enable_dhe(params->dhparamsFile, ctx)) {
> goto fail;
> + } else if (!params->enable_dhparams) {
> + Debug("ssl", "Not using dhparams");
> }
> return ssl_context_enable_ecdh(ctx);
>
>
> http://git-wip-us.apache.org/repos/asf/trafficserver/blob/091b59ca/mgmt/RecordsConfig.cc
> ----------------------------------------------------------------------
> diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
> index b360aa0..76d6cb2 100644
> --- a/mgmt/RecordsConfig.cc
> +++ b/mgmt/RecordsConfig.cc
> @@ -1322,6 +1322,8 @@ static const RecordElement RecordsConfig[] =
> ,
> {RECT_CONFIG, "proxy.config.ssl.allow_client_renegotiation", RECD_INT, "0", RECU_DYNAMIC, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
> ,
> + {RECT_CONFIG, "proxy.config.ssl.server.enable_dhparams", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
> + ,
> {RECT_CONFIG, "proxy.config.ssl.server.dhparams_file", RECD_STRING, NULL, RECU_RESTART_TS, RR_NULL, RECC_NULL, NULL, RECA_NULL}
> ,
> //##############################################################################
>
[3/3] trafficserver git commit: TS-3437: Make DH params configurable:
update changes
Posted by br...@apache.org.
TS-3437: Make DH params configurable: update changes
Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/4361f4d0
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/4361f4d0
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/4361f4d0
Branch: refs/heads/master
Commit: 4361f4d0d49f46be59fc6fe86e26f22fbfacebc1
Parents: 8a4128c
Author: Brian Geffon <br...@apache.org>
Authored: Wed Mar 11 15:17:33 2015 -0700
Committer: Brian Geffon <br...@apache.org>
Committed: Wed Mar 11 15:17:33 2015 -0700
----------------------------------------------------------------------
CHANGES | 2 ++
1 file changed, 2 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/4361f4d0/CHANGES
----------------------------------------------------------------------
diff --git a/CHANGES b/CHANGES
index ff61651..cc83148 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,8 @@
-*- coding: utf-8 -*-
Changes with Apache Traffic Server 5.3.0
+ *) [TS-3437] Make DH params configurable
+
*) [TS-3342] Non-standard method in bad request can cause crash
*) [TS-3331] negative responses cached even when headers indicate otherwise