
git commit: TS-2569: set the default SSL options correctly

Repository: trafficserver
Updated Branches:
  refs/heads/4.2.x 37b33476e -> b262f4b34


TS-2569: set the default SSL options correctly

We discovered that the proxy.config.ssl.server.honor_cipher_order=1
setting was not working correctly. After investigating, we determined
that if there is no dest_ip=* entry in the ssl_multicert.config file,
the server cipher order setting is not honored. The proposed fix
(which works) is to initialize the default context with the necessary
SSL options.

(cherry picked from commit 963982e432a6fa5ef0f1968904c75571a3f6befb)

Conflicts:
	CHANGES
	iocore/net/SSLUtils.cc


Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/b262f4b3
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/b262f4b3
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/b262f4b3

Branch: refs/heads/4.2.x
Commit: b262f4b34def13bf16db32810da8766d83a59451
Parents: 37b3347
Author: Ron Barber <rb...@yahoo-inc.com>
Authored: Thu Feb 27 14:37:42 2014 -0800
Committer: Phil Sorber <so...@apache.org>
Committed: Fri Mar 7 17:30:05 2014 -0700

----------------------------------------------------------------------
 CHANGES                |   3 ++
 iocore/net/SSLUtils.cc | 110 +++++++++++++++++++++++++-------------------
 2 files changed, 66 insertions(+), 47 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/trafficserver/blob/b262f4b3/CHANGES
----------------------------------------------------------------------
diff --git a/CHANGES b/CHANGES
index 91ced1f..2aafea7 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache Traffic Server 4.2.0
 
+  *) [TS-2569] Set the default SSL options correctly.
+   Author: Ron Barber <rb...@yahoo-inc.com>
+
   *) [TS-2620] Make the stats_over_http plugin publish node and plugin stats.
 
   *) [TS-2607] Fix TS_USE_HWLOC #define in build process

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/b262f4b3/iocore/net/SSLUtils.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 4b1b646..88ffcfb 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -445,54 +445,56 @@ SSLInitServerContext(
 #endif
   SSL_CTX_set_quiet_shutdown(ctx, 1);
 
-  // XXX OpenSSL recommends that we should use SSL_CTX_use_certificate_chain_file() here. That API
-  // also loads only the first certificate, but it allows the intermediate CA certificate chain to
-  // be in the same file. SSL_CTX_use_certificate_chain_file() was added in OpenSSL 0.9.3.
-  completeServerCertPath = Layout::relative_to(params->serverCertPathOnly, serverCertPtr);
-  if (!SSL_CTX_use_certificate_file(ctx, completeServerCertPath, SSL_FILETYPE_PEM)) {
-    SSLError("failed to load certificate from %s", (const char *)completeServerCertPath);
-    goto fail;
-  }
-
-  // First, load any CA chains from the global chain file.
-  if (params->serverCertChainFilename) {
-    xptr<char> completeServerCertChainPath(Layout::relative_to(params->serverCertPathOnly, params->serverCertChainFilename));
-    if (!SSL_CTX_add_extra_chain_cert_file(ctx, completeServerCertChainPath)) {
-      SSLError("failed to load global certificate chain from %s", (const char *)completeServerCertChainPath);
+  // if serverCertPtr == NULL, then we are initing the default context so skip server cert init
+  if (serverCertPtr) {
+    // XXX OpenSSL recommends that we should use SSL_CTX_use_certificate_chain_file() here. That API
+    // also loads only the first certificate, but it allows the intermediate CA certificate chain to
+    // be in the same file. SSL_CTX_use_certificate_chain_file() was added in OpenSSL 0.9.3.
+    completeServerCertPath = Layout::relative_to(params->serverCertPathOnly, serverCertPtr);
+    if (!SSL_CTX_use_certificate_file(ctx, completeServerCertPath, SSL_FILETYPE_PEM)) {
+      SSLError("failed to load certificate from %s", (const char *)completeServerCertPath);
       goto fail;
     }
-  }
 
-  // Now, load any additional certificate chains specified in this entry.
-  if (serverCaCertPtr) {
-    xptr<char> completeServerCertChainPath(Layout::relative_to(params->serverCertPathOnly, serverCaCertPtr));
-    if (!SSL_CTX_add_extra_chain_cert_file(ctx, completeServerCertChainPath)) {
-      SSLError("failed to load certificate chain from %s", (const char *)completeServerCertChainPath);
-      goto fail;
+    // First, load any CA chains from the global chain file.
+    if (params->serverCertChainFilename) {
+      xptr<char> completeServerCertChainPath(Layout::relative_to(params->serverCertPathOnly, params->serverCertChainFilename));
+      if (!SSL_CTX_add_extra_chain_cert_file(ctx, completeServerCertChainPath)) {
+        SSLError("failed to load global certificate chain from %s", (const char *)completeServerCertChainPath);
+        goto fail;
+      }
     }
-  }
 
-  if (serverKeyPtr == NULL) {
-    // assume private key is contained in cert obtained from multicert file.
-    if (!SSL_CTX_use_PrivateKey_file(ctx, completeServerCertPath, SSL_FILETYPE_PEM)) {
-      SSLError("failed to load server private key from %s", (const char *)completeServerCertPath);
-      goto fail;
+    // Now, load any additional certificate chains specified in this entry.
+    if (serverCaCertPtr) {
+      xptr<char> completeServerCertChainPath(Layout::relative_to(params->serverCertPathOnly, serverCaCertPtr));
+      if (!SSL_CTX_add_extra_chain_cert_file(ctx, completeServerCertChainPath)) {
+        SSLError("failed to load certificate chain from %s", (const char *)completeServerCertChainPath);
+        goto fail;
+      }
     }
-  } else if (params->serverKeyPathOnly != NULL) {
-    xptr<char> completeServerKeyPath(Layout::get()->relative_to(params->serverKeyPathOnly, serverKeyPtr));
-    if (!SSL_CTX_use_PrivateKey_file(ctx, completeServerKeyPath, SSL_FILETYPE_PEM)) {
-      SSLError("failed to load server private key from %s", (const char *)completeServerKeyPath);
-      goto fail;
+
+    if (serverKeyPtr == NULL) {
+      // assume private key is contained in cert obtained from multicert file.
+      if (!SSL_CTX_use_PrivateKey_file(ctx, completeServerCertPath, SSL_FILETYPE_PEM)) {
+        SSLError("failed to load server private key from %s", (const char *)completeServerCertPath);
+        goto fail;
+      }
+    } else if (params->serverKeyPathOnly != NULL) {
+      xptr<char> completeServerKeyPath(Layout::get()->relative_to(params->serverKeyPathOnly, serverKeyPtr));
+      if (!SSL_CTX_use_PrivateKey_file(ctx, completeServerKeyPath, SSL_FILETYPE_PEM)) {
+        SSLError("failed to load server private key from %s", (const char *)completeServerKeyPath);
+        goto fail;
+      }
+    } else {
+      SSLError("empty SSL private key path in records.config");
     }
-  } else {
-    SSLError("empty SSL private key path in records.config");
-  }
 
-  if (!SSL_CTX_check_private_key(ctx)) {
-    SSLError("server private key does not match the certificate public key");
-    goto fail;
+    if (!SSL_CTX_check_private_key(ctx)) {
+      SSLError("server private key does not match the certificate public key");
+      goto fail;
+    }
   }
-
   if (params->clientCertLevel != 0) {
 
     if (params->serverCACertFilename != NULL && params->serverCACertPath != NULL) {
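Review bot: The new `if (serverCertPtr)` guard silently drops a configured private key or CA chain whenever an entry has no certificate, because everything from the global chain file through `SSL_CTX_check_private_key` is now skipped on a NULL serverCertPtr, not only for the default context the comment describes. A multicert entry that names a key or CA chain but no certificate would therefore be accepted without any diagnostic; an else branch such as `} else if (serverKeyPtr || serverCaCertPtr) { SSLError("private key or CA chain configured without a certificate"); goto fail; }` would keep the default-context path working while reporting the misconfiguration. The `else` arm that reports an empty key path still falls through to `SSL_CTX_check_private_key` with no key loaded, so that case is logged twice; a `goto fail` there would match the other arms. SSLInitServerContext begins and ends outside this hunk, so the declaration of completeServerCertPath and the fail label are not visible here.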
@@ -626,10 +628,14 @@ asn1_strdup(ASN1_STRING * s)
 static void
 ssl_index_certificate(SSLCertLookup * lookup, SSL_CTX * ctx, const char * certfile)
 {
-  X509_NAME * subject = NULL;
+  X509_NAME *   subject = NULL;
+  X509 *        cert;
+  ats_file_bio  bio(certfile, "r");
 
-  ats_file_bio bio(certfile, "r");
-  X509* cert = PEM_read_bio_X509_AUX(bio.bio, NULL, NULL, NULL);
+  cert = PEM_read_bio_X509_AUX(bio.bio, NULL, NULL, NULL);
+  if (NULL == cert) {
+    return;
+  }
 
   // Insert a key for the subject CN.
   subject = X509_get_subject_name(cert);
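Review bot: The added `if (NULL == cert) return;` leaves no trace in the log when a certificate file cannot be parsed, so a context that ends up with no lookup keys is indistinguishable from one that was never indexed. Since the default context is now stored through the same path with no certificate (see the last hunk), the silent return may be intended for that case, but a misconfigured real entry would also be hidden; emitting `SSLError("failed to read certificate from %s", certfile);` before the return, guarded on certfile being non-NULL if the default path passes NULL, keeps the behaviour while making the failure visible. Whether a NULL certfile even reaches this point depends on ssl_store_ssl_context, which is not shown. ssl_index_certificate continues past the end of this hunk.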
@@ -645,14 +651,14 @@ ssl_index_certificate(SSLCertLookup * lookup, SSL_CTX * ctx, const char * certfi
       ASN1_STRING * cn = X509_NAME_ENTRY_get_data(e);
       xptr<char> name(asn1_strdup(cn));
 
-      Debug("ssl", "mapping '%s' to certificate %s", (const char *)name, certfile);
+      Debug("ssl", "mapping '%s' to certificate %s", (const char *) name, certfile);
       lookup->insert(ctx, name);
     }
   }
 
 #if HAVE_OPENSSL_TS_H
   // Traverse the subjectAltNames (if any) and insert additional keys for the SSL context.
-  GENERAL_NAMES * names = (GENERAL_NAMES *)X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
+  GENERAL_NAMES * names = (GENERAL_NAMES *) X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
   if (names) {
     unsigned count = sk_GENERAL_NAME_num(names);
     for (unsigned i = 0; i < count; ++i) {
@@ -661,7 +667,7 @@ ssl_index_certificate(SSLCertLookup * lookup, SSL_CTX * ctx, const char * certfi
       name = sk_GENERAL_NAME_value(names, i);
       if (name->type == GEN_DNS) {
         xptr<char> dns(asn1_strdup(name->d.dNSName));
-        Debug("ssl", "mapping '%s' to certificate %s", (const char *)dns, certfile);
+        Debug("ssl", "mapping '%s' to certificate %s", (const char *) dns, certfile);
         lookup->insert(ctx, dns);
       }
     }
@@ -895,8 +901,18 @@ SSLParseCertificateConfiguration(
   // bootstrap the SSL handshake so that we can subsequently do the SNI lookup to switch to the real
   // context.
   if (lookup->ssl_default == NULL) {
-    lookup->ssl_default = ssl_context_enable_sni(SSLDefaultServerContext(), lookup);
-    lookup->insert(lookup->ssl_default, "*");
+    xptr<char> addr;
+    xptr<char> cert;
+    xptr<char> ca;
+    xptr<char> key;
+    int session_ticket_enabled = -1;
+    xptr<char> ticket_key_filename;
+
+    addr = ats_strdup("*");
+    if (!ssl_store_ssl_context(params, lookup, addr, cert, ca, key, session_ticket_enabled, ticket_key_filename)) {
+      Error("failed to store default ctx ");
+      return false;
+    }
   }
 
   return true;
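Review bot: The removed lines explicitly wrapped the default context with ssl_context_enable_sni and inserted it under "*", whereas the new code relies on ssl_store_ssl_context doing both and setting `lookup->ssl_default`; none of that is visible in the hunk, so please confirm the helper still assigns ssl_default and installs the SNI callback for the "*" entry, otherwise this branch leaves the default context unset after returning true. The new call passes NULL cert, ca and key pointers, so the helper and ssl_index_certificate must tolerate a NULL certfile for this to be safe. The error string `"failed to store default ctx "` has a trailing space and does not name the entry; `Error("failed to store default SSL context for dest_ip=*");` would be clearer. The `-1` for session_ticket_enabled appears to be an unset sentinel, but its meaning is defined outside this hunk.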