You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@trafficserver.apache.org by James Peach <jp...@apache.org> on 2015/02/25 01:20:58 UTC

Re: [1/2] trafficserver git commit: TS-3375 - Further refining error actions on bad SSL configuration.

> On Feb 16, 2015, at 9:53 AM, shinrich@apache.org wrote:
> 
> Repository: trafficserver
> Updated Branches:
>  refs/heads/master 53d5c6dfb -> a8e0c5e17
> 
> 
> TS-3375 - Further refining error actions on bad SSL configuration.
> 
[snip]
> 
> http://git-wip-us.apache.org/repos/asf/trafficserver/blob/8152dbfc/iocore/net/SSLConfig.cc
> ----------------------------------------------------------------------
> diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
> index 98214d2..627ccd2 100644
> --- a/iocore/net/SSLConfig.cc
> +++ b/iocore/net/SSLConfig.cc
> @@ -342,7 +342,10 @@ SSLCertificateConfig::startup()
>   sslCertUpdate->attach("proxy.config.ssl.server.private_key.path");
>   sslCertUpdate->attach("proxy.config.ssl.server.cert_chain.filename");
> 
> -  return reconfigure();
> +  if (!reconfigure()) {
> +    _exit(1);
> +  }
> +  return true;
> }

This should just return the status. It's up to the caller to decide whether to exit or not. It looks like we don't typically plumb these failures all the way to main(), but I think it would we reasonable for the SSLNetProcessor to exit. It should exit by using Fatal().

> bool
> @@ -360,7 +363,8 @@ SSLCertificateConfig::reconfigure()
>     ink_hrtime_sleep(HRTIME_SECONDS(secs));
>   }
> 
> -  if (SSLParseCertificateConfiguration(params, lookup)) {
> +  SSLParseCertificateConfiguration(params, lookup);

You still need to check the return value of SSLParseCertificateConfiguration() here.

> +  if (lookup->is_valid) {
>     configid = configProcessor.set(configid, lookup);
>   } else {
>     retStatus = false;