Posted to commits@trafficserver.apache.org by jp...@apache.org on 2013/12/04 23:06:06 UTC
[1/2] git commit: TS-2372: update default SSL context options
Updated Branches:
refs/heads/master 581282d8b -> d75e933a1
TS-2372: update default SSL context options
Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/d7bb4cd3
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/d7bb4cd3
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/d7bb4cd3
Branch: refs/heads/master
Commit: d7bb4cd3c6ec6c1fc5e70251257e2e10e450c92f
Parents: 581282d
Author: James Peach <jp...@apache.org>
Authored: Tue Nov 26 09:37:15 2013 -0800
Committer: James Peach <jp...@apache.org>
Committed: Wed Dec 4 14:05:09 2013 -0800
----------------------------------------------------------------------
iocore/net/SSLConfig.cc | 18 ++++++++++++++++++
iocore/net/SSLNetVConnection.cc | 1 +
2 files changed, 19 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/d7bb4cd3/iocore/net/SSLConfig.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
index 72b7c42..d4e0b9e 100644
--- a/iocore/net/SSLConfig.cc
+++ b/iocore/net/SSLConfig.cc
@@ -164,6 +164,24 @@ SSLConfigParams::initialize()
#endif
}
+ // Enable ephemeral DH parameters for the case where we use a cipher with DH forward security.
+#ifdef SSL_OP_SINGLE_DH_USE
+ ssl_ctx_options |= SSL_OP_SINGLE_DH_USE;
+#endif
+
+#ifdef SSL_OP_SINGLE_ECDH_USE
+ ssl_ctx_options |= SSL_OP_SINGLE_ECDH_USE;
+#endif
+
+ // Enable all SSL compatibility workarounds.
+ ssl_ctx_options |= SSL_OP_ALL;
+
+ // According to OpenSSL source, applications must enable this if they support the Server Name extension. Since
+ // we do, then we ought to enable this. Httpd also enables this unconditionally.
+#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
+ ssl_ctx_options |= SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION;
+#endif
+
REC_ReadConfigStringAlloc(serverCertChainFilename, "proxy.config.ssl.server.cert_chain.filename");
REC_ReadConfigStringAlloc(serverCertRelativePath, "proxy.config.ssl.server.cert.path");
set_paths_helper(serverCertRelativePath, NULL, &serverCertPathOnly, NULL);
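Review bot: `ssl_ctx_options |= SSL_OP_ALL;` also sets SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, which turns off OpenSSL's empty-fragment countermeasure for CBC cipher suites under SSLv3/TLS 1.0, so "all compatibility workarounds" quietly weakens the record layer in a commit whose purpose is to harden the defaults; prefer `ssl_ctx_options |= SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;` or state in the comment why that trade-off is accepted. The comment above SSL_OP_SINGLE_DH_USE overstates what the flag does: it only forces a fresh DH key per handshake and does not by itself make DHE suites negotiable, which still needs DH parameters installed via SSL_CTX_set_tmp_dh, and no such call is visible in this hunk. Suggest `// Use a fresh DH/ECDH key per handshake (needs tmp DH params / an ECDH curve to be installed elsewhere).` so the next reader does not assume DHE is enabled here. SSLConfigParams::initialize() begins and ends outside the hunk.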
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/d7bb4cd3/iocore/net/SSLNetVConnection.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index 9e477da..6bdb0da 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
@@ -466,6 +466,7 @@ SSLNetVConnection::free(EThread * t) {
sslHandShakeComplete = false;
sslClientConnection = false;
npnSet = NULL;
+ npnEndPoint= NULL;
if (from_accept_thread) {
sslNetVCAllocator.free(this);
[2/2] git commit: TS-2372: enable ECDHE forward security
Posted by jp...@apache.org.
TS-2372: enable ECDHE forward security
Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/d75e933a
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/d75e933a
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/d75e933a
Branch: refs/heads/master
Commit: d75e933a1c1b05700ca79dcbe53f6261d39e8c13
Parents: d7bb4cd
Author: James Peach <jp...@apache.org>
Authored: Tue Nov 26 09:37:47 2013 -0800
Committer: James Peach <jp...@apache.org>
Committed: Wed Dec 4 14:05:10 2013 -0800
----------------------------------------------------------------------
CHANGES | 2 ++
iocore/net/SSLUtils.cc | 17 +++++++++++++++++
2 files changed, 19 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/d75e933a/CHANGES
----------------------------------------------------------------------
diff --git a/CHANGES b/CHANGES
index 504e1a0..363b915 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,8 @@
Changes with Apache Traffic Server 4.2.0
+ *) [TS-2372] Enable TLS perfect forward security with ECDHE.
+
*) [TS-2416] Make TLS the session timeout threshold configurable.
Author: Wei Sun <su...@yahoo-inc.com>
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/d75e933a/iocore/net/SSLUtils.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 228870a..33d1bd5 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -185,6 +185,21 @@ ssl_context_enable_sni(SSL_CTX * ctx, SSLCertLookup * lookup)
return ctx;
}
+static void
+ssl_enable_ecdh(SSL_CTX * ctx)
+{
+#if defined(SSL_CTRL_SET_ECDH_AUTO)
+ SSL_CTX_set_ecdh_auto(ctx, 1);
+#elif defined(NID_X9_62_prime256v1)
+ EC_KEY * ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+
+ if (ecdh) {
+ SSL_CTX_set_tmp_ecdh(ctx, ecdh);
+ EC_KEY_free(ecdh);
+ }
+#endif
+}
+
void
SSLInitializeLibrary()
{
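Review bot: ssl_enable_ecdh() ignores the return values of SSL_CTX_set_ecdh_auto and SSL_CTX_set_tmp_ecdh and has no #else branch, so on an OpenSSL build where neither SSL_CTRL_SET_ECDH_AUTO nor NID_X9_62_prime256v1 is defined, or where either call fails, the context comes up without ECDHE and nothing reports it; the caller in SSLInitServerContext (its hunk is cut off at the end of this diff) therefore cannot distinguish "forward secrecy enabled" from "silently skipped". Return the outcome so the caller can at least log it, and give the function a header comment such as `// Enable ECDHE key exchange: let OpenSSL choose the curve when supported, otherwise pin P-256.` since the #elif path hard-codes a single curve. A minimal rewrite follows; the caller should then check the result rather than discard it.
```cpp
// Enable ECDHE key exchange: let OpenSSL choose the curve when supported,
// otherwise pin P-256. Returns false if ECDHE could not be configured.
static bool
ssl_enable_ecdh(SSL_CTX * ctx)
{
#if defined(SSL_CTRL_SET_ECDH_AUTO)
  return SSL_CTX_set_ecdh_auto(ctx, 1) == 1;
#elif defined(NID_X9_62_prime256v1)
  EC_KEY * ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
  bool ok = false;

  if (ecdh) {
    ok = SSL_CTX_set_tmp_ecdh(ctx, ecdh) == 1;
    EC_KEY_free(ecdh);
  }
  return ok;
#else
  return false; // no ECDH support in this OpenSSL build
#endif
}
```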
@@ -407,6 +422,8 @@ SSLInitServerContext(
}
}
+ ssl_enable_ecdh(ctx);
+
return ctx;
fail: